RSA versus DSA / Protocol 1 versus Protocol 2

[Bob Proulx]

I have been searching the archives and confused about some points that
I am hoping could be cleared up.

  RSA versus DSA

I seem to see a lot of messages saying this.  That DSA is slow.  DSA
was added only to avoid a patent which is now expired.  RSA is the
preferred authentification method.  DSA should be avoided.  Which all
sounds fine to me and I think I agree with that.  Assuming this
applies to both host keys and user keys it seems that you cannot
disable this for host keys when using Protocol 2.  Is that required
for compatibility or other reason?

  Protocol 1 versus Protocol 2

OpenSSH 3.x defaults to Protocol 2,1.  Fine.  But ssh-keygen and
ssh-add default to creating and using rsa1 keys, which means using
Protocol 1, but using DSA host keys.  I think.  Which makes actually
using Protocol 2 much more of an exercise for users.  Is there a
reason that ssh-keygen and ssh-add use rsa1 while the others use
Protocol 2 which would seem to be rsa?  Since they are trivial to
patch so that all default to 'rsa' keys and work nicely with Protocol
2 then I assume there must have been a reason that a full move to
'rsa' keys have not already happened.

I am setting up new people to use ssh and I want to get them going in
a direction of least thrash from now forward.  What are your
recommendations?  Answers or discussion for these questions would be
great additions to the FAQ or near there in the online docs.  At least
I could not find anything definitive and I spent a fair amount of time
searching documentation and reading the mail archives.

Thanks
Bob