Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 9b439df18a9d56683584811ce38dcf72acd4cb20^! / . / sshd_config.5
commit9b439df18a9d56683584811ce38dcf72acd4cb20[log] [tgz]
authorDamien Miller <djm@mindrot.org>Mon Jul 24 14:04:00 2006 +1000
committerDamien Miller <djm@mindrot.org>Mon Jul 24 14:04:00 2006 +1000
treedc7d64d4ae9ce7c47d52804671e8b5d2aedddae3
parent98299261eb970688a7bad346491cffdf2a7f6072 [diff] [blame]
   - dtucker@cvs.openbsd.org 2006/07/17 12:06:00
     [channels.c channels.h servconf.c sshd_config.5]
     Add PermitOpen directive to sshd_config which is equivalent to the
     "permitopen" key option.  Allows server admin to allow TCP port
     forwarding only two specific host/port pairs.  Useful when combined
     with Match.
     If permitopen is used in both sshd_config and a key option, both
     must allow a given connection before it will be permitted.
     Note that users can still use external forwarders such as netcat,
     so to be those must be controlled too for the limits to be effective.
     Feedback & ok djm@, man page corrections & ok jmc@.

diff --git a/sshd_config.5 b/sshd_config.5
index 4db9281..c951523 100644
--- a/sshd_config.5
+++ b/sshd_config.5

@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.61 2006/07/12 13:39:55 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.62 2006/07/17 12:06:00 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -482,9 +482,10 @@
 .Cm Match
 keyword.
 Available keywords are
-.Cm AllowTcpForwarding
+.Cm AllowTcpForwarding ,
+.Cm GatewayPorts ,
 and
-.Cm GatewayPorts .
+.Cm PermitOpen .
 .It Cm MaxAuthTries
 Specifies the maximum number of authentication attempts permitted per
 connection.
@@ -524,6 +525,35 @@
 server allows login to accounts with empty password strings.
 The default is
 .Dq no .
+.It Cm PermitOpen
+Specifies the destinations to which TCP port forwarding is permitted.
+The forwarding specification must be one of the following forms:
+.Pp
+.Bl -item -offset indent -compact
+.It
+.Cm PermitOpen
+.Sm off
+.Ar host : port
+.Sm on
+.It
+.Cm PermitOpen
+.Sm off
+.Ar IPv4_addr : port
+.Sm on
+.It
+.Cm PermitOpen
+.Sm off
+.Ar \&[ IPv6_addr \&] : port
+.Sm on
+.El
+.Pp
+Multiple instances of
+.Cm PermitOpen
+are permitted.
+An argument of
+.Dq any
+can be used to remove all restrictions and permit any forwarding requests.
+By default all port forward requests are permitted.
 .It Cm PermitRootLogin
 Specifies whether root can log in using
 .Xr ssh 1 .