TPTHZ wrote

I found most of device still using SHA1 also. I have two d-link Layer2 managed switch, the same, I need use this command also.
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost

Yes, even several CISCO switches still use SHA1. Reason for switches using legacy ciphers is that a) embedded devices are - unlike laptops or desktops - most often not running bleeding-edge Linux versions, but a version proofed to be as stable as possible and b) most switches are not used in public WANs except those running at ISPs and public data exchanges. If you are an ISP or expose a switch to the Internet, you almost certainly use other, much more secure means of restricting access to the switch's admin interface, e.g. by using VLANs, port isolation and ACLs. If you are concerned about security of a switch's web UI (!) or CLI interface in a private LAN, you also should not only count on SSH ciphers, given the fact that they are strong only for a limited time until becoming weak.

It is not that easy to port Linux to an embedded device and keep it up-to-date. As for latest Linux versions, security fixes are published every week, sometimes even every day. This includes SSH/TLS fixes, too.

I prefer to run a stable firmware on switches instead of the latest brand-new funky version with features not being used on a particular embedded device. It's already keeping admins busy to update servers with fixes every week and new kernels every 3 months.