1 files changed, 35 insertions, 7 deletions
diff --git a/sshd.8 b/sshd.8
index 378aeb9f5..4abc01d66 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.299 2018/03/14 06:56:20 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.304 2018/07/22 12:16:59 dtucker Exp $
-.Dd $Mdocdate: March 14 2018 $
+.Dd $Mdocdate: July 22 2018 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -277,7 +277,7 @@ locked, listed in
 .Cm DenyUsers
 or its group is listed in
 .Cm DenyGroups
-\&.  The definition of a locked account is system dependant. Some platforms
+\&.  The definition of a locked account is system dependent. Some platforms
 have their own account database (eg AIX) and some modify the passwd field (
 .Ql \&*LK\&*
 on Solaris and UnixWare,
@@ -554,11 +554,37 @@ Disables execution of
 .It Cm no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
 Any X11 forward requests by the client will return an error.
+.It Cm permitlisten="[host:]port"
+Limit remote port forwarding with the
+.Xr ssh 1
+.Fl R
+option such that it may only listen on the specified host (optional) and port.
+IPv6 addresses can be specified by enclosing the address in square brackets.
+Multiple
+.Cm permitlisten
+options may be applied separated by commas.
+Hostnames may include wildcards as described in the PATTERNS section in
+.Xr ssh_config 5 .
+A port specification of
+.Cm *
+matches any port.
+Note that the setting of
+.Cm GatewayPorts
+may further restrict listen addresses.
+Note that
+.Xr ssh 1
+will send a hostname of
+.Dq localhost
+if a listen host was not specified when the forwarding was requested, and
+that this name is treated differently to the explicit localhost addresses
+.Dq 127.0.0.1
+and
+.Dq ::1 .
 .It Cm permitopen="host:port"
-Limit local port forwarding with
+Limit local port forwarding with the
 .Xr ssh 1
 .Fl L
-such that it may only connect to the specified host and port.
+option such that it may only connect to the specified host and port.
 IPv6 addresses can be specified by enclosing the address in square brackets.
 Multiple
 .Cm permitopen
@@ -618,9 +644,11 @@ An example authorized_keys file:
 ssh-rsa AAAAB3Nza...LiPk== user@example.net
 from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
 AAAAB2...19Q== john@example.net
-command="dump /home",no-pty,no-port-forwarding ssh-dss
+command="dump /home",no-pty,no-port-forwarding ssh-rsa
 AAAAC3...51R== example.net
-permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
+permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa
+AAAAB5...21S==
+permitlisten="localhost:8080",permitopen="localhost:22000" ssh-rsa
 AAAAB5...21S==
 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
 jane@example.net

diff --git a/sshd.8 b/sshd.8 index 378aeb9f5..4abc01d66 100644 --- a/sshd.8 +++ b/sshd.8
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd.8,v 1.299 2018/03/14 06:56:20 jmc Exp $	36	.\" $OpenBSD: sshd.8,v 1.304 2018/07/22 12:16:59 dtucker Exp $
37	.Dd $Mdocdate: March 14 2018 $	37	.Dd $Mdocdate: July 22 2018 $
38	.Dt SSHD 8	38	.Dt SSHD 8
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -277,7 +277,7 @@ locked, listed in
277	.Cm DenyUsers	277	.Cm DenyUsers
278	or its group is listed in	278	or its group is listed in
279	.Cm DenyGroups	279	.Cm DenyGroups
280	\&. The definition of a locked account is system dependant. Some platforms	280	\&. The definition of a locked account is system dependent. Some platforms
281	have their own account database (eg AIX) and some modify the passwd field (	281	have their own account database (eg AIX) and some modify the passwd field (
282	.Ql \&LK\&	282	.Ql \&LK\&
283	on Solaris and UnixWare,	283	on Solaris and UnixWare,
@@ -554,11 +554,37 @@ Disables execution of
554	.It Cm no-X11-forwarding	554	.It Cm no-X11-forwarding
555	Forbids X11 forwarding when this key is used for authentication.	555	Forbids X11 forwarding when this key is used for authentication.
556	Any X11 forward requests by the client will return an error.	556	Any X11 forward requests by the client will return an error.
		557	.It Cm permitlisten="[host:]port"
		558	Limit remote port forwarding with the
		559	.Xr ssh 1
		560	.Fl R
		561	option such that it may only listen on the specified host (optional) and port.
		562	IPv6 addresses can be specified by enclosing the address in square brackets.
		563	Multiple
		564	.Cm permitlisten
		565	options may be applied separated by commas.
		566	Hostnames may include wildcards as described in the PATTERNS section in
		567	.Xr ssh_config 5 .
		568	A port specification of
		569	.Cm *
		570	matches any port.
		571	Note that the setting of
		572	.Cm GatewayPorts
		573	may further restrict listen addresses.
		574	Note that
		575	.Xr ssh 1
		576	will send a hostname of
		577	.Dq localhost
		578	if a listen host was not specified when the forwarding was requested, and
		579	that this name is treated differently to the explicit localhost addresses
		580	.Dq 127.0.0.1
		581	and
		582	.Dq ::1 .
557	.It Cm permitopen="host:port"	583	.It Cm permitopen="host:port"
558	Limit local port forwarding with	584	Limit local port forwarding with the
559	.Xr ssh 1	585	.Xr ssh 1
560	.Fl L	586	.Fl L
561	such that it may only connect to the specified host and port.	587	option such that it may only connect to the specified host and port.
562	IPv6 addresses can be specified by enclosing the address in square brackets.	588	IPv6 addresses can be specified by enclosing the address in square brackets.
563	Multiple	589	Multiple
564	.Cm permitopen	590	.Cm permitopen
@@ -618,9 +644,11 @@ An example authorized_keys file:
618	ssh-rsa AAAAB3Nza...LiPk== user@example.net	644	ssh-rsa AAAAB3Nza...LiPk== user@example.net
619	from="*.sales.example.net,!pc.sales.example.net" ssh-rsa	645	from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
620	AAAAB2...19Q== john@example.net	646	AAAAB2...19Q== john@example.net
621	command="dump /home",no-pty,no-port-forwarding ssh-dss	647	command="dump /home",no-pty,no-port-forwarding ssh-rsa
622	AAAAC3...51R== example.net	648	AAAAC3...51R== example.net
623	permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss	649	permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa
		650	AAAAB5...21S==
		651	permitlisten="localhost:8080",permitopen="localhost:22000" ssh-rsa
624	AAAAB5...21S==	652	AAAAB5...21S==
625	tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==	653	tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
626	jane@example.net	654	jane@example.net