As pointed out in Remote execution Authentication failure an up-to-date foreman server with remote execution won’t have any issues and doesn’t need any modification of the crypto policies on your el9 clients.
Only old foreman servers with old remote execution plugins using the netssh module instead of the standard ssh clients want to use sha1…