The crypto-policy man page says that SHA-1 is disallowed in the FUTURE policy, which implies that it is allowed in the DEFAULT policy. And in fact it is explicitly mentioned in the bullet point about MACs.
But, for ssh server KexAlgorithms, the DEFAULT policy disallows sha1. In order to allow sha1, one would have to use LEGACY, or explicitly add those algorithms:
[aminoff@perlw2 /etc]$ diff /usr/share/crypto-policies/LEGACY/opensshserver.txt /usr/share/crypto-policies/DEFAULT/opensshserver.txt | grep '[<>] KexAlgorithms'
< KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
> KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
My question is, is this something that can be fixed in Rocky Linux, or should I report it as a bug upstream?
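
The comparison in the post, reduced to the algorithms that differ, as an added example that is not part of the original post. It assumes sshd_config-style policy files with a `KexAlgorithms` line as shown above; the function names `kex_list`, `kex_only_in` and `make_samples` are hypothetical, and the sample files are constructed from the two lines quoted in the post.

```shell
#!/bin/sh
# Added example: list the key-exchange algorithms one policy file enables
# and another does not, instead of eyeballing two long diff lines.

# Print the KexAlgorithms value of a file, one algorithm per line, sorted.
kex_list() {
    awk '$1 == "KexAlgorithms" { print $2 }' "$1" | tr ',' '\n' | LC_ALL=C sort -u
}

# Print algorithms present in file $1 but absent from file $2.
kex_only_in() {
    a=$(mktemp)
    b=$(mktemp)
    kex_list "$1" > "$a"
    kex_list "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample files holding the two KexAlgorithms lines from the post.
# Prints the directory that contains LEGACY.txt and DEFAULT.txt.
make_samples() {
    dir=$(mktemp -d)
    common="curve25519-sha256,curve25519-sha256@libssh.org"
    common="$common,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521"
    common="$common,diffie-hellman-group-exchange-sha256"
    common="$common,diffie-hellman-group14-sha256"
    common="$common,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
    printf 'KexAlgorithms %s,%s,%s\n' "$common" \
        diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 \
        > "$dir/LEGACY.txt"
    printf 'KexAlgorithms %s\n' "$common" > "$dir/DEFAULT.txt"
    echo "$dir"
}

# With two file arguments, compare those; otherwise use the constructed samples.
if [ $# -eq 2 ]; then
    kex_only_in "$1" "$2"
else
    samples=$(make_samples)
    kex_only_in "$samples/LEGACY.txt" "$samples/DEFAULT.txt"
fi
```

Passing the two `opensshserver.txt` paths from the post as arguments runs the same comparison against the installed policy files.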