diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.1_p1-enable-dss.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.1_p1-enable-dss.patch
new file mode 100644
index 0000000000..577d392f64
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.1_p1-enable-dss.patch
@@ -0,0 +1,43 @@
+From c3fa4699b9b761be1b406dcdd22344d56efd703b Mon Sep 17 00:00:00 2001
+From: Nick Owens
+Date: Mon, 30 Nov 2015 18:48:05 -0800
+Subject: [PATCH] partial revert of 3a1638dda19bbc73d0ae02b4c251ce08e564b4b9
+
+in 3a1638dda19bbc73d0ae02b4c251ce08e564b4b9 from
+git://anongit.mindrot.org/openssh.git, DSA (ssh-dss) key support was
+removed. re-enable DSA key suport by adding back
+ssh-dss-cert-v01@openssh.com and ssh-dss back to KEX_DEFAULT_PK_ALG.
+
+this patch was generated with the following command on the above repo:
+
+git diff -R 3a1638dda19bbc73d0ae02b4c251ce08e564b4b9^..3a1638dda19bbc73d0ae02b4c251ce08e564b4b9 -- myproposal.h
+---
+ myproposal.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/myproposal.h b/myproposal.h
+index 46e5b98..371f27c 100644
+--- a/myproposal.h
++++ b/myproposal.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: myproposal.h,v 1.47 2015/07/10 06:21:53 markus Exp $ */
++/* $OpenBSD: myproposal.h,v 1.46 2015/07/03 03:47:00 djm Exp $ */
+
+ /*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+@@ -99,9 +99,11 @@
+ HOSTKEY_ECDSA_CERT_METHODS \
+ "ssh-ed25519-cert-v01@openssh.com," \
+ "ssh-rsa-cert-v01@openssh.com," \
++ "ssh-dss-cert-v01@openssh.com," \
+ HOSTKEY_ECDSA_METHODS \
+ "ssh-ed25519," \
+- "ssh-rsa" \
++ "ssh-rsa," \
++ "ssh-dss"
+
+ /* the actual algorithms */
+
+--
+2.4.10
+
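Review bot: Adding `"ssh-dss-cert-v01@openssh.com,"` and `"ssh-dss"` to `KEX_DEFAULT_PK_ALG` in the second embedded hunk re-enables DSA at compile time for every install, including those that hold no DSA keys. ssh-dss keys are limited to 1024 bits and sign with SHA-1, so this widens what is accepted by default (the macro appears to supply the default key-type lists; the code that consumes it is outside this patch). Users who still need DSA can opt in per host with `HostKeyAlgorithms +ssh-dss` / `PubkeyAcceptedKeyTypes +ssh-dss`, which keeps the upstream default intact. Separately, the first embedded hunk rewinds the `$OpenBSD$` ident from v 1.47 to v 1.46 as a side effect of `git diff -R`; dropping that hunk keeps the version tag truthful and removes one place the patch can fail to apply.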
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.1_p1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.1_p1-r3.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.1_p1-r2.ebuild rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.1_p1-r3.ebuild index dc804ca1d5..9f36aa8d05 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.1_p1-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.1_p1-r3.ebuild @@ -157,6 +157,10 @@ src_prepare() { ) sed -i "${sed_args[@]}" configure{.ac,} || die + # in CoreOS, we wish to keep ssh-dss around for a while longer while we give + # users time to get rid of their ssh-dss keys. + epatch "${FILESDIR}"/${PN}-7.1_p1-enable-dss.patch + epatch_user #473004 # Now we can build a sane merged version.h
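Review bot: The comment above the new `epatch` call says ssh-dss stays "for a while longer" but names no removal condition, so nothing prompts anyone to drop the patch later. I would extend it, e.g. `# TODO(<tracking-issue>): drop enable-dss.patch in <release>; upstream disables ssh-dss by default.` The patch file name is also pinned to `7.1_p1`, so a version bump should re-check whether the patch is still wanted rather than carry it forward. src_prepare() starts and ends outside this hunk.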