Correct. You are almost certainly not at risk. OpenSSL isn't vulnerable to this attack; your stack needs to be seriously archaic to have a vulnerable RSA implementation.
Some OpenSSL deployments use RSA plugins that do not contain the checkāit's not in generic OpenSSL or OpenSSH code, so every engine plugin needs to implement its own check.
Which plugins are you aware of that are used for RSA signatures and don't check signature validity? Just curious, from your comment it seemed like there might be specific ones.