diff --git a/sshserver.c b/sshserver.c
index b2a2e24e..51bf2ff7 100644
--- a/sshserver.c
+++ b/sshserver.c
@@ -216,6 +216,19 @@ void ssh_conn_processed_data(Ssh *ssh)
      * around a peculiarity of the GUI event loop, I haven't yet. */
 }
 
+Conf *make_ssh_server_conf(void)
+{
+    Conf *conf = conf_new();
+    load_open_settings(NULL, conf);
+    /* In Uppity, we support even the legacy des-cbc cipher by
+     * default, so that it will be available if the user forces it by
+     * overriding the KEXINIT strings. If the user wants it _not_
+     * supported, of course, they can override KEXINIT in the other
+     * direction. */
+    conf_set_bool(conf, CONF_ssh2_des_cbc, true);
+    return conf;
+}
+
 static const PlugVtable ssh_server_plugvt = {
     server_socket_log,
     server_closing,
diff --git a/sshserver.h b/sshserver.h
index a78b3eca..9a7696af 100644
--- a/sshserver.h
+++ b/sshserver.h
@@ -119,3 +119,5 @@ int platform_make_x11_server(Plug *plug, const char *progname, int mindisp,
                              const char *screen_number_suffix,
                              ptrlen authproto, ptrlen authdata,
                              Socket **sockets, Conf *conf);
+
+Conf *make_ssh_server_conf(void);
diff --git a/unix/uxserver.c b/unix/uxserver.c
index 541c4ab2..524adef8 100644
--- a/unix/uxserver.c
+++ b/unix/uxserver.c
@@ -489,8 +489,7 @@ int main(int argc, char **argv)
     AuthPolicy ap;
     SshServerConfig ssc;
 
-    Conf *conf = conf_new();
-    load_open_settings(NULL, conf);
+    Conf *conf = make_ssh_server_conf();
 
     ap.kbdint_state = 0;
     ap.ssh1keys = NULL;