- djm@cvs.openbsd.org 2012/12/02 20:46:11

     [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
     [sshd_config.5]
     make AllowTcpForwarding accept "local" and "remote" in addition to its
     current "yes"/"no" to allow the server to specify whether just local or
     remote TCP forwarding is enabled. ok markus@

1 files changed, 6 insertions, 3 deletions

diff --git a/session.c b/session.c
index 65bf28776..643e7fc59 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.260 2012/03/15 03:10:27 guenther Exp $ */
+/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -273,7 +273,10 @@ do_authenticated(Authctxt *authctxt)
         setproctitle("%s", authctxt->pw->pw_name);
 
         /* setup the channel layer */
-        if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+        if (no_port_forwarding_flag ||
+            (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+                channel_disable_adm_local_opens();
+        else
                 channel_permit_all_opens();
 
         auth_debug_send();
@@ -383,7 +386,7 @@ do_authenticated1(Authctxt *authctxt)
                                 debug("Port forwarding not permitted for this authentication.");
                                 break;
                         }
-                        if (!options.allow_tcp_forwarding) {
+                        if (!(options.allow_tcp_forwarding & FORWARD_REMOTE)) {
                                 debug("Port forwarding not permitted.");
                                 break;
                         }