TCP forwarding is allowed by default, it creates security problem for anonymous SSH access (for example with CVS).
vulners.com/securityvulns/securityvulns:doc:6731