- markus@cvs.openbsd.org 2001/03/16 19:06:30

     [auth-options.c channels.c channels.h serverloop.c session.c]
     implement "permitopen" key option, restricts -L style forwarding to
     to specified host:port pairs. based on work by harlan@genua.de

1 files changed, 3 insertions, 8 deletions

diff --git a/session.c b/session.c
index 5e6926b56..9c4828ac7 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.60 2001/03/15 22:07:08 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.61 2001/03/16 19:06:30 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -228,13 +228,6 @@ do_authenticated(struct passwd * pw)
                 startup_pipe = -1;
         }
 
-        /*
-         * Inform the channel mechanism that we are the server side and that
-         * the client may request to connect to any port at all. (The user
-         * could do it anyway, and we wouldn\'t know what is permitted except
-         * by the client telling us, so we can equally well trust the client
-         * not to request anything bogus.)
-         */
         if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
                 channel_permit_all_opens();
 
@@ -2037,6 +2030,8 @@ do_authenticated2(Authctxt *authctxt)
                 close(startup_pipe);
                 startup_pipe = -1;
         }
+        if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+                channel_permit_all_opens();
 #if defined(HAVE_LOGIN_CAP) && defined(HAVE_PW_CLASS_IN_PASSWD)
         if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) {
                 error("unable to get login class");