diff options
| author | Damien Miller <djm@mindrot.org> | 2006-07-24 14:04:00 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2006-07-24 14:04:00 +1000 |
| commit | 9b439df18a9d56683584811ce38dcf72acd4cb20 (patch) | |
| tree | dc7d64d4ae9ce7c47d52804671e8b5d2aedddae3 /sshd_config.5 | |
| parent | 98299261eb970688a7bad346491cffdf2a7f6072 (diff) | |
- dtucker@cvs.openbsd.org 2006/07/17 12:06:00
[channels.c channels.h servconf.c sshd_config.5]
Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port
forwarding only two specific host/port pairs. Useful when combined
with Match.
If permitopen is used in both sshd_config and a key option, both
must allow a given connection before it will be permitted.
Note that users can still use external forwarders such as netcat,
so to be those must be controlled too for the limits to be effective.
Feedback & ok djm@, man page corrections & ok jmc@.
Diffstat (limited to 'sshd_config.5')
| -rw-r--r-- | sshd_config.5 | 36 |
1 files changed, 33 insertions, 3 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 4db92814c..c9515234d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -34,7 +34,7 @@ | |||
| 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 36 | .\" | 36 | .\" |
| 37 | .\" $OpenBSD: sshd_config.5,v 1.61 2006/07/12 13:39:55 jmc Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.62 2006/07/17 12:06:00 dtucker Exp $ |
| 38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
| 39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
| 40 | .Os | 40 | .Os |
| @@ -482,9 +482,10 @@ Only a subset of keywords may be used on the lines following a | |||
| 482 | .Cm Match | 482 | .Cm Match |
| 483 | keyword. | 483 | keyword. |
| 484 | Available keywords are | 484 | Available keywords are |
| 485 | .Cm AllowTcpForwarding | 485 | .Cm AllowTcpForwarding , |
| 486 | .Cm GatewayPorts , | ||
| 486 | and | 487 | and |
| 487 | .Cm GatewayPorts . | 488 | .Cm PermitOpen . |
| 488 | .It Cm MaxAuthTries | 489 | .It Cm MaxAuthTries |
| 489 | Specifies the maximum number of authentication attempts permitted per | 490 | Specifies the maximum number of authentication attempts permitted per |
| 490 | connection. | 491 | connection. |
| @@ -524,6 +525,35 @@ When password authentication is allowed, it specifies whether the | |||
| 524 | server allows login to accounts with empty password strings. | 525 | server allows login to accounts with empty password strings. |
| 525 | The default is | 526 | The default is |
| 526 | .Dq no . | 527 | .Dq no . |
| 528 | .It Cm PermitOpen | ||
| 529 | Specifies the destinations to which TCP port forwarding is permitted. | ||
| 530 | The forwarding specification must be one of the following forms: | ||
| 531 | .Pp | ||
| 532 | .Bl -item -offset indent -compact | ||
| 533 | .It | ||
| 534 | .Cm PermitOpen | ||
| 535 | .Sm off | ||
| 536 | .Ar host : port | ||
| 537 | .Sm on | ||
| 538 | .It | ||
| 539 | .Cm PermitOpen | ||
| 540 | .Sm off | ||
| 541 | .Ar IPv4_addr : port | ||
| 542 | .Sm on | ||
| 543 | .It | ||
| 544 | .Cm PermitOpen | ||
| 545 | .Sm off | ||
| 546 | .Ar \&[ IPv6_addr \&] : port | ||
| 547 | .Sm on | ||
| 548 | .El | ||
| 549 | .Pp | ||
| 550 | Multiple instances of | ||
| 551 | .Cm PermitOpen | ||
| 552 | are permitted. | ||
| 553 | An argument of | ||
| 554 | .Dq any | ||
| 555 | can be used to remove all restrictions and permit any forwarding requests. | ||
| 556 | By default all port forward requests are permitted. | ||
| 527 | .It Cm PermitRootLogin | 557 | .It Cm PermitRootLogin |
| 528 | Specifies whether root can log in using | 558 | Specifies whether root can log in using |
| 529 | .Xr ssh 1 . | 559 | .Xr ssh 1 . |