by bigiain 2704 days ago
Often, but not always.

SSH keys instead of passwords are a good example of better security and more convenience (for the most common use cases).

It'd be nice if more "security improvements" came with ways to make them convenience improvements too...

1 comments

Absolutely, but I prefer not to leave 22/tcp open to the world. If I do leave it open it is only from a restricted IP set, otherwise it is behind a VPN, probably OpenVPN.
Is OpenVPN a safer attack surface compared to OpenSSH?
Sure, especially when you VPN into a sacrificial subnet and need MFA to continue elsewhere into locked-down application domains. OTOH I would leave ssh listening on a nondescript high port with MFA (key and OTP) enabled. No use worrying too much about that.
Is OpenSSH safer when used in addition to OpenVPN?

Probably.

I doubt it.