#49952 tracked adding support for the SHA-2 variants of ssh-rsa. This issue is about exposing the settings necessary to turn off the original SHA-1 algorithm, both on the signer and on the verifier side, both for client and host authentication.

For example, this will require something akin to ServerConfig.PublicKeyAuthAlgorithms from #49269 and MultiAlgorithmSigner from #52132, as well as others.

Eventually, we'll want to make SHA-1 disabled by default, and these settings will be how applications can turn it back on.