GNU social JP
GNU social JP is a Japanese GNU social server.
    翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Monday, 13-Nov-2023 22:18:16 JST, in reply to Quad:
    @quad There's no real reason to switch to ed25519 if you've already generated 2048+ bit RSA keys, but ed25519 are good for new keys, as they're a lot shorter.

    The issue seems to affect proprietary ssh clients that are poorly programmed and not the RSA scheme itself, so the solution turns out to be not running proprietary malware yet again.

    I'm reminded of a past case where a bunch of proprietary TLS libraries all used the same weak primes (numbers that seem prime, but aren't) for key derivation (rather than randomly generating a strong prime as required by the spec), meaning the NSA and other parties could just do a bunch of brute-forcing against those weak primes and use the results to attack sessions using those weak primes, but I guess this one is fairly different.
    In conversation, Monday, 13-Nov-2023 22:18:16 JST, from freesoftwareextremist.com

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.