> shouldn't the default be "no" for the AllowTcpForwarding? Why is an
> insecure option "yes" by default?
this comes up post-authentication
if someone is authenticated, they can do just about everything else also
frankly, I don't think you have got a clear picture of the problem, which
is that even if we disable this, vendors will simply re-enable it anyways
and nothing changes.