I think the idea was to have a minimally-privileged program that can't do anything but provide a tunnel.
I'm not sure I understand you there - isn't ssh already an encrypted tunnel provider with authorization? What more do we need?
It is, but you may not want to let real users log in directly on an exposed interface. Even if the nx user managed to break out of the shell program that isn't supposed to do anything else, it would be as a user that didn't own anything useful.
You've lost me here. If I can log in as nx via ssh then I can log in as a normal user anyway on that exposed interface. I haven't gained anything except added complexity by adding the extra 'nx' user.
You are talking to the stock sshd here, not something that came with freenx. If you want port forwarding turned off, you can turn it off.
Of course, but the only reason we have this problem is because of the two-stage authentication - if we used ssh to authenticate as the user and not as nx then this wouldn't happen.
Where does the problem come from? It comes from reinventing the wheel...
It doesn't reinvent anything - it just uses an extra login.
It's reinventing authorization, for no fathomable reason - that's all I'm claiming.
Cheers, MaZe.
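For readers following the argument above, here is an added configuration example (not from the thread, FreeNX, or OpenSSH documentation) showing how the stock sshd mentioned in the thread can confine a dedicated `nx` account to the tunnel role: a `Match User` block at the end of `sshd_config` that turns off port forwarding and the other channel types the account has no reason to open. The user name `nx`, the key file path, and the `ForceCommand` path are assumptions for illustration; the directives themselves are standard OpenSSH `sshd_config` keywords, and `Match` blocks must come after all global settings.

```sshd_config
# Global defaults for real users stay as they are above this point.

# Confine the tunnel-only account. Everything here applies solely to "nx"
# (assumed account name); real users are unaffected.
Match User nx
    # Key-based login only; the account never needs a password prompt.
    PasswordAuthentication no
    PermitEmptyPasswords no
    AuthorizedKeysFile /etc/ssh/nx_authorized_keys   # assumed path, root-owned
    # No port forwarding in either direction, no tun/tap tunnels,
    # no agent or X11 forwarding: the account exists only for its session program.
    AllowTcpForwarding no
    PermitTunnel no
    AllowAgentForwarding no
    X11Forwarding no
    # Run the session broker regardless of what the client asks for;
    # the path is an assumption and must point at the installed nxserver binary.
    ForceCommand /usr/NX/bin/nxserver
```

After editing, run `sshd -t` to syntax-check the file and `sshd -T -C user=nx` to print the effective settings for that account before reloading the daemon; the second command is the quickest way to confirm that the `Match` block actually applies and that no later directive overrides it.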