disabling of TCP forwarding ineffective?

I've been asked to disable TCP forwarding on a dozen or so servers,
mostly using openssh 4.3p2, in order to prevent users from bypassing
our firewall rules.  I'm somewhat concerned, however, by the following
snippet from the sshd_config manpage.

``Note that disabling TCP forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.''

Unfortunately, denying shell access isn't really an option at present. 
I'm trying to explain the risk/limitations to my management, but they
seem to be considering this as some sort of magic
``vulnerable=nevermore'' setting.  In other words, they're not
interested unless I can absolutely prove it.

I've been trying to put together an example with ssh and netcat, using
several variations of:

        $ nc -l -p 2000 | ssh myhost nc localhost 2000

This has only been partially successful, however, yielding mere one-way
data flow.  I hate to ask, but would anyone be willing to provide a
working example?  It doesn't need to be particularly fancy, as I just
need to demonstrate this is possible.  My concern is to ensure that
management understands this isn't a cure-all, and to document the
possibility in writing as a CYA measure.



 
____________________________________________________________________________________
Want to start your own business? Learn how on Yahoo! Small Business 
(http://smallbusiness.yahoo.com)