by andrewshadura 2312 days ago
I'd recommend using tinc instead of ssh tunnels.

I've been relying on the command= syntax of .authorized_keys to restrict what's possible, but I'm not 100% confident in that being impervious to intrusion should someone get access to the on-camera SSH tunnel private keys.

WireGuard is somewhere on my mental todo list for possible replacement of these tunnels, but they do the job and SSH is going to be listening either way to admin the VPS.
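
Added example, not part of the thread: a small audit of `authorized_keys` entries showing what a key can still do when only `command=` is set, since per sshd(8) a forced command does not by itself disable forwarding or PTY allocation. The sample entries, key blobs, paths and ports are constructed, and applying options in listed order is an assumption about how sshd parses them.

```python
import re

# name or name="value"; the value may contain commas, spaces and \" escapes
OPT_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")
TOGGLES = ("port-forwarding", "agent-forwarding", "x11-forwarding", "pty", "user-rc")

def parse_options(line):
    """Return the ordered (name, value) options that precede the key type."""
    line = line.strip()
    if line.startswith(KEY_PREFIXES):
        return []                      # no options field: nothing is restricted
    end, quoted, prev = len(line), False, ""
    for i, ch in enumerate(line):
        if ch == '"' and prev != "\\":
            quoted = not quoted
        elif ch.isspace() and not quoted:
            end = i                    # first unquoted whitespace ends the options
            break
        prev = ch
    return [(m.group(1).lower(), m.group(2)) for m in OPT_RE.finditer(line[:end])]

def audit(line):
    """List what the key may still do besides its forced command."""
    perms, extra = dict.fromkeys(TOGGLES, True), {}
    for name, value in parse_options(line):  # applied in listed order (assumption)
        if name == "restrict":
            perms = dict.fromkeys(TOGGLES, False)
        elif name in perms:
            perms[name] = True               # re-enabled after "restrict"
        elif name.startswith("no-") and name[3:] in perms:
            perms[name[3:]] = False
        else:
            extra[name] = value              # command, permitopen, permitlisten, ...
    findings = [] if "command" in extra else ["no forced command"]
    if perms["port-forwarding"]:
        findings += [f"forwarding allowed without {o}"
                     for o in ("permitopen", "permitlisten") if o not in extra]
    findings += [f"{p} allowed" for p in TOGGLES[1:] if perms[p]]
    return findings

# Constructed sample entries (key blobs are placeholders, not real keys).
COMMAND_ONLY = 'command="/usr/local/bin/tunnel-only" ssh-ed25519 AAAA-constructed cam1'
LOCKED_DOWN = ('restrict,port-forwarding,permitlisten="localhost:8022",'
               'permitopen="localhost:1",command="/bin/false" ssh-ed25519 AAAA-constructed cam2')

if __name__ == "__main__":
    for entry in (COMMAND_ONLY, LOCKED_DOWN):
        print(audit(entry) or "no findings")
```
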

Second that. Tinc is great for this.