The documentation for Cryptsetup SSH unlocker states “To further limit the attack possibility, you should use monitoring and possibly disable SSH unlocker in the case of unexpected behavior.” Mandos has a built-in feature to deal with this, enabled by default.
(Again, disclosure: I am the co-author of Mandos.)
(Again, disclosure: I am the co-author of Mandos.)