Add support for RFC 8308 Extension Negotiation

[Rob-Hague]

We should add support for RFC8308 extension negotation, and primarily, the server-sig-algs extension.

Currently, we always try to authenticate RSA keys first with ssh-rsa (SHA-1) because otherwise certain servers are prone to misbehaving - see #1283 and related discussions. With the server-sig-algs extension implemented, we can know upfront which algorithms the server will accept and we can e.g. save a signature round-trip in the case that the server will not accept ssh-rsa.

There may be some more extensions worth supporting in https://github.com/openssh/openssh-portable/blob/master/PROTOCOL