Decouple AllowStreamLocalForwarding and AllowTcpForwarding
Baptiste Daroussin
bapt at nours.eu
Thu Apr 9 19:51:39 AEST 2026
On Tue 28 Oct 07:47, Baptiste Daroussin wrote:
> On Thu 16 Oct 13:43, Baptiste Daroussin wrote:
> > hello everyone,
>
> Hello,
>
> Anything I should do on my side to make this progress?
>
Is the preferred way to send patches via GitHub? If needed I can add unit tests.
Best regards,
Bapt
> >
> > I am trying to fix an issue we have at $work with the fact that the
> > AllowStreamLocalForwarding option is dependent on the AllowTcpForwarding option
> > (this issue has been reported multiple times by others in the past).
> >
> > When looking at the code, I can see 2 approaches:
> > 1/ the complete option would consist in removing FORWARD_LOCAL and
> > FORWARD_REMOTE and replace them with TCP_FORWARD_LOCAL and TCP_FORWARD_REMOTE
> > then introduce STREAMLOCAL_FORWARD_LOCAL and STREAMLOCAL_FORWARD_REMOTE and
> > duplicate all the code to deal with both case.
> >
> > 2/ the lazy approach which is the one I took so far would be to apply the patch.
> >
> > I am not very familiar with ssh code, but it seems to work and not break the
> > testsuite. Still I am pretty sure this is too naive, what do you think?
> >
> > Best regards,
> > Bapt
> >
> > ---
> > session.c | 6 ++++--
> > 1 file changed, 4 insertions(+), 2 deletions(-)
> >
> > diff --git a/session.c b/session.c
> > index f265fdc3ed3..e35ff360ec9 100644
> > --- a/session.c
> > +++ b/session.c
> > @@ -323,11 +323,13 @@ do_authenticated(struct ssh *ssh, Authctxt *authctxt)
> > channel_disable_admin(ssh, FORWARD_LOCAL);
> > channel_disable_admin(ssh, FORWARD_REMOTE);
> > } else {
> > - if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
> > + if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0 &&
> > + (options.allow_streamlocal_forwarding & FORWARD_LOCAL) == 0)
> > channel_disable_admin(ssh, FORWARD_LOCAL);
> > else
> > channel_permit_all(ssh, FORWARD_LOCAL);
> > - if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0)
> > + if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 &&
> > + (options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0)
> > channel_disable_admin(ssh, FORWARD_REMOTE);
> > else
> > channel_permit_all(ssh, FORWARD_REMOTE);
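Review bot: the else branches now call channel_permit_all(ssh, FORWARD_LOCAL) / channel_permit_all(ssh, FORWARD_REMOTE) whenever either option allows that direction, so with AllowTcpForwarding no and AllowStreamLocalForwarding yes the channel-level admin block is lifted for TCP forwards as well as stream-local ones, since FORWARD_LOCAL and FORWARD_REMOTE do not distinguish the two types. Unless a separate per-request check enforces options.allow_tcp_forwarding when a client opens a TCP forward, this hunk widens what is permitted rather than only decoupling the options; the patch description should state where that check lives, or the change should take the first approach described above and keep separate admin flags per forwarding type. A regression test covering "AllowTcpForwarding no" plus "AllowStreamLocalForwarding yes" (TCP forward refused, Unix-domain forward accepted) would make the intended behaviour verifiable and is worth adding, as offered.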