The xz backdoor had nothing to do with SSH (protocol) or OpenSSH. A Debian version of OpenSSH became potentially vulnerable because of a package maintainer decision to patch OpenSSH.
One could make an argument that no one should be using packages from (Debian) package maintainers. The origin of the xz backdoor in relation to SSH was a Debian package maintainer patching OpenSSH in an effort to support systemd.
Recall Debian's OpenSSL patch:
https://freedom-to-tinker.com/2013/09/20/software-transparen...
FWIW, the xz backdoor had zero potential effect on people using OpenSSH compiled from source without patches. (I do this b/c I prefer static binaries and dislike package managers.) The worst potential risk of the xz backdoor, IMO, was libarchive's use of the xz project. After the backdoor was announced, I re-compiled libarchive without xz support: