[PATCH] global port forwarding restriction

Tony Finch dot at dotat.at
Thu Aug 15 00:20:29 EST 2002


Tony Finch <dot at dotat.at> wrote:
>
>This patch makes the existing permitopen="host:port" authorized_keys file
>option available in sshd_config, enabling the administrator to make it
>a global restriction rather than a per-key restriction.

Sorry, I forgot the documentation.

Tony.
-- 
f.a.n.finch <dot at dotat.at> http://dotat.at/
FAIR ISLE FAEROES: VARIABLE 3 OR 4 BECOMING SOUTH OR SOUTHEAST 5 TO 7, PERHAPS
GALE 8 LATER. RAIN. MODERATE OR GOOD, OCCASIONALLY POOR.



--- sshd_config.5	26 Jul 2002 11:02:29 -0000	1.3
+++ sshd_config.5	14 Aug 2002 14:17:05 -0000
@@ -466,6 +466,31 @@
 If this option is set to
 .Dq no
 root is not allowed to login.
+.It Cm PermitTcpConnect
+Restricts TCP forwarding from the client so that
+only certain connection destinations are permitted.
+In the absence of any
+.Cm PermitTcpConnect
+options, any outgoing connection is permitted
+(although per-key restrictions may be imposed by
+.Cm permitopen=""
+options in
+.Pa authorized_keys
+files).
+If
+.Cm PermitTcpConnect
+options are present then
+.Nm sshd
+will only allow connections to the
+.Ar host Ns : Ns Ar port
+pairs that are specified.
+Multiple permitted destinations may be specified using multiple
+.Cm PermitTcpConnect
+options.
+IPv6 addresses may be specified using the syntax
+.Ar host Ns / Ns Ar port
+for the argument instead of
+.Ar host Ns : Ns Ar port .
 .It Cm PermitUserEnvironment
 Specifies whether
 .Pa ~/.ssh/environment
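Review bot: the new PermitTcpConnect entry never states how the global list combines with a key's permitopen= restrictions when both are present; the text only covers the case where PermitTcpConnect is absent. Add a sentence saying whether a destination must satisfy both the sshd_config list and the key's permitopen list (the restrictive reading an administrator would expect) or either one, so nobody relies on the wrong assumption. The opening phrase "Restricts TCP forwarding from the client" also leaves open whether remote (-R) forwards are affected; since the entry later speaks of "connection destinations" and "any outgoing connection", state explicitly that the option governs the destinations sshd is asked to connect to on the client's behalf, and cross-reference AllowTcpForwarding, which disables forwarding entirely, so readers see where this finer-grained option fits.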



More information about the openssh-unix-dev mailing list