Let's be extra paranoid and assume that the SSH server my client is connected to, was "enhanced" so that every SSH client that establishes an connection with it, will be tricked into thinking that it wants to create reverse port forwarding.
This would result in the situation when the passive attacker (owner of the SSH server) would gain access to the SSH client's internal network as soon as the vulnerable client connects to it.
Is this somehow taken care of in OpenSSH? Or is it impossible by SSH design in general?
If you are interested into thinking about SSH client being vulnerable to SSH server, you may find interesting to read these Q&A:
- What are the risks of SSHing to an untrusted host?
- Risks of ssh to an untrusted host? (dupliacate of the above)
- Is it safe to connect to random SSH servers? (also a duplicate of the above)