I need a reality check, as it's unclear to me what are the goals of
this discussion.
I don't think there are any goals. I asked it just to understand if it would be possible to do what I was thinking (apparently, it is) and the discussion continued from there.
I think most of you are foccusing in servers running Debian, but when I asked the question I was thinking about personal computers.
For example, if there are any vulnerabilities on ssh, they won't be able to get into my computer anyway because I'm always behind a NAT (and I'm not even sure that I have ssh on this computer).
I understand that usually you are worried about directed attacks towards a machine, but in this case the NSA (and probably many other organizations) is interrested in infecting a lot of computers and mine data from there.