Thus said Theo de Raadt on Wed, 30 Nov 2022 19:44:09 -0700:

> It makes ssh safer for people who don't use the fancy features,
> because the ssh client cannot perform a vast number of system calls if
> it gets fooled.

Got it, makes sense now; and as you say my understanding was backwards. pledge() is being used to eliminate a bunch of risky system calls for those who are not using ~C and are still at risk even if they are NOT using ~C (especially where ~C users are in the minority as you point out).

Also, as Stuart explained, there is at least an alternative mechanism for opening up dynamic tunnels which means that the need to enable ~C is even less compelling (as long as one is using ControlMaster which is arguably another one of those "power user" features).

And while I've used ControlMaster for years, I was unaware of this alternative as I didn't realize that a shared session could cause the master to open up new tunnels that would remain in place even after the slave exits (nor indeed had I even thought to try it). In my testing it seems that they do in fact remain.

Thanks,

Andy