upstream: man bits for PermitListen

OpenBSD-Commit-ID: 35b200cba4e46a16a4db6a80ef11838ab0fad67c
author: djm@openbsd.org <djm@openbsd.org> 2018-06-06 18:24:00 +0000
committer: Damien Miller <djm@mindrot.org> 2018-06-07 04:27:21 +1000
commit: 04df43208b5b460d7360e1598f876b92a32f5922 (patch)
tree: 6cf9b06fbc4637dedaf8240151470275fcaad728 /sshd_config.5
parent: 93c06ab6b77514e0447fe4f1d822afcbb2a9be08 (diff)
1 files changed, 41 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 1231f3db8..775caf717 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.270 2018/06/01 06:23:10 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.271 2018/06/06 18:24:00 djm Exp $
-.Dd $Mdocdate: June 1 2018 $
+.Dd $Mdocdate: June 6 2018 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1125,6 +1125,7 @@ Available keywords are
 .Cm MaxSessions ,
 .Cm PasswordAuthentication ,
 .Cm PermitEmptyPasswords ,
+.Cm PermitListen ,
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
 .Cm PermitTTY ,
@@ -1184,6 +1185,44 @@ When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
 The default is
 .Cm no .
+.It Cm PermitListen
+Specifies the addresses/ports on which a remote TCP port forwarding may listen.
+The listen specification must be one of the following forms:
+.Pp
+.Bl -item -offset indent -compact
+.It
+.Cm PermitListen
+.Sm off
+.Ar host : port
+.Sm on
+.It
+.Cm PermitListen
+.Sm off
+.Ar IPv4_addr : port
+.Sm on
+.It
+.Cm PermitListen
+.Sm off
+.Ar \&[ IPv6_addr \&] : port
+.Sm on
+.El
+.Pp
+Multiple permissions may be specified by separating them with whitespace.
+An argument of
+.Cm any
+can be used to remove all restrictions and permit any listen requests.
+An argument of
+.Cm none
+can be used to prohibit all listen requests.
+The host name may contain wildcards as described in the PATTERNS section in
+.Xr ssh_config 5 .
+The wildcard
+.Sq *
+can also be used in place of a port number to allow all ports.
+By default all port forwarding listen requests are permitted.
+Note that
+.Cm GatewayPorts
+option may further restrict which addresses may be listened on.
 .It Cm PermitOpen
 Specifies the destinations to which TCP port forwarding is permitted.
 The forwarding specification must be one of the following forms:
author	djm@openbsd.org <djm@openbsd.org>	2018-06-06 18:24:00 +0000
committer	Damien Miller <djm@mindrot.org>	2018-06-07 04:27:21 +1000
commit	04df43208b5b460d7360e1598f876b92a32f5922 (patch)
tree	6cf9b06fbc4637dedaf8240151470275fcaad728 /sshd_config.5
parent	93c06ab6b77514e0447fe4f1d822afcbb2a9be08 (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 1231f3db8..775caf717 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.270 2018/06/01 06:23:10 jmc Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.271 2018/06/06 18:24:00 djm Exp $
37	.Dd $Mdocdate: June 1 2018 $	37	.Dd $Mdocdate: June 6 2018 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -1125,6 +1125,7 @@ Available keywords are
1125	.Cm MaxSessions ,	1125	.Cm MaxSessions ,
1126	.Cm PasswordAuthentication ,	1126	.Cm PasswordAuthentication ,
1127	.Cm PermitEmptyPasswords ,	1127	.Cm PermitEmptyPasswords ,
		1128	.Cm PermitListen ,
1128	.Cm PermitOpen ,	1129	.Cm PermitOpen ,
1129	.Cm PermitRootLogin ,	1130	.Cm PermitRootLogin ,
1130	.Cm PermitTTY ,	1131	.Cm PermitTTY ,
@@ -1184,6 +1185,44 @@ When password authentication is allowed, it specifies whether the
1184	server allows login to accounts with empty password strings.	1185	server allows login to accounts with empty password strings.
1185	The default is	1186	The default is
1186	.Cm no .	1187	.Cm no .
		1188	.It Cm PermitListen
		1189	Specifies the addresses/ports on which a remote TCP port forwarding may listen.
		1190	The listen specification must be one of the following forms:
		1191	.Pp
		1192	.Bl -item -offset indent -compact
		1193	.It
		1194	.Cm PermitListen
		1195	.Sm off
		1196	.Ar host : port
		1197	.Sm on
		1198	.It
		1199	.Cm PermitListen
		1200	.Sm off
		1201	.Ar IPv4_addr : port
		1202	.Sm on
		1203	.It
		1204	.Cm PermitListen
		1205	.Sm off
		1206	.Ar \&[ IPv6_addr \&] : port
		1207	.Sm on
		1208	.El
		1209	.Pp
		1210	Multiple permissions may be specified by separating them with whitespace.
		1211	An argument of
		1212	.Cm any
		1213	can be used to remove all restrictions and permit any listen requests.
		1214	An argument of
		1215	.Cm none
		1216	can be used to prohibit all listen requests.
		1217	The host name may contain wildcards as described in the PATTERNS section in
		1218	.Xr ssh_config 5 .
		1219	The wildcard
		1220	.Sq *
		1221	can also be used in place of a port number to allow all ports.
		1222	By default all port forwarding listen requests are permitted.
		1223	Note that
		1224	.Cm GatewayPorts
		1225	option may further restrict which addresses may be listened on.
1187	.It Cm PermitOpen	1226	.It Cm PermitOpen
1188	Specifies the destinations to which TCP port forwarding is permitted.	1227	Specifies the destinations to which TCP port forwarding is permitted.
1189	The forwarding specification must be one of the following forms:	1228	The forwarding specification must be one of the following forms: