Apparently DH SHA1 key exchange algorithm is still in wide
use at least within Cisco products (there's a real world
case involving our user), and some still use DSA keys
which might be longer than "allowed" yet not trusted anymore.

See also:
http://www.openssh.com/legacy.html
http://bugzilla.altlinux.org/31716
http://altlinux.org/changes (Jan 2016; RU)