Should Dreamhost install and run the following and then notify
affected users of the results? Or am I just overreacting: even if they
have bad keys, because Dreamhost has good systems, it doesn't matter?
ssh-vulnkey checks a key against a blacklist of compromised keys.
-a Check keys of all users on the system. You will typically need
to run ssh-vulnkey as root to use this option. For each user,
ssh-vulnkey will check ~/.ssh/id_rsa, ~/.ssh/id_dsa,
~/.ssh/identity, ~/.ssh/authorized_keys and
~/.ssh/authorized_keys2. It will also check the system's host