Per the OpenSSH developers, "It is now possible[1] to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm that depends on SHA-1 by default in a near-future release."
Note that it is not necessary to disable RSA host key verification entirely, as "...RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms."
We don't use SSH CAs at the moment, but it's a good idea to note the following in case we ever do: "Certificates are at special risk to the aforementioned SHA1 collision vulnerability as an attacker has effectively unlimited time in which to craft a collision that yields them a valid certificate, far more than the relatively brief LoginGraceTime window that they have to forge a host key signature."
Creating this ticket to disable the ssh-rsa public key signature algorithm in our sshd_config.
You can test whether this is working with the ssh client (replace <hostname> with the server being checked):
ssh -oHostKeyAlgorithms=ssh-rsa <hostname>
If this algorithm is disabled, you should get this response:
Unable to negotiate with UNKNOWN port 65535: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
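The client test above covers host keys only. As an added example (not part of the original ticket), this shell function audits the server's effective configuration, as printed by `sshd -T`, for every setting that still lists `ssh-rsa` or its certificate variant. The function name `weak_rsa_settings` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: find sshd settings that still allow the SHA-1 based
# "ssh-rsa" signature algorithm. Real use (as root): sshd -T | weak_rsa_settings

# Reads effective sshd configuration (sshd -T format: lowercase keyword,
# then a comma-separated list) on stdin. Prints "keyword: algorithm" for
# each finding. Exit status is 1 if anything was found, 0 otherwise.
weak_rsa_settings() {
    awk '
        BEGIN { bad = 0 }
        {
            key = tolower($1)
            # pubkeyacceptedkeytypes is the older name of pubkeyacceptedalgorithms
            if (key !~ /^(hostkeyalgorithms|pubkeyacceptedalgorithms|pubkeyacceptedkeytypes|casignaturealgorithms)$/)
                next
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) {
                # Exact match, so rsa-sha2-256 and rsa-sha2-512 are not flagged
                if (algs[i] == "ssh-rsa" || algs[i] == "ssh-rsa-cert-v01@openssh.com") {
                    print key ": " algs[i]
                    bad = 1
                }
            }
        }
        END { exit bad }
    '
}

# Constructed sample: a server that still offers ssh-rsa
SAMPLE_WEAK='port 22
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedalgorithms ssh-ed25519,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512
casignaturealgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

# Constructed sample: host key list matches the offer shown in the ticket
SAMPLE_HARDENED='port 22
hostkeyalgorithms rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
casignaturealgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'
```

A non-zero exit status makes the function usable as a gate in a configuration-management or CI check after sshd_config changes.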