by blorgle
3685 days ago
OpenSSH in normal configurations will respond to all requests with an open socket regardless of whether that request is signed or not. The worst-case scenario is something like an OpenSSH unprivileged remote code execution, or a Heartbleed-style attack. OpenSSH behind VPN technology like IPsec or OpenVPN (with TLS auth) means that only authorised (in possession of a valid signing key) clients see the open socket. OpenSSH does have "SSH certificates", but using VPN technology allows you to secure multiple internal services, including those that don't support any encryption natively.
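An added example, not part of the comment above: a check that an `sshd_config` binds sshd only to addresses inside the VPN tunnel subnet, so the SSH socket is never offered to clients that have not passed the VPN's authentication. The `10.8.0.0/24` subnet, the function names and the sample configurations are constructed assumptions.

```python
import ipaddress

# Assumption: the VPN tunnel subnet; change it to match your OpenVPN/IPsec addressing.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")

def listen_addresses(config_text):
    """Return the host part of every active ListenAddress line (Include files are not followed)."""
    hosts = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(parts) < 2 or parts[0].lower() != "listenaddress":
            continue                              # sshd keywords are case-insensitive
        value = parts[1]
        if value.startswith("["):                 # [IPv6]:port
            hosts.append(value[1:value.index("]")])
        elif value.count(":") == 1:               # IPv4:port or hostname:port
            hosts.append(value.split(":")[0])
        else:                                     # bare IPv4, bare IPv6 or hostname
            hosts.append(value)
    return hosts

def exposed_listeners(config_text, vpn_net=VPN_NET):
    """Return the listeners that are reachable without going through the VPN."""
    hosts = listen_addresses(config_text)
    if not hosts:
        # With no ListenAddress, sshd listens on all local addresses.
        return ["* (no ListenAddress: sshd binds every local address)"]
    exposed = []
    for host in hosts:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            exposed.append(host + " (hostname, resolve and check manually)")
            continue
        if addr not in vpn_net:                   # wildcards and other subnets land here
            exposed.append(host)
    return exposed

# Constructed sample configurations.
DEFAULT = "Port 22\n#ListenAddress 0.0.0.0\nPermitRootLogin no\n"
VPN_ONLY = "Port 22\nListenAddress 10.8.0.1\nPermitRootLogin no\n"
MIXED = "ListenAddress 10.8.0.1:22\nListenAddress 0.0.0.0\nListenAddress [::]:22\n"

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT), ("vpn-only", VPN_ONLY), ("mixed", MIXED)):
        print(name, "->", exposed_listeners(cfg) or "VPN only")
```

An empty result means every listener is inside the tunnel subnet; a host firewall rule restricting port 22 to the tunnel interface is still worth keeping as a second layer.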