upstream: allow bare port numbers to appear in PermitListen directives,

e.g. PermitListen 2222 8080 is equivalent to: PermitListen *:2222 *:8080 Some bonus manpage improvements, mostly from markus@ "looks fine" markus@ OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
author: djm@openbsd.org <djm@openbsd.org> 2018-06-19 02:59:41 +0000
committer: Damien Miller <djm@mindrot.org> 2018-06-19 13:00:50 +1000
commit: 87ddd676da0f3abd08b778b12b53b91b670dc93c (patch)
tree: 57bf11cf56aeddffdafdc97b74d7bc632c317df7 /sshd.8
parent: 26f96ca10ad0ec5da9b05b99de1e1ccea15a11be (diff)
1 files changed, 15 insertions, 4 deletions
diff --git a/sshd.8 b/sshd.8
index 6127bb576..c05bbe65c 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.301 2018/06/07 11:26:14 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.302 2018/06/19 02:59:41 djm Exp $
-.Dd $Mdocdate: June 7 2018 $
+.Dd $Mdocdate: June 19 2018 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -554,11 +554,11 @@ Disables execution of
 .It Cm no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
 Any X11 forward requests by the client will return an error.
-.It Cm permitlisten="host:port"
+.It Cm permitlisten="[host:]port"
 Limit remote port forwarding with the
 .Xr ssh 1
 .Fl R
-option such that it may only listen on the specified host and port.
+option such that it may only listen on the specified host (optional) and port.
 IPv6 addresses can be specified by enclosing the address in square brackets.
 Multiple
 .Cm permitlisten
@@ -571,6 +571,15 @@ matches any port.
 Note that the setting of
 .Cm GatewayPorts
 may further restrict listen addresses.
+Note that
+.Xr ssh 1
+will send a hostname of
+.Dq localhost
+if a listen host was not specified when the forwarding was requested, and
+that his name is treated differently to the explicit localhost addresses
+.Dq 127.0.0.1
+and
+.Dq ::1 .
 .It Cm permitopen="host:port"
 Limit local port forwarding with the
 .Xr ssh 1
@@ -639,6 +648,8 @@ command="dump /home",no-pty,no-port-forwarding ssh-dss
 AAAAC3...51R== example.net
 permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
 AAAAB5...21S==
+permitlisten="localhost:8080",permitopen="localhost:22000" ssh-dss
+AAAAB5...21S==
 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
 jane@example.net
 restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
author	djm@openbsd.org <djm@openbsd.org>	2018-06-19 02:59:41 +0000
committer	Damien Miller <djm@mindrot.org>	2018-06-19 13:00:50 +1000
commit	87ddd676da0f3abd08b778b12b53b91b670dc93c (patch)
tree	57bf11cf56aeddffdafdc97b74d7bc632c317df7 /sshd.8
parent	26f96ca10ad0ec5da9b05b99de1e1ccea15a11be (diff)

diff --git a/sshd.8 b/sshd.8 index 6127bb576..c05bbe65c 100644 --- a/sshd.8 +++ b/sshd.8
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd.8,v 1.301 2018/06/07 11:26:14 jmc Exp $	36	.\" $OpenBSD: sshd.8,v 1.302 2018/06/19 02:59:41 djm Exp $
37	.Dd $Mdocdate: June 7 2018 $	37	.Dd $Mdocdate: June 19 2018 $
38	.Dt SSHD 8	38	.Dt SSHD 8
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -554,11 +554,11 @@ Disables execution of
554	.It Cm no-X11-forwarding	554	.It Cm no-X11-forwarding
555	Forbids X11 forwarding when this key is used for authentication.	555	Forbids X11 forwarding when this key is used for authentication.
556	Any X11 forward requests by the client will return an error.	556	Any X11 forward requests by the client will return an error.
557	.It Cm permitlisten="host:port"	557	.It Cm permitlisten="[host:]port"
558	Limit remote port forwarding with the	558	Limit remote port forwarding with the
559	.Xr ssh 1	559	.Xr ssh 1
560	.Fl R	560	.Fl R
561	option such that it may only listen on the specified host and port.	561	option such that it may only listen on the specified host (optional) and port.
562	IPv6 addresses can be specified by enclosing the address in square brackets.	562	IPv6 addresses can be specified by enclosing the address in square brackets.
563	Multiple	563	Multiple
564	.Cm permitlisten	564	.Cm permitlisten
@@ -571,6 +571,15 @@ matches any port.
571	Note that the setting of	571	Note that the setting of
572	.Cm GatewayPorts	572	.Cm GatewayPorts
573	may further restrict listen addresses.	573	may further restrict listen addresses.
		574	Note that
		575	.Xr ssh 1
		576	will send a hostname of
		577	.Dq localhost
		578	if a listen host was not specified when the forwarding was requested, and
		579	that his name is treated differently to the explicit localhost addresses
		580	.Dq 127.0.0.1
		581	and
		582	.Dq ::1 .
574	.It Cm permitopen="host:port"	583	.It Cm permitopen="host:port"
575	Limit local port forwarding with the	584	Limit local port forwarding with the
576	.Xr ssh 1	585	.Xr ssh 1
@@ -639,6 +648,8 @@ command="dump /home",no-pty,no-port-forwarding ssh-dss
639	AAAAC3...51R== example.net	648	AAAAC3...51R== example.net
640	permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss	649	permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
641	AAAAB5...21S==	650	AAAAB5...21S==
		651	permitlisten="localhost:8080",permitopen="localhost:22000" ssh-dss
		652	AAAAB5...21S==
642	tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==	653	tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
643	jane@example.net	654	jane@example.net
644	restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==	655	restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==