diff --git a/freeipa.spec.in b/freeipa.spec.in
index c14eaf7bc..148d8fd74 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -963,6 +963,10 @@ if [ $1 -gt 1 ] ; then
     if [ $restore -ge 2 ]; then
         %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
     fi
+
+    if [ $restore -ge 2 ]; then
+        sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config
+    fi
 fi
 
 
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index cc830f1ff..34b2d1a6e 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1116,7 +1116,6 @@ def configure_ssh_config(fstore, options):
         changes['GlobalKnownHostsFile'] = paths.SSSD_PUBCONF_KNOWN_HOSTS
     if options.trust_sshfp:
         changes['VerifyHostKeyDNS'] = 'yes'
-        changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
 
     change_ssh_config(paths.SSH_CONFIG, changes, ['Host', 'Match'])
     logger.info('Configured %s', paths.SSH_CONFIG)