[Thijs Eilander]

If it is possible create a new ssh key without rsa/rsa1, it’s unsafe to use.
Or add PubkeyAcceptedAlgorithms +ssh-rsa and don’t overwrite the config on upgrade

I see debian has a recent 9.0 package in bookwork/sid, I’ll import that one soon and see how they handle this problem.