by michaelt 1206 days ago
It is extremely difficult to tell a working and subtly broken RNG apart through testing. Imagine an RNG that repeatedly ran this code:

  date +%s.%N | sha256sum
The output will never recur no matter how many times you run the test, so long as it takes at least a nanosecond. It'll pass all statistical tests of randomness.

And it's completely insecure - just guess the time and you know the output.


True, but that wasn't the case here. If there were only "32,767 possible SSH keys" you wouldn't need to test very many before you'd get a collision. Such a test would have detected this issue and any similar issue that produces keys in such a small set.
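Both points in this exchange, as one added example that is not code from either commenter: a birthday-style collision test catches a generator with only 32,767 possible outputs, but passes the time-hashing generator from the first comment, which only a predictability check catches. The timestamp, the seed draws and the small-space generator are constructed stand-ins.

```python
import hashlib
import random

KEYSPACE = 32767  # the size quoted in the reply; the generator below is a constructed stand-in


def time_hash_rng(t_ns):
    """The first comment's RNG: sha256 over a 'seconds.nanoseconds' timestamp.
    Every call at a new nanosecond gives a new output, but nothing in it is secret."""
    stamp = f"{t_ns // 10**9}.{t_ns % 10**9:09d}"
    return hashlib.sha256(stamp.encode()).hexdigest()


def small_space_rng(seed):
    """Constructed stand-in for a generator whose only entropy is a value in
    [0, KEYSPACE): at most 32,767 distinct outputs, as the reply describes."""
    return hashlib.sha256(f"seed:{seed % KEYSPACE}".encode()).hexdigest()


def first_repeat(samples):
    """Birthday-style collision test. Returns the index of the first repeated
    output, or None. For a space of N outputs a repeat is expected after about
    1.25*sqrt(N) draws (~226 for N = 32,767), so a few thousand samples suffice."""
    seen = set()
    for i, s in enumerate(samples):
        if s in seen:
            return i
        seen.add(s)
    return None


def reproducible_within(output, approx_t_ns, window_ns):
    """Predictability test the comment implies: can an auditor who knows the
    generation time only to within window_ns recompute the output? Returns the
    matching offset in nanoseconds, or None if the output is not reproducible."""
    for delta in range(-window_ns, window_ns + 1):
        if time_hash_rng(approx_t_ns + delta) == output:
            return delta
    return None


def run_tests(n=3000):
    """Run both checks over constructed samples; report which test catches which RNG."""
    rng = random.Random(1)  # deterministic seed draws (constructed, not a real capture)
    small = [small_space_rng(rng.randrange(KEYSPACE)) for _ in range(n)]
    base_ns = 1_700_000_000_000_000_000  # constructed timestamp
    timed = [time_hash_rng(base_ns + i * 1000) for i in range(n)]  # one call per microsecond
    return {
        "small_space_collides": first_repeat(small) is not None,   # True: test catches it
        "time_hash_collides": first_repeat(timed) is not None,     # False: test misses it
        "time_hash_predictable": reproducible_within(timed[7], base_ns + 7300, 1000) is not None,
    }
```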