diff --git a/NEWS b/NEWS
index 79d0631f91ebcc01619b74ef1704106b4073d462..aaae6f5b9b72176d7b97b4a01b7d54b3b88682b2 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,11 @@
 unreleased (207x-xx-xx)
 
+    [ssh] Remove the two options "RSAAuthentication" and
+    "RhostsRSAAuthentication" that have been deprecated and are only used
+    with SSH's protocol 1 (which we don't use anyway). See
+    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851573 and
+    https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/commit/?id=fb87db8aa47d3508be8e5bb1d21897fa1f2eca90
+
     [os] motd.erb needs to handle case when there is no swap.
 
     [several] change 'crit "stuff"' to 'crit("stuff")' to make Puppet 5
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index 31713ce80684603ad441d4aca499dad5cce41db6..f4435e6f73ba59ff875fa272a4a9f79ad80c3334 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -53,9 +53,7 @@ UsePrivilegeSeparation yes
 # Disable all forms of host-based and public key authentication by default,
 # since we use GSS-API (or passwords).
 IgnoreRhosts yes
-RSAAuthentication no
 PubkeyAuthentication <%= @pubkey ? 'yes' : 'no' %>
-RhostsRSAAuthentication no
 HostbasedAuthentication <%= @hostbased ? 'yes' : 'no' %>
 
 # Allow password authentication via PAM, but not empty passwords.