Permit configuring RSA signature types in certificates.

As distinct from the type of signature generated by the SSH server
itself from the host key, this lets you exclude (and by default does
exclude) the old "ssh-rsa" SHA-1 signature type from the signature of
the CA on the certificate.

ssh/kex2-client.c

@@ -912,6 +912,7 @@ void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted)
                         true, /* host certificate */
                         ptrlen_from_asciz(s->savedhost),
                         time(NULL),
+                        &hca_found->opts,
                         BinarySink_UPCAST(error));
                 }
                 if (cert_ok) {