One problem now on the rising in the world is trojaned ssh binaries that report every (hostname, username, password) combination to some malicious host, often via DNS. This way, one infected system leads to a lot of other infected systems. There has been at least one occasion when the putty downloadable from download.com has been a spyware-installing version. The risk of an infected ssh binary being used by tlclient is not high, since we ship and use our own binaries, but it could happen. We could protect ourselves (and more importantly, our customers) from this by checking the checksum of the ssh binary being used before using it. This would not only give some protection, but it would also give our customers another signal that ThinLinc cares about security.
The security of this is dubious, as if you can modify some parts of tlclient, you should be able to also modify this check of binaries. We also haven't seen any user demand for this.
