by red_admiral
679 days ago
SSH by default isn't, but admins can set up their own list of allowed ciphers in their config file. GitHub, for example, has banned ssh_dss - I think they still support ECDSA, but they only mention Curve25519 and RSA (with caveats) on their SSH keys page.
Yes, and that's fine. But if SSH mandated a certain thing and disallowed even admins from changing it, it would be the equivalent problem.
It's Ubuntu preventing the use of anything but "SafeCurves" that's the problem.
If Ubuntu/Canonical want to use them—fine. (Maybe.†) But don't disable the functionality for admins.
† Some regulated industries need to use certain Approved Algorithms, which may or may not include your favourite ones. Further, there may be all sorts of other (workflow) tooling that may not support your favourite ones either, and forcing your favourites on other people (especially taking away other options) is a jerk move.