Re: Old devices
"Just plug it instead to a small 2 port box with the other port instead going to the lan."
So that system, which has just one port and can be administered via sha1, needs another box in front of it to proxy sha2.
You could do that, or you could put a firewall in the logical path blocking all SSH to everything you want, and a single bastion host in the subnet of the sha1 system that will only permit sha2 or whatever you want.
Then you use strong auth to get to the bastion host in the required subnet, and then sha1 to the old system and any other systems in that subnet that can only use sha1.
You could put the bastion host elsewhere, but it ups the risk of the traffic being intercepted: from zero for the solution with the box in front of the sha1 system, to a little bit more for something on the same subnet intercepting that traffic (can't happen on a switched network unless a port mirror is configured), to again a bit more if the traffic is routed through a number of systems that could intercept or change it en route (firewalls, load balancers, virtual systems, IDS/IPS, etc.).
The attack risk is much lower on your internal systems than it is if your traffic has to go across a public network, even if you use a VPN or private peering in a colo.
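As an added illustration of the bastion layout described in the reply above (an example written for this page, not the poster's own configuration), here is an OpenSSH client config that only ever reaches the legacy device through the bastion, with SHA-1 algorithms re-enabled for that one hop. Host names, addresses, users and the exact algorithm lists are assumptions; older OpenSSH clients spell `PubkeyAcceptedAlgorithms` as `PubkeyAcceptedKeyTypes`.

```sshconfig
# Added example, not from the original post. Host names, addresses,
# users and algorithm lists are assumptions; run `ssh -Q kex`,
# `ssh -Q mac` and `ssh -Q key` to see what your client supports.

# The bastion sits in the legacy system's subnet and is the only SSH
# endpoint the firewall allows from the rest of the network. Pin it to
# SHA-2 based key exchange, MACs and host-key signatures so the hop
# that crosses the network never negotiates SHA-1.
Host bastion
    HostName 10.0.50.10          # assumed address in the legacy subnet
    User jumpadmin
    IdentityFile ~/.ssh/bastion_ed25519
    KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
    MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
    HostKeyAlgorithms ssh-ed25519,rsa-sha2-512
    PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512

# The legacy device is never contacted directly: ProxyJump tunnels the
# connection through the bastion, so the SHA-1 session exists only on
# the legacy subnet. Only the algorithms the device cannot do without
# are appended (the "+" form keeps the defaults), and only for this host.
Host legacy-switch
    HostName 10.0.50.20          # assumed address, same subnet as bastion
    User admin
    ProxyJump bastion
    KexAlgorithms +diffie-hellman-group14-sha1
    MACs +hmac-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
    # Pin the device's host key in a dedicated file so an interception
    # attempt on the legacy subnet shows up as a known_hosts mismatch.
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_legacy
```

Running `ssh legacy-switch` then opens the SHA-2 hop to the bastion first and the SHA-1 hop from there; the firewall rule in the reply is what drops any direct SSH to the legacy device from outside its subnet, so the pinned algorithms on the bastion are the only ones that ever cross the network.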