This should not be a problem. I talked to the Pluto guy who wrote it. It's not a backdoor, and neither Pluto nor anyone else will have the corresponding private key.
the key is auto-generated at install time for each installation and the purpose is to allow media directors to have ssh access to the main box so that they can do things like modify their boot sequence, access teh database, etc. It's not a common key, and nobody else has the private key, except the media directors. The key is unique for each install and generated on the fly when it install time in these scripts:
ssh-keygen -t dsa -C "Pluto auto-generated key" -f $Dir/$Key -P ""
And the corresponding key is put on the media directors in their boot images. This sounds correct and should make it safe. Please confirm that we're all in agreement that this is ok and not a cause for concern. I was in a bit of a panic mode since I ordered 1,000 replicated dvd's from a mastering house (linuxmce is now sending out dvd's), and obviously if they have any back doors or security holes I have to stop the order and get it fixed. So can you guys post replies confirming we're in consensus that this is not a problem?