After upgrading from VyOS 1.1.7 to 999.201609070235 (nightly build from the current/lithium branch) via 'add system image', the logs collect lots of messages about the missing ED25519 host key. That's likely because I chose to retain my old hosts keys from the 1.1.7 image, which I suppose didn't have such a key. Indeed, I don't have that key:
$ ls /etc/ssh moduli ssh_host_dsa_key ssh_host_ecdsa_key.pub ssh_host_rsa_key ssh_config ssh_host_dsa_key.pub ssh_host_key ssh_host_rsa_key.pub sshd_config ssh_host_ecdsa_key ssh_host_key.pub
And /etc/ssh/sshd_config does refer to it:
$ grep HostKey /etc/ssh/sshd_config # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key # HostKey for protocol version 1 HostKey /etc/ssh/ssh_host_key
Perhaps the upgrade script should generate any missing host keys by issuing:
ssh-keygen -A
even when the user chose to copy over the old host keys. This might have side-effects, of course: clients that support the new host key types might see a new host key, which was what copying the old host keys was intended to avoid. But I had no warnings or other difficulty connecting from a client running OpenSSH_6.6.1p1 after creating the missing ED25519 key.