consider blocking compromised SSH keys in bulk
another SSH key vulnerability came out: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
those are private SSH keys that can easily be compromised if they have been generated by Putty with the p521 curve, but previously, we also had the SSH key generation bug in Debian. those are have been enumerated and should be compromised, and blocked on all our systems.
look at whether or not something is present in debian for this, consider https://github.com/rapid7/ssh-badkeys