I just discovered that my brand new TP-Link SG2218, running firmware released earlier this year, will only use SHA-1 signatures for SSH key-based authentication. SHA-1 was deprecated in 2011, because it is known to be insecure. Sometime in the last few years, Fedora completely disabled SHA-1 in its default system-wide crypto policy. It is literally impossible to SSH to one of these things (if one has any SSH keys set up) without reducing the system-wide crypto level.

I don't expect network equipment vendors to move fast, nor do I expect them to keep updating EOL equipment, but that is not what is happening here. This is a brand new managed switch, running its most recent firmware that was released in 2025. There is absolutely no excuse for this level of pure laziness.