the stream

OpenSSH uses MD5 with salt to encrypt the passphrase for RSA keys by default

Alexander Bochmann Saturday 04 of August, 2018
Details here: The default OpenSSH key encryption is worse than plaintext (cache)

@latacora wrote:
The punchline is that the AES key is just MD5(password || IV[:8]). [..] MD5 is very cheap to compute. The only thing this design has going for it is that the salt goes after the password, so you can’t just compute the intermediate state of MD5(IV[8:]) and try passwords from there. That’s faint praise, especially in a world where I can rent a machine that tries billions of MD5 calls per second.

Ssh keypairs for Ed25519 use a new format to encrypt the passphrase. Since 2013, it's been possible to create RSA keys with new-format passphrase encryption using ssh_keygen -o, but since that's not been the default, I don't assume anyone has ever used that (I haven't).

Might be worth replacing all RSA keypairs for pubkey authentication (and remove the corresponding public key from any authorized_keys files on all destination systems) - and all Ed25519 keys that use the same passphrase. Unless you're absolutely certain no one ever had access to the private key, in which case just upgrading the passphrase encryption using ssh-keygen -p -o -f <PRIVATEKEY> might be good enough.