Remove sha1 based kex algorithms

This patch hardened the server configuration, including removing sha1-based
kex algorithms from the manifest template that puppet uses to generate
the configuration file sshd_config.

It also removed the hardcoded sshd_config and ssh_config from the repo,
replacing them with patches to openssh that harden both server and client
configuration.
This is particularly to address the requirement that the system be
hardened from the very first boot-up (before it is configured by
manifest apply).

It also removed old obsolete patch files in the openssh directory to avoid
confusion.

Change-Id: Ic34bebfd88f46cade3596d920a00311f9aa5980f
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Andy Ning 2018-03-22 10:53:33 -04:00 committed by Jack Ding
parent dba5f3fba7
commit b91d206f56
1 changed files with 5 additions and 1 deletions


@ -123,9 +123,13 @@ Subsystem sftp /usr/libexec/openssh/sftp-server
# AllowTcpForwarding no
# ForceCommand cvs server
DenyUsers admin secadmin operator
# Filtered cipher and MAC list, defaults can be obtained by ssh -Q cipher and ssh -Q mac
# Filtered cipher, MAC and key exchange algorithm list, defaults can be
# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
# using "-" should be used for cipher, MAC and kex excluded suites.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
# This Match block prevents Password Authentication for root user
Match User root
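Review bot: the SHA-1 removal stops at KexAlgorithms; the MACs line in this same hunk still offers hmac-sha1, hmac-sha1-etm@openssh.com and the four hmac-ripemd160 variants, so a client can still negotiate a SHA-1 based MAC with this server. If the goal stated in the commit title is "no SHA-1", drop those entries from MACs as well (e.g. keep hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com and their non-etm forms); if HMAC-SHA1 is being retained deliberately for client compatibility, say so in the comment above the list rather than leaving the title to imply SHA-1 is gone. The new comment lines also still leave the old "Filtered cipher and MAC list" comment in place if that line was not the one removed; only one comment header is needed. One caveat on the new KexAlgorithms line: diffie-hellman-group-exchange-sha256 takes its group sizes from the server's moduli file, which this change does not touch, so the effective minimum group size for GEX depends on that file, not on this line. The TODO about the "-" exclusion syntax is accurate for OpenSSH 7.5 and later.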