summaryrefslogtreecommitdiff
path: root/usr.bin/ssh/sshd_config.5
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@cvs.openbsd.org>2006-07-17 12:06:01 +0000
committerDarren Tucker <dtucker@cvs.openbsd.org>2006-07-17 12:06:01 +0000
commitc9f2cd05915314961b7e5d9c274ec0e8608eac36 (patch)
tree7620084451c561af7731e75b4bd67c43d20eec41 /usr.bin/ssh/sshd_config.5
parent48eb65f0a181ca249dc65a57813da6a8b9694839 (diff)
Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding only two specific host/port pairs. Useful when combined with Match. If permitopen is used in both sshd_config and a key option, both must allow a given connection before it will be permitted. Note that users can still use external forwarders such as netcat, so to be those must be controlled too for the limits to be effective. Feedback & ok djm@, man page corrections & ok jmc@.
Diffstat (limited to 'usr.bin/ssh/sshd_config.5')
-rw-r--r--usr.bin/ssh/sshd_config.536
1 files changed, 33 insertions, 3 deletions
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index b0ef53c41c8..2c2623cf5c5 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.61 2006/07/12 13:39:55 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.62 2006/07/17 12:06:00 dtucker Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@@ -482,9 +482,10 @@ Only a subset of keywords may be used on the lines following a
.Cm Match
keyword.
Available keywords are
-.Cm AllowTcpForwarding
+.Cm AllowTcpForwarding ,
+.Cm GatewayPorts ,
and
-.Cm GatewayPorts .
+.Cm PermitOpen .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.
@@ -524,6 +525,35 @@ When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
The default is
.Dq no .
+.It Cm PermitOpen
+Specifies the destinations to which TCP port forwarding is permitted.
+The forwarding specification must be one of the following forms:
+.Pp
+.Bl -item -offset indent -compact
+.It
+.Cm PermitOpen
+.Sm off
+.Ar host : port
+.Sm on
+.It
+.Cm PermitOpen
+.Sm off
+.Ar IPv4_addr : port
+.Sm on
+.It
+.Cm PermitOpen
+.Sm off
+.Ar \&[ IPv6_addr \&] : port
+.Sm on
+.El
+.Pp
+Multiple instances of
+.Cm PermitOpen
+are permitted.
+An argument of
+.Dq any
+can be used to remove all restrictions and permit any forwarding requests.
+By default all port forward requests are permitted.
.It Cm PermitRootLogin
Specifies whether root can log in using
.Xr ssh 1 .