From 87ddd676da0f3abd08b778b12b53b91b670dc93c Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Tue, 19 Jun 2018 02:59:41 +0000
Subject: upstream: allow bare port numbers to appear in PermitListen directives, e.g. PermitListen 2222 8080 is equivalent to: PermitListen *:2222 *:8080 Some bonus manpage improvements, mostly from markus@ "looks fine" markus@
OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
---
 sshd.8 | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
(limited to 'sshd.8')
diff --git a/sshd.8 b/sshd.8
index 6127bb576..c05bbe65c 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.301 2018/06/07 11:26:14 jmc Exp $
-.Dd $Mdocdate: June 7 2018 $
+.\" $OpenBSD: sshd.8,v 1.302 2018/06/19 02:59:41 djm Exp $
+.Dd $Mdocdate: June 19 2018 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -554,11 +554,11 @@ Disables execution of
 .It Cm no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
 Any X11 forward requests by the client will return an error.
-.It Cm permitlisten="host:port"
+.It Cm permitlisten="[host:]port"
 Limit remote port forwarding with the
 .Xr ssh 1
 .Fl R
-option such that it may only listen on the specified host and port.
+option such that it may only listen on the specified host (optional) and port.
 IPv6 addresses can be specified by enclosing the address in square brackets.
 Multiple
 .Cm permitlisten
@@ -571,6 +571,15 @@ matches any port.
 Note that the setting of
 .Cm GatewayPorts
 may further restrict listen addresses.
+Note that
+.Xr ssh 1
+will send a hostname of
+.Dq localhost
+if a listen host was not specified when the forwarding was requested, and
+that his name is treated differently to the explicit localhost addresses
+.Dq 127.0.0.1
+and
+.Dq ::1 .
 .It Cm permitopen="host:port"
 Limit local port forwarding with the
 .Xr ssh 1
@@ -639,6 +648,8 @@ command="dump /home",no-pty,no-port-forwarding ssh-dss
 AAAAC3...51R== example.net
 permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
 AAAAB5...21S==
+permitlisten="localhost:8080",permitopen="localhost:22000" ssh-dss
+AAAAB5...21S==
 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
 jane@example.net
 restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
-- 
cgit v1.2.3