diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
index 1ad45f468030..cc835081c9f9 100644
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -189,6 +189,7 @@ in
 # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
 PubkeyAcceptedKeyTypes +ssh-dss
+ HostKeyAlgorithms +ssh-dss
 ${cfg.extraConfig}
 '';
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 957d5e715e78..19b96fdc8dd5 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -41,7 +41,9 @@ stdenv.mkDerivation rec {
 '';
 patches =
- [ ./locale_archive.patch ]
+ [ ./locale_archive.patch
+ ./fix-host-key-algorithms-plus.patch
+ ]
 ++ optional withGssapiPatches gssapiSrc;
 buildInputs = [ zlib openssl libedit pkgconfig pam ]
diff --git a/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch b/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch
new file mode 100644
index 000000000000..02846e9bdad2
--- /dev/null
+++ b/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch
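Review bot: The added `HostKeyAlgorithms +ssh-dss` is a global client setting whose safe behaviour depends on the fix-host-key-algorithms-plus.patch carried by the openssh package in the same commit (that patch's header says any HostKeyAlgorithms value otherwise discards the known-hosts preference order), and nothing in the generated ssh_config records that coupling. I would extend the comment above the line: `# HostKeyAlgorithms +ssh-dss only keeps known-host ordering thanks to openssh's fix-host-key-algorithms-plus.patch; remove both together when DSA support is dropped.` Widening the exception to host keys also means every destination, not just legacy ones, may now be authenticated with a key type the existing comment already calls deprecated since OpenSSH 7.0. If only particular servers still present DSA host keys, a `Host` block in extraConfig would confine the exception to them. The string this hunk edits starts before the hunk.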
@@ -0,0 +1,52 @@ +Specifying "HostKeyAlgorithms +ssh-dds" does not work properly because +setting any value for HostKeyAlgorithms causes the known host keys to +be ignored for the purpose of determining the priority of algorithms. +This was fixed upstream for HostKeyAlgorithms in sshd_config, but not +in ssh_config. The fix is to apply order_hostkeyalgs() if the user +specifies a HostKeyAlgorithms starting with "+". + +diff -ru -x '*~' openssh-7.2p2-orig/sshconnect2.c openssh-7.2p2/sshconnect2.c +--- openssh-7.2p2-orig/sshconnect2.c 2016-03-09 19:04:48.000000000 +0100 ++++ openssh-7.2p2/sshconnect2.c 2016-04-01 15:39:45.140945902 +0200 +@@ -100,7 +100,7 @@ + } + + static char * +-order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) ++order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *algs) + { + char *oavail, *avail, *first, *last, *alg, *hostname, *ret; + size_t maxlen; +@@ -116,7 +116,7 @@ + for (i = 0; i < options.num_system_hostfiles; i++) + load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); + +- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG); ++ oavail = avail = xstrdup(algs); + maxlen = strlen(avail) + 1; + first = xmalloc(maxlen); + last = xmalloc(maxlen); +@@ -181,18 +181,21 @@ + myproposal[PROPOSAL_MAC_ALGS_CTOS] = + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; + if (options.hostkeyalgorithms != NULL) { ++ int append = options.hostkeyalgorithms[0] == '+'; + if (kex_assemble_names(KEX_DEFAULT_PK_ALG, + &options.hostkeyalgorithms) != 0) + fatal("%s: kex_assemble_namelist", __func__); + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = +- compat_pkalg_proposal(options.hostkeyalgorithms); ++ compat_pkalg_proposal(append ++ ? 
order_hostkeyalgs(host, hostaddr, port, options.hostkeyalgorithms) ++ : options.hostkeyalgorithms); + } else { + /* Enforce default */ + options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); + /* Prefer algorithms that we already have keys for */ + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = + compat_pkalg_proposal( +- order_hostkeyalgs(host, hostaddr, port)); ++ order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG)); + } + + if (options.rekey_limit || options.rekey_interval)
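Review bot: In the third inner hunk the new `append` branch hands the list merged from KEX_DEFAULT_PK_ALG and the user's `+` list to order_hostkeyalgs(), which (per the hunk at line 116 loading keys from options.system_hostfiles) moves algorithms already cached for the host to the front, so with `+ssh-dss` a host whose only cached key is DSA keeps being negotiated with ssh-dss ahead of the stronger defaults until that known_hosts entry is replaced. That is the intended no-warning behaviour, but it is a silent downgrade pin and the patch header should state it, e.g. `Note: a host whose only cached key is DSA keeps negotiating DSA first until its known_hosts entry is replaced.` The new parameter is only read by xstrdup(), so declare it `const char *algs` in both the signature and the two call sites' expectations. The check `options.hostkeyalgorithms[0] == '+'` covers only the append form, so this patch must be re-examined (or dropped, if the ssh_config side has since been fixed upstream as the header says sshd_config was) at every version bump of this derivation. The header also misspells the algorithm as `+ssh-dds`, and the functions holding the inner hunks begin and end outside what is shown.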