Yes the -R, ... And I am part of the network team LOL
Allowing inbound ssh w/ shell access means that your network perimeter/firewall is swiss cheese.
I'm assuming that disallowing inbound ssh is not an option. If that's the case, then you can't do anything to guarantee that folks can't do things you don't want them to do. You can set the directives:
AllowTcpForwarding no
GatewayPorts no

However, the sshd_config man page has this to say about AllowTcpForwarding:

"Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders."

Hugh
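An added example, not part of the original message: a small audit of the two directives named above. It reports the value sshd would use globally for each and repeats the man page caveat. The function names and the sample config are constructed for illustration. Include files, Match blocks and the "Keyword=value" form are not handled.

```sh
#!/bin/sh
# Added example (not from the original thread).
# sshd uses the FIRST value it reads for a keyword, keywords are
# case-insensitive, and global scope ends at the first Match line.

effective() {  # usage: effective KEYWORD DEFAULT < config-text
  awk -v want="$1" -v def="$2" '
    BEGIN { want = tolower(want) }
    NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
    { key = tolower($1) }
    key == "match" { exit }                # stop at per-user overrides
    key == want && !found { val = tolower($2); found = 1 }
    END { print (found ? val : def) }'
}

audit_forwarding() {  # usage: audit_forwarding "$config_text"
  # Defaults per sshd_config(5): AllowTcpForwarding yes, GatewayPorts no.
  fwd=$(printf '%s\n' "$1" | effective AllowTcpForwarding yes)
  gw=$(printf '%s\n' "$1" | effective GatewayPorts no)
  echo "AllowTcpForwarding=$fwd GatewayPorts=$gw"
  if [ "$fwd" = no ]; then
    echo "NOTE: sshd refuses forwarding, but users with shell access can still install their own forwarders"
  else
    echo "WARN: sshd accepts forwarding requests (AllowTcpForwarding=$fwd)"
  fi
  if [ "$gw" != no ]; then
    echo "WARN: remote forwards may bind non-loopback addresses (GatewayPorts=$gw)"
  fi
}

# Constructed sample config, not taken from a real host.
SAMPLE='# constructed sample
Port 22
allowtcpforwarding no
AllowTcpForwarding yes
Match Group contractors
    GatewayPorts yes'

audit_forwarding "$SAMPLE"
```

On a live host, the output of `sshd -T` is a better input than the raw file, since it already reflects the values sshd resolved.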