allowing host wildcards in PermitOpen

Darren Tucker dtucker at
Tue Jul 19 16:29:59 AEST 2016

On Tue, Jul 19, 2016 at 1:05 PM, Peter Moody <pmoody at> wrote:
> I have a need to be able to permit ssh proxying to any host in prod,
> but only permit arbitrary ssh port forwards to a very small set of
> hosts. With the current PermitOpen config syntax, I can only specify a
> wildcard in the port field, but I would like to be able to add
> something like the following on my production jumphosts:
>   PermitOpen *:22 special-forwarding-gateway:*
> the attached patch implements this functionality in the most basic way
> possible.

Your patch got stripped by the list software (it strips any non-text
mime types for safety reasons).

There's already an open bug for this:
I'd suggest adding your patch there (and maybe comparing it to the
other implementation).

> It's possible people may want fancier filtering (CIDR based,
> or *, I could add that too if you'd prefer.
> Let me know what sort of CLA you need to have signed. I've gotten the
> go-ahead from our legal folks to submit this.

As long as any new code is licensed under BSD-compatible terms[1] it
should be fine.  For new code we prefer ISC[2] style but from your
description it sounds like there may not be a significant piece of new


Darren Tucker (dtucker at
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
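As an added illustration of the semantics being discussed (a '*' wildcard in the host field of PermitOpen as well as the port field), here is a small Python matcher; it is not OpenSSH's code and not the patch from the thread, and it goes slightly beyond the example line by also handling the existing `any`/`none` keywords and bracketed IPv6 literals. The hostnames and the PermitOpen line in the comments are constructed for the example.

```python
"""Illustrative PermitOpen matcher with a '*' host wildcard (example only)."""

from typing import List, Tuple


def parse_permitopen(spec: str) -> List[Tuple[str, str]]:
    """Split a PermitOpen value into (host, port) pairs.

    Accepts 'any', 'none', host:port, [v6]:port, and a '*' in either the
    host or the port field.  Entries are whitespace separated, as in
    sshd_config, e.g. "*:22 special-forwarding-gateway:*" (constructed).
    """
    spec = spec.strip()
    if spec == "any":
        return [("*", "*")]
    if spec == "none":
        return []
    entries = []
    for token in spec.split():
        if token.startswith("["):           # bracketed IPv6 literal: [::1]:22
            host, _, port = token[1:].partition("]:")
        else:
            host, _, port = token.rpartition(":")
        if not host or not port:
            raise ValueError(f"malformed PermitOpen entry: {token!r}")
        if port != "*" and not (port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"bad port in PermitOpen entry: {token!r}")
        entries.append((host.lower(), port))
    return entries


def forward_permitted(entries: List[Tuple[str, str]], host: str, port: int) -> bool:
    """Return True if a direct-tcpip request to host:port matches any entry.

    '*' matches any host or any port; otherwise the host must match exactly
    (case-insensitively, no DNS resolution) and the port must be equal.
    Anything that matches no entry is refused, so the check fails closed.
    """
    for ehost, eport in entries:
        host_ok = ehost == "*" or ehost == host.lower()
        port_ok = eport == "*" or int(eport) == port
        if host_ok and port_ok:
            return True
    return False
```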
