OpenSSH contract development / patch

Devin Nate devin.nate at
Fri May 5 02:43:26 AEST 2017

Thank you to all that have replied so far, I appreciate your time.

1. For anyone who may be interested, I have attached our current patch. If others find it helpful, feel free to use it. It is released under the terms of the OpenSSH project. The intention of this patch is:
a. This adds a permitgwport option for the authorized_keys file handling, allowing that file to control what ssh -R options a client may submit.
b. This makes sshd require a permitopen option for any ports to be allowed, i.e. if no permitopen appears, then no ssh -L ports will be forwarded.
c. This patch has been somewhat tested, but anyone who wants to use it should review it on their own.

2. Our thought is combining the AuthorizedKeysCommand with the key, and then gluing the port forward firewall rules our system builds. Our users are all AD so we have some extra items we want to do. Our problem isn’t lack of vision or understanding, it’s lack of time – hence me trying to find and pay for smart people and their time!


On 2017-05-03, 6:44 PM, "Stephen Harris" <lists at> wrote:

    On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote:
    > Hi Devin, have you looked at using openssh certificates to help manage
    > While the feature has been around for a while now (and is really
    > useful), there doesn't seem to be huge amount of documentation around
    > it. I found the following useful when getting a client of my running
    Yeah, when I wrote about it last year I didn't find many clients
    (just the openssh client) understood it:
    How many clients do work with CA signed keys?
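The following is an added example, not the attached patch or any OpenSSH code: a small Python model of the authorized_keys forwarding policy the message describes, so the effect of points (a) and (b) can be seen on concrete option strings. It parses the options field of an authorized_keys line (including quoted values), applies the stock permitopen matching rules (literal host, port number or `*`, IPv6 in brackets) to a requested `ssh -L` target, and denies the forward when no permitopen option is present at all, which is the behaviour change in (b). For (a) it assumes a hypothetical `permitgwport="[host:]port"` syntax for remote forwards; the real patch may use a different form. Later OpenSSH releases added a `permitlisten` option for restricting `ssh -R`, which covers the same need upstream.

```python
"""Model of the authorized_keys forwarding policy described in the email.

Added example, not the patch itself. The permitgwport option is taken
from the email; its value syntax ("[host:]port") is an assumption.
"""


def parse_key_options(options):
    """Split an authorized_keys options field into (name, value) pairs.

    Values may be double-quoted and may contain commas, e.g.
    permitopen="10.0.0.5:443". Repeated options (permitopen, permitgwport)
    are kept as separate entries, as sshd treats them cumulatively.
    """
    result = []
    i, n = 0, len(options)
    while i < n:
        j = i
        while j < n and options[j] not in "=,":
            j += 1
        name = options[i:j].strip().lower()
        value = None
        if j < n and options[j] == "=":
            j += 1
            if j < n and options[j] == '"':
                k = options.find('"', j + 1)
                if k == -1:
                    raise ValueError("unterminated quoted option value")
                value = options[j + 1:k]
                j = k + 1
            else:
                k = options.find(",", j)
                k = n if k == -1 else k
                value = options[j:k]
                j = k
        if j < n and options[j] == ",":
            j += 1
        if name:
            result.append((name, value))
        i = j
    return result


def _split_host_port(spec):
    """Split 'host:port' or '[v6addr]:port' into (host, port) strings."""
    if spec.startswith("["):
        end = spec.index("]")
        return spec[1:end], spec[end + 2:]
    host, _, port = spec.rpartition(":")
    return host, port


def _matches(spec, host, port):
    """permitopen semantics: literal host, exact port or '*' for any port."""
    h, p = _split_host_port(spec)
    return h == host and (p == "*" or p == str(port))


def local_forward_allowed(options, host, port):
    """Point (b): ssh -L to host:port is allowed only if a permitopen matches.

    Stock sshd allows every -L target when no permitopen is given; the
    patch's policy denies in that case, which is what this returns.
    """
    specs = [v for name, v in options if name == "permitopen" and v]
    return any(_matches(s, host, port) for s in specs)


def remote_forward_allowed(options, port, bind_host="localhost"):
    """Point (a): ssh -R listen port is allowed only if a permitgwport matches.

    Assumed syntax: permitgwport="port" or permitgwport="host:port".
    """
    specs = [v for name, v in options if name == "permitgwport" and v]
    for s in specs:
        if s.startswith("[") or ":" in s:
            h, p = _split_host_port(s)
            if h == bind_host and (p == "*" or p == str(port)):
                return True
        elif s == "*" or s == str(port):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample options field from an authorized_keys line.
    line = 'permitopen="10.0.0.5:443",permitopen="[fd00::1]:*",permitgwport="8080",no-pty'
    opts = parse_key_options(line)
    print("-L 10.0.0.5:443 ->", local_forward_allowed(opts, "10.0.0.5", 443))
    print("-L 10.0.0.5:80  ->", local_forward_allowed(opts, "10.0.0.5", 80))
    print("-R 8080         ->", remote_forward_allowed(opts, 8080))
    print("-L with no permitopen ->",
          local_forward_allowed(parse_key_options("no-pty"), "10.0.0.5", 443))
```

Running the script shows the first, third and fourth checks behave as the email describes: matching permitopen entries pass, a non-matching port fails, and a key with no permitopen at all gets no `-L` forwards under the patched policy even though stock sshd would allow it.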

More information about the openssh-unix-dev mailing list