>> It allows a much tighter pledge in the client, so less attack surface
>> against a bad server.
>
>So it's to prevent a malicious SSH server from exploiting a client who
>chooses to use ~C to open up the ssh> prompt and create or destroy
>tunnels?

No.

It makes ssh safer for people who don't use the fancy features,
because the ssh client cannot perform a vast number of system calls
if it gets fooled.

It makes ssh safer for people who don't use ~C.

So you have it completely backwards.

~C requires a ton of system calls.

Let's make a guess that 99% of users don't use ~C. That is a fair
estimate.

Do 100% of users want the safest ssh client, or do they want one
that can do ~C to work for you, in the 1%?

I think 1% of users, the "power users", already manipulate the
configuration file so this is very low effort for them.

So the answer is really obvious. You want fancy features, you turn
them on. That is the roadmap all security sensitive software
eventually has to follow.

Your voice counts for very little (the entitled tone doesn't help).