As you can see, SSH security is not easy to implement. Before your organization implements SSH, all target platforms must be in synch on the risks and the mitigations each will implement. One weak platform will unravel all your security quickly. Your security staff must consider risks beyond technical settings; therefore, you must do the same.
Implementing SSH security requires at least a book, if not some hired help. As a security tool, it includes sophisticated VPN, authentication, and process execution and control abilities. This ain’t no mere FTP drop-in replacement.
Remember, using agent forwarding in untrusted environments is risky, and allowing an open interface to the Internet allows unmonitorable tunnels into and out of your company. It’s a big problem, requiring a response from experts. Remediation is not easy; at some point you must inspect the application layer—difficult with encrypted traffic. The best answers are a team approach to the rollout and possibly bringing in the right supplements to your rollout. If you get it right—wow, what a tool! Get it wrong, however, and you’ll have deep weaknesses on your platforms using SSH, wherever they are in your network.