common/fa-t14-2025: add oldssh

common/oldssh.nix

@@ -0,0 +1,44 @@
+# Credit https://git.pvv.ntnu.no/oysteikt 2026
+
+{
+  openssh,
+  fetchurl,
+  lib
+}:
+
+openssh.overrideAttrs (prev: rec {
+  # Old crypto was removed in v10.0
+  version = "9.9p2";
+  src = fetchurl {
+    url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
+    hash = "sha256-karbYD4IzChe3fll4RmdAlhfqU2ZTWyuW0Hhch4hVnM=";
+  };
+
+  configureFlags = prev.configureFlags ++ [
+    "--enable-dsa-keys"
+  ];
+
+  # Broken patches, meant for 10.3p :p
+  patches = lib.filter (x: !(lib.any (suf: lib.hasSuffix suf (baseNameOf x)) [
+    "dont_create_privsep_path.patch"
+    "pkcs11-fix-pinentry.patch"
+    "pkcs11-tests-allow-module-path.patch"
+    "ssh-agent-tests-increase-timeout.patch"
+  ])) prev.patches;
+
+  # We actually needed the `dont_create_privsep_path` one :3
+  postPatch = prev.postPatch + ''
+    substituteInPlace Makefile.in \
+      --replace-fail '$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)' '''
+  '';
+
+  # Tihi
+  doInstallCheck = false;
+  postFixup = ''
+    rm -rf $out/libexec $out/etc
+    rm $out/bin/ssh-* $out/bin/sshd $out/bin/sftp
+    cd $out/bin
+    for filename in *; do mv {,old}"$filename"; done;
+  '';
+})
+

flake.nix

@@ -59,6 +59,8 @@
         pwndbg = pwndbg.packages."${prev.system}".default;
 
         securecrt = prev.callPackage ./common/securecrt.nix { };
+
+        oldssh = prev.callPackage ./common/oldssh.nix { };
       };
     in
     {

hosts/fa-t14-2025/home.nix

@@ -20,6 +20,7 @@ in {
     libreoffice
     mpv
     oauth2ms
+    oldssh
     openssl
     openvpn
     pavucontrol
@@ -82,6 +83,7 @@ in {
     zsh = {
       shellAliases = {
         "kssh" = "ssh -t controlnode ssh";
+        "ossh" = "oldssh -oHostKeyAlgorithms=+ssh-dss -oCiphers=+aes256-cbc -oKexAlgorithms=+diffie-hellman-group14-sha1";
         "rebuild" = "sudo nixos-rebuild switch --flake /config";
       };
       prezto.pmodules = [ "ssh" ];