>> 	i guess the problem is not how many users are using s/key, but how many
>> 	of installed systems that has it turned on (most of the openssh
>> 	installation shipped with it turned on).
>Yes, I realize virtually all OpenSSH users were vulnerable.
>However, how could not publishing valid workaround help with that?

	i recommend you to read section 6 (release process) of
	http://openssh.com/txt/preauth.adv

itojun