[PATCH] global port forwarding restriction
Tony Finch
dot at dotat.at
Thu Aug 15 00:20:29 EST 2002
Tony Finch <dot at dotat.at> wrote:
>
>This patch makes the existing permitopen="host:port" authorized_keys file
>option available in sshd_config, enabling the administrator to make it
>a global restriction rather than a per-key restriction.
Sorry, I forgot the documentation.
Tony.
--
f.a.n.finch <dot at dotat.at> http://dotat.at/
FAIR ISLE FAEROES: VARIABLE 3 OR 4 BECOMING SOUTH OR SOUTHEAST 5 TO 7, PERHAPS
GALE 8 LATER. RAIN. MODERATE OR GOOD, OCCASIONALLY POOR.
--- sshd_config.5 26 Jul 2002 11:02:29 -0000 1.3
+++ sshd_config.5 14 Aug 2002 14:17:05 -0000
@@ -466,6 +466,31 @@
If this option is set to
.Dq no
root is not allowed to login.
+.It Cm PermitTcpConnect
+Restricts TCP forwarding from the client so that
+only certain connection destinations are permitted.
+In the absence of any
+.Cm PermitTcpConnect
+options, any outgoing connection is permitted
+(although per-key restrictions may be imposed by
+.Cm permitopen=""
+options in
+.Pa authorized_keys
+files).
+If
+.Cm PermitTcpConnect
+options are present then
+.Nm sshd
+will only allow connections to the
+.Ar host Ns : Ns Ar port
+pairs that are specified.
+Multiple permitted destinations may be specified using multiple
+.Cm PermitTcpConnect
+options.
+IPv6 addresses may be specified using the syntax
+.Ar host Ns / Ns Ar port
+for the argument instead of
+.Ar host Ns : Ns Ar port .
.It Cm PermitUserEnvironment
Specifies whether
.Pa ~/.ssh/environment
More information about the openssh-unix-dev
mailing list