by javier_e06 1206 days ago
I looked at the list of take-aways and one big important take-away was missing. Testing. If an SSL depends on generating millions of unique keys then there should be an existing test somewhere that ensures that SSL does this before the release into production. The test would have caught the initialization and sent the code back for re-work, clarification.

It is extremely difficult to tell a working and subtly broken RNG apart through testing. Imagine an RNG that repeatedly ran this code:

  date +%s.%N | sha256sum
The output will never recur no matter how many times you run the test, so long as it takes at least a nanosecond. It'll pass all statistical tests of randomness.

And it's completely insecure - just guess the time and you know the output.

True, but that wasn't the case here. If there were only "32,767 possible SSH keys" you wouldn't need to test very many before you'd get a collision. Such a test would have detected this issue and any similar issue that produces keys in such a small set.
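The collision test this reply argues for, run against both generators the thread describes, as an added example (not code from the thread); the 15-bit-PID generator and the timestamp sequence are constructed models of the two cases:

```python
"""Birthday-bound duplicate check: catches a generator whose keys come from a
tiny set (the 32,767 case) but is blind to a time-seeded hash that never
repeats yet is guessable, which is the limitation the earlier reply raises."""
import hashlib
import math
import os
import random

KEYSPACE = 32767  # size of the key set quoted in the thread


def small_keyspace_keygen(rng: random.Random) -> bytes:
    """Constructed model: the only entropy is a 15-bit process id."""
    pid = rng.randrange(KEYSPACE)
    return hashlib.sha256(pid.to_bytes(2, "big")).digest()


def time_seeded_keygen(timestamp_ns: int) -> bytes:
    """Model of `date +%s.%N | sha256sum`: unique per nanosecond, not secret."""
    return hashlib.sha256(str(timestamp_ns).encode()).digest()


def samples_for_collision(keyspace: int, confidence: float = 0.999999) -> int:
    """Birthday bound: draws k with P(some collision) >= confidence when keys
    are uniform over N values, using P(no collision) ~ exp(-k^2 / 2N)."""
    return math.ceil(math.sqrt(-2 * keyspace * math.log(1 - confidence)))


def has_no_duplicates(keys) -> bool:
    seen = set()
    for key in keys:
        if key in seen:
            return False
        seen.add(key)
    return True


def run_collision_tests(samples: int = 0, seed: int = 1) -> dict:
    """Run the same duplicate check against all three generators.
    samples=0 means: use the birthday bound for KEYSPACE (952 draws)."""
    k = samples or samples_for_collision(KEYSPACE)
    rng = random.Random(seed)
    base_ns = 1_700_000_000_000_000_000  # constructed start; one key per microsecond
    return {
        "samples": k,
        "small_keyspace_passes": has_no_duplicates(
            small_keyspace_keygen(rng) for _ in range(k)),
        "time_seeded_passes": has_no_duplicates(
            time_seeded_keygen(base_ns + i * 1_000) for i in range(k)),
        "urandom_passes": has_no_duplicates(os.urandom(32) for _ in range(k)),
    }


if __name__ == "__main__":
    print(run_collision_tests())  # only the small-keyspace generator fails
```

The time-seeded generator passes every run, which is exactly why a collision test belongs in the release suite but cannot be the only check on key generation.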