SHA-1 practical recommendations?
James Ralston
ralston at pobox.com
Thu Mar 11 08:06:38 AEDT 2021
As others have mentioned, there is guidance about this in
draft-ietf-curdle-ssh-kex-sha2:
https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/
In summary, of these SHA-1 KexAlgorithms:
* diffie-hellman-group1-sha1
* diffie-hellman-group14-sha1
* diffie-hellman-group-exchange-sha1
and these SHA-1 GSSAPIKexAlgorithms:
* gss-gex-sha1-
* gss-group1-sha1-
* gss-group14-sha1-
…if it is necessary to enable one of them for backward compatibility
with clients/servers that support only SHA-1 algorithms, then this is
the only one that should be enabled:
* diffie-hellman-group14-sha1 (for KexAlgorithms)
* gss-group14-sha1- (for GSSAPIKexAlgorithms)
…because of the three, only group14-sha1 is using a 2048-bit MODP
group. So if one must be enabled, it is the least-bad one to enable.
This reasoning was explained in a previous version of the kex draft:
https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-11.html
Unfortunately, the explanation in the current version of the draft is
arguably less clear.
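A check a defender can run against this advice, added here as an example that is not part of the original post: it takes the effective `kexalgorithms` / `gssapikexalgorithms` line that `sshd -T` prints (constructed sample lines are embedded so it runs offline), flags every SHA-1 algorithm, and reports only the group14 ones as tolerable. The function name `audit_kex` and the sample lines are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit the effective
# KexAlgorithms / GSSAPIKexAlgorithms list that `sshd -T` prints and flag
# every SHA-1 algorithm. Only diffie-hellman-group14-sha1 and
# gss-group14-sha1- are reported as WARN (tolerable for SHA-1-only peers);
# the other SHA-1 algorithms named in the post are reported as FAIL.

# Constructed sample lines in `sshd -T` output format (not real host output).
SAMPLE_KEX='kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
SAMPLE_GSS='gssapikexalgorithms gss-group14-sha256-,gss-gex-sha1-,gss-group14-sha1-'
SAMPLE_OK='kexalgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha1'

# audit_kex LINE: prints one report line per SHA-1 algorithm found.
# Returns 0 if the only SHA-1 algorithms present are the group14 ones,
# 1 if any other SHA-1 algorithm is enabled.
audit_kex() {
    audit_rc=0
    # Drop the leading keyword; what remains is a comma-separated list.
    audit_list=$(printf '%s\n' "$1" | sed 's/^[a-z]*kexalgorithms[[:space:]]*//')
    audit_ifs=$IFS
    IFS=,
    for audit_alg in $audit_list; do
        case "$audit_alg" in
            diffie-hellman-group14-sha1|gss-group14-sha1-)
                echo "WARN $audit_alg: SHA-1, but 2048-bit MODP group; keep only while SHA-1-only peers remain" ;;
            diffie-hellman-group1-sha1|gss-group1-sha1-)
                echo "FAIL $audit_alg: SHA-1 with a 1024-bit MODP group; disable"
                audit_rc=1 ;;
            diffie-hellman-group-exchange-sha1|gss-gex-sha1-)
                echo "FAIL $audit_alg: SHA-1 group exchange; disable"
                audit_rc=1 ;;
            *sha1*)
                echo "FAIL $audit_alg: other SHA-1 algorithm; disable"
                audit_rc=1 ;;
        esac
    done
    IFS=$audit_ifs
    return $audit_rc
}

# Stand-alone run over the constructed samples (non-zero status = action needed).
for line in "$SAMPLE_KEX" "$SAMPLE_GSS" "$SAMPLE_OK"; do
    audit_kex "$line" || echo "-> '${line%% *}' needs attention"
done
```

On a real host, feed it the live configuration with `sshd -T | grep -i kexalgorithms`, one line per call.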