On Tue, 8 Apr 2008, Johan Anderssen wrote:
> Now, my question is, if the remote end with ssh should be
> compromised, is theoretically any way to go over the open ssh
> connection to access the client side of the computer, by using a
> buffer overflow or bug in ssh to execute code or access the local
> network.

If you assume that there is a buffer overflow or any other exploitable
bug in your ssh client, then it can be used to attack you.

> Can sshd initiate connections the opposite way in such a
> configuration or is it only ssh that initiates all connections to
> the sshd endpoint?

If you forward from local port to remote then (if there are no bugs in
ssh) it is possible only to initiate connections from local to remote,
but packets are sent both ways.

> Since this tunnel can be open for quite some time, it could be a
> possible way back into the client system, or am i just too paranoid?

If an attacker controls remote system he can modify packets that are
sent back to your local host and thus may exploit bugs in your local
applications (e.g., web browser or mail client). Btw, it does not
really matter how long the channel stays open since automated attacks
can be executed in a fraction of a second.