Hello,
I hope you are well.
RouterOS SSH server supports port forwarding via /ip ssh forwarding-enabled=remote, which allows SOCKS5 proxying from RouterOS via SSH to a remote client using ssh -R on the remote. This requires giving the remote client SSH access to the router, even if the most limited (/user group add policy=ssh,![all others]). This opens the router to SSH privilege escalation vulnerabilities (apart from the not exactly documented behaviour of what is available to the client with policy=ssh,![all others]).
Inverting the access pattern (router being the SSH client using ssh -D to connect to the remote SSH server) would remove this proneness to vulnerability.
However, as far as I can tell from previous discussions, the current manual, and the ROS command line, the RouterOS SSH client does not support an analogue of ssh -D (SOCKS5 proxy to remote). Is there a reason for this? Or is there a way to make the RouterOS SSH client do ssh -D?