Attachment #3054 for bug #2038





/* List of all permitted host/port pairs to connect by the user. */
static ForwardPermission *permitted_opens = NULL;
static ForwardPermission *permitted_remote_opens = NULL;

/* List of all permitted host/port pairs to connect by the admin. */
static ForwardPermission *permitted_adm_opens = NULL;
static ForwardPermission *permitted_adm_remote_opens = NULL;

/* Number of permitted host/port pairs in the array permitted by the user. */
static int num_permitted_opens = 0;
static int num_permitted_remote_opens = 0;

/* Number of permitted host/port pair in the array permitted by the admin. */
static int num_adm_permitted_opens = 0;
static int num_adm_permitted_remote_opens = 0;

/* special-case port number meaning allow any port */
#define FWD_PERMIT_ANY_PORT	0

 * anything after logging in anyway.
 */
static int all_opens_permitted = 0;
static int all_remote_opens_permitted = 0;


/* -- X11 forwarding */

	if (num_permitted_opens == 0)
		all_opens_permitted = 1;
}
void
channel_permit_all_remote_opens(void)
{
	if (num_permitted_remote_opens == 0)
		all_remote_opens_permitted = 1;
}


void
channel_add_permitted_opens(char *host, int port)

	all_opens_permitted = 0;
}

void
channel_add_permitted_remote_opens(int port)
{
	debug("allow remote port forwarding %d", port);

	permitted_remote_opens = xreallocarray(permitted_remote_opens,
	    num_permitted_remote_opens + 1, sizeof(*permitted_remote_opens));
	permitted_remote_opens[num_permitted_remote_opens].listen_port = port;
	num_permitted_remote_opens++;

	all_remote_opens_permitted = 0;
}

/*
 * Update the listen port for a dynamic remote forward, after
 * the actual 'newport' has been allocated. If 'newport' < 0 is

	return ++num_adm_permitted_opens;
}

int
channel_add_adm_permitted_remote_opens(int port)
{
	debug("config allows remote port forwarding,  port %d", port);

	permitted_adm_remote_opens = xreallocarray(permitted_adm_remote_opens,
	    num_adm_permitted_remote_opens + 1, sizeof(*permitted_adm_remote_opens));
	permitted_adm_remote_opens[num_adm_permitted_remote_opens].listen_port = port;
	return ++num_adm_permitted_remote_opens;
}


void
channel_disable_adm_local_opens(void)
{

}

void
channel_disable_adm_remote_opens(void)
{
	channel_clear_adm_permitted_remote_opens();
	permitted_adm_remote_opens = xmalloc(sizeof(*permitted_adm_remote_opens));
	permitted_adm_remote_opens[num_adm_permitted_remote_opens].host_to_connect = NULL;
	num_adm_permitted_remote_opens = 1;
}

void
channel_clear_permitted_opens(void)
{
	int i;

}

void
channel_clear_permitted_remote_opens(void)
{

	free(permitted_remote_opens);
	permitted_remote_opens = NULL;
	num_permitted_remote_opens = 0;
}


void
channel_clear_adm_permitted_opens(void)
{
	int i;

}

void
channel_clear_adm_permitted_remote_opens(void)
{
	free(permitted_adm_remote_opens);
	permitted_adm_remote_opens = NULL;
	num_adm_permitted_remote_opens = 0;
}


void
channel_print_adm_permitted_opens(void)
{
	int i;

	return connect_to(path, PORT_STREAMLOCAL, ctype, rname);
}

static int
remote_port_match(u_short allowedport, u_short requestedport)
{
        if (allowedport == FWD_PERMIT_ANY_PORT ||
            allowedport == requestedport)
                return 1;
        return 0;
}

/* Check if remote port is permitted and connect. */
int
channel_connect_remote_to(u_short port)
{
	int i, permit, permit_adm = 1;
	int allowed_port = 0;

	permit = all_remote_opens_permitted;
	if (!permit) {
		for (i = 0; i < num_permitted_remote_opens; i++) {
			allowed_port = permitted_remote_opens[i].listen_port;
			debug("i=%d check remote permitted vs requested "
					"%u vs %u", i, allowed_port, port);
			if ( remote_port_match(allowed_port, port)) {
				debug2("i=%d found match remote permitted vs "
						"requested %u==%u", i, allowed_port, port);
				permit = 1;
				break;
			}
		}
	}
	if (num_adm_permitted_remote_opens > 0) {
		permit_adm = 0;
		for (i = 0; i < num_adm_permitted_remote_opens; i++)
			allowed_port = permitted_adm_remote_opens[i].listen_port;
			if (remote_port_match(allowed_port, port) ) {
				/*  && strcmp(permitted_adm_remote_opens[i].host_to_connect, host) == 0) */
				debug2("i=%d found match admin remote permitted vs "
						"requested %u==%u", i, allowed_port, port);
				permit_adm = 1;
			}
	}

	if (!permit || !permit_adm) {
		logit("Received request to forward remote port %d, "
		      "but the request was denied. return %d", port, permit);
		return 0;
	}
	return ( permit | permit_adm);
}



void
channel_send_window_changes(void)
{

	packet_send();
	packet_write_wait();
}


Lines 268-280 struct Forward; Link Here

(-)a/channels.h (-1 / +8 lines)
268	struct ForwardOptions;	268	struct ForwardOptions;
269	void channel_set_af(int af);	269	void channel_set_af(int af);
270	void channel_permit_all_opens(void);	270	void channel_permit_all_opens(void);
271	void channel_add_permitted_opens(char *, int);	271	void channel_permit_all_remote_opens(void);
		272	void channel_add_permitted_opens(char *, int);
		273	void channel_add_permitted_remote_opens(int);
272	int channel_add_adm_permitted_opens(char *, int);	274	int channel_add_adm_permitted_opens(char *, int);
		275	int channel_add_adm_permitted_remote_opens(int);
273	void channel_disable_adm_local_opens(void);	276	void channel_disable_adm_local_opens(void);
		277	void channel_disable_adm_remote_opens(void);
274	void channel_update_permitted_opens(int, int);	278	void channel_update_permitted_opens(int, int);
275	void channel_clear_permitted_opens(void);	279	void channel_clear_permitted_opens(void);
276	void channel_clear_adm_permitted_opens(void);	280	void channel_clear_adm_permitted_opens(void);
		281	void channel_clear_permitted_remote_opens(void);
		282	void channel_clear_adm_permitted_remote_opens(void);
277	void channel_print_adm_permitted_opens(void);	283	void channel_print_adm_permitted_opens(void);
		284	int channel_connect_remote_to(u_short);
278	Channel channel_connect_to_port(const char , u_short, char , char , int *,	285	Channel channel_connect_to_port(const char , u_short, char , char , int *,
279	const char **);	286	const char **);
280	Channel channel_connect_to_path(const char , char , char );	287	Channel channel_connect_to_path(const char , char , char );




	options->num_accept_env = 0;
	options->permit_tun = -1;
	options->num_permitted_opens = -1;
	options->num_permitted_remote_opens = -1;
	options->adm_forced_command = NULL;
	options->chroot_directory = NULL;
	options->authorized_keys_command = NULL;

	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
	sAcceptEnv, sPermitTunnel,
	sMatch, sPermitOpen, sPermitRemoteOpen, sForceCommand, sChrootDirectory,
	sUsePrivilegeSeparation, sAllowAgentForwarding,
	sHostCertificate,
	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,

	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
	{ "match", sMatch, SSHCFG_ALL },
	{ "permitopen", sPermitOpen, SSHCFG_ALL },
	{ "permitremoteopen", sPermitRemoteOpen, SSHCFG_ALL },
	{ "forcecommand", sForceCommand, SSHCFG_ALL },
	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },

				    channel_add_adm_permitted_opens(p, port);
		}
		break;
	case sPermitRemoteOpen:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing PermitRemoteOpen "
				" specification", filename, linenum);
		n = options->num_permitted_remote_opens; /* modified later */
		if (strcmp(arg, "any") == 0) {
			if (*activep && n == -1) {
				channel_clear_adm_permitted_remote_opens();
				options->num_permitted_remote_opens = 0;
			}
			break;
		}
		if (strcmp(arg, "none") == 0) {
			if (*activep && n == -1) {
				options->num_permitted_remote_opens = 1;
				channel_disable_adm_remote_opens();
			}
			break;
		}
		if (*activep && n == -1)
			channel_clear_adm_permitted_remote_opens();
		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
			if (arg == NULL || ((port = permitopen_port(arg)) < 0))
				fatal("%s line %d: bad port number in "
				      "PermitRemoteOpen", filename, linenum);
			if (*activep && n == -1)
				options->num_permitted_remote_opens =
					channel_add_adm_permitted_remote_opens(port);
		}
		break;

	case sForceCommand:
		if (cp == NULL || *cp == '\0')

Lines 170-175 typedef struct { Link Here

(-)a/servconf.h (+1 lines)
170	int permit_tun;	170	int permit_tun;
171		171
172	int num_permitted_opens;	172	int num_permitted_opens;
		173	int num_permitted_remote_opens;
173		174
174	char *chroot_directory;	175	char *chroot_directory;
175	char *revoked_keys_file;	176	char *revoked_keys_file;




			success = 0;
			packet_send_debug("Server has disabled port forwarding.");
		} else {
			debug2("check permitted remote opens");
			if (!channel_connect_remote_to(fwd.listen_port)) {
				success = 0;
				packet_send_debug("Server denied remote port forward request.");
			}
			else {
				/* Start listening on the port */
				success = channel_setup_remote_fwd_listener(&fwd,
						&allocated_listen_port,
						&options.fwd_opts);
			}
		}
		free(fwd.listen_host);
		if ((resp = sshbuf_new()) == NULL)

Lines 258-267 do_authenticated(Authctxt *authctxt) Link Here

(-)a/session.c (-2 / +6 lines)
258	/* setup the channel layer */	258	/* setup the channel layer */
259	/* XXX - streamlocal? */	259	/* XXX - streamlocal? */
260	if (no_port_forwarding_flag \|\| options.disable_forwarding \|\|	260	if (no_port_forwarding_flag \|\| options.disable_forwarding \|\|
261	(options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)	261	(options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) {
262	channel_disable_adm_local_opens();	262	channel_disable_adm_local_opens();
263	else	263	channel_disable_adm_remote_opens();
		264	}
		265	else {
264	channel_permit_all_opens();	266	channel_permit_all_opens();
		267	channel_permit_all_remote_opens();
		268	}
265		269
266	auth_debug_send();	270	auth_debug_send();
267		271




A port specification of
.Cm *
matches any port.
.It Cm permitremoteopen="port"
Limit remote
.Li ``ssh -R''
port forwarding such that it may only forward the specified port to the client.
Multiple
.Cm permitremoteopen
options may be applied separated by commas.
Specified port must be a single port.
A port specification of
.Cm *
matches any port.
.It Cm port-forwarding
Enable port forwarding previously disabled by the
.Cm restrict




.Sq *
can be used for host or port to allow all hosts or ports, respectively.
By default all port forwarding requests are permitted.
.It Cm PermitRemoteOpen
Specifies the TCP ports which may be opened by clients with the
RemoteForward option.
Multiple forwards may be specified by separating them with whitespace.
An argument of
.Dq any
can be used to remove all restrictions and permit any remote
forwarding requests.
An argument of
.Dq none
can be used to prohibit all forwarding requests.
By default all port forwarding requests are permitted.
.It Cm PermitRootLogin
Specifies whether root can log in using
.Xr ssh 1 .
- 

Return to bug 2038

Lines 126-140 typedef struct { Link Here

(-)a/channels.c (+118 lines)
126		126
127	/* List of all permitted host/port pairs to connect by the user. */	127	/* List of all permitted host/port pairs to connect by the user. */
128	static ForwardPermission *permitted_opens = NULL;	128	static ForwardPermission *permitted_opens = NULL;
		129	static ForwardPermission *permitted_remote_opens = NULL;
129		130
130	/* List of all permitted host/port pairs to connect by the admin. */	131	/* List of all permitted host/port pairs to connect by the admin. */
131	static ForwardPermission *permitted_adm_opens = NULL;	132	static ForwardPermission *permitted_adm_opens = NULL;
		133	static ForwardPermission *permitted_adm_remote_opens = NULL;
132		134
133	/* Number of permitted host/port pairs in the array permitted by the user. */	135	/* Number of permitted host/port pairs in the array permitted by the user. */
134	static int num_permitted_opens = 0;	136	static int num_permitted_opens = 0;
		137	static int num_permitted_remote_opens = 0;
135		138
136	/* Number of permitted host/port pair in the array permitted by the admin. */	139	/* Number of permitted host/port pair in the array permitted by the admin. */
137	static int num_adm_permitted_opens = 0;	140	static int num_adm_permitted_opens = 0;
		141	static int num_adm_permitted_remote_opens = 0;
138		142
139	/* special-case port number meaning allow any port */	143	/* special-case port number meaning allow any port */
140	#define FWD_PERMIT_ANY_PORT 0	144	#define FWD_PERMIT_ANY_PORT 0
Lines 148-153 static int num_adm_permitted_opens = 0; Link Here
148	* anything after logging in anyway.	152	* anything after logging in anyway.
149	*/	153	*/
150	static int all_opens_permitted = 0;	154	static int all_opens_permitted = 0;
		155	static int all_remote_opens_permitted = 0;
151		156
152		157
153	/* -- X11 forwarding */	158	/* -- X11 forwarding */
Lines 3816-3821 channel_permit_all_opens(void) Link Here
3816	if (num_permitted_opens == 0)	3821	if (num_permitted_opens == 0)
3817	all_opens_permitted = 1;	3822	all_opens_permitted = 1;
3818	}	3823	}
		3824	void
		3825	channel_permit_all_remote_opens(void)
		3826	{
		3827	if (num_permitted_remote_opens == 0)
		3828	all_remote_opens_permitted = 1;
		3829	}
		3830
3819		3831
3820	void	3832	void
3821	channel_add_permitted_opens(char *host, int port)	3833	channel_add_permitted_opens(char *host, int port)
Lines 3835-3840 channel_add_permitted_opens(char *host, int port) Link Here
3835	all_opens_permitted = 0;	3847	all_opens_permitted = 0;
3836	}	3848	}
3837		3849
		3850	void
		3851	channel_add_permitted_remote_opens(int port)
		3852	{
		3853	debug("allow remote port forwarding %d", port);
		3854
		3855	permitted_remote_opens = xreallocarray(permitted_remote_opens,
		3856	num_permitted_remote_opens + 1, sizeof(*permitted_remote_opens));
		3857	permitted_remote_opens[num_permitted_remote_opens].listen_port = port;
		3858	num_permitted_remote_opens++;
		3859
		3860	all_remote_opens_permitted = 0;
		3861	}
		3862
3838	/*	3863	/*
3839	* Update the listen port for a dynamic remote forward, after	3864	* Update the listen port for a dynamic remote forward, after
3840	* the actual 'newport' has been allocated. If 'newport' < 0 is	3865	* the actual 'newport' has been allocated. If 'newport' < 0 is
Lines 3884-3889 channel_add_adm_permitted_opens(char *host, int port) Link Here
3884	return ++num_adm_permitted_opens;	3909	return ++num_adm_permitted_opens;
3885	}	3910	}
3886		3911
		3912	int
		3913	channel_add_adm_permitted_remote_opens(int port)
		3914	{
		3915	debug("config allows remote port forwarding, port %d", port);
		3916
		3917	permitted_adm_remote_opens = xreallocarray(permitted_adm_remote_opens,
		3918	num_adm_permitted_remote_opens + 1, sizeof(*permitted_adm_remote_opens));
		3919	permitted_adm_remote_opens[num_adm_permitted_remote_opens].listen_port = port;
		3920	return ++num_adm_permitted_remote_opens;
		3921	}
		3922
		3923
3887	void	3924	void
3888	channel_disable_adm_local_opens(void)	3925	channel_disable_adm_local_opens(void)
3889	{	3926	{
Lines 3894-3899 channel_disable_adm_local_opens(void) Link Here
3894	}	3931	}
3895		3932
3896	void	3933	void
		3934	channel_disable_adm_remote_opens(void)
		3935	{
		3936	channel_clear_adm_permitted_remote_opens();
		3937	permitted_adm_remote_opens = xmalloc(sizeof(*permitted_adm_remote_opens));
		3938	permitted_adm_remote_opens[num_adm_permitted_remote_opens].host_to_connect = NULL;
		3939	num_adm_permitted_remote_opens = 1;
		3940	}
		3941
		3942	void
3897	channel_clear_permitted_opens(void)	3943	channel_clear_permitted_opens(void)
3898	{	3944	{
3899	int i;	3945	int i;
Lines 3909-3914 channel_clear_permitted_opens(void) Link Here
3909	}	3955	}
3910		3956
3911	void	3957	void
		3958	channel_clear_permitted_remote_opens(void)
		3959	{
		3960
		3961	free(permitted_remote_opens);
		3962	permitted_remote_opens = NULL;
		3963	num_permitted_remote_opens = 0;
		3964	}
		3965
		3966
		3967	void
3912	channel_clear_adm_permitted_opens(void)	3968	channel_clear_adm_permitted_opens(void)
3913	{	3969	{
3914	int i;	3970	int i;
Lines 3924-3929 channel_clear_adm_permitted_opens(void) Link Here
3924	}	3980	}
3925		3981
3926	void	3982	void
		3983	channel_clear_adm_permitted_remote_opens(void)
		3984	{
		3985	free(permitted_adm_remote_opens);
		3986	permitted_adm_remote_opens = NULL;
		3987	num_adm_permitted_remote_opens = 0;
		3988	}
		3989
		3990
		3991	void
3927	channel_print_adm_permitted_opens(void)	3992	channel_print_adm_permitted_opens(void)
3928	{	3993	{
3929	int i;	3994	int i;
Lines 4217-4222 channel_connect_to_path(const char path, char ctype, char *rname) Link Here
4217	return connect_to(path, PORT_STREAMLOCAL, ctype, rname);	4282	return connect_to(path, PORT_STREAMLOCAL, ctype, rname);
4218	}	4283	}
4219		4284
		4285	static int
		4286	remote_port_match(u_short allowedport, u_short requestedport)
		4287	{
		4288	if (allowedport == FWD_PERMIT_ANY_PORT \|\|
		4289	allowedport == requestedport)
		4290	return 1;
		4291	return 0;
		4292	}
		4293
		4294	/* Check if remote port is permitted and connect. */
		4295	int
		4296	channel_connect_remote_to(u_short port)
		4297	{
		4298	int i, permit, permit_adm = 1;
		4299	int allowed_port = 0;
		4300
		4301	permit = all_remote_opens_permitted;
		4302	if (!permit) {
		4303	for (i = 0; i < num_permitted_remote_opens; i++) {
		4304	allowed_port = permitted_remote_opens[i].listen_port;
		4305	debug("i=%d check remote permitted vs requested "
		4306	"%u vs %u", i, allowed_port, port);
		4307	if ( remote_port_match(allowed_port, port)) {
		4308	debug2("i=%d found match remote permitted vs "
		4309	"requested %u==%u", i, allowed_port, port);
		4310	permit = 1;
		4311	break;
		4312	}
		4313	}
		4314	}
		4315	if (num_adm_permitted_remote_opens > 0) {
		4316	permit_adm = 0;
		4317	for (i = 0; i < num_adm_permitted_remote_opens; i++)
		4318	allowed_port = permitted_adm_remote_opens[i].listen_port;
		4319	if (remote_port_match(allowed_port, port) ) {
		4320	/* && strcmp(permitted_adm_remote_opens[i].host_to_connect, host) == 0) */
		4321	debug2("i=%d found match admin remote permitted vs "
		4322	"requested %u==%u", i, allowed_port, port);
		4323	permit_adm = 1;
		4324	}
		4325	}
		4326
		4327	if (!permit \|\| !permit_adm) {
		4328	logit("Received request to forward remote port %d, "
		4329	"but the request was denied. return %d", port, permit);
		4330	return 0;
		4331	}
		4332	return ( permit \| permit_adm);
		4333	}
		4334
		4335
		4336
4220	void	4337	void
4221	channel_send_window_changes(void)	4338	channel_send_window_changes(void)
4222	{	4339	{
Lines 4670-4672 auth_request_forwarding(void) Link Here
4670	packet_send();	4787	packet_send();
4671	packet_write_wait();	4788	packet_write_wait();
4672	}	4789	}
		4790

Lines 150-155 initialize_server_options(ServerOptions *options) Link Here

(-)a/servconf.c (-1 / +34 lines)
150	options->num_accept_env = 0;	150	options->num_accept_env = 0;
151	options->permit_tun = -1;	151	options->permit_tun = -1;
152	options->num_permitted_opens = -1;	152	options->num_permitted_opens = -1;
		153	options->num_permitted_remote_opens = -1;
153	options->adm_forced_command = NULL;	154	options->adm_forced_command = NULL;
154	options->chroot_directory = NULL;	155	options->chroot_directory = NULL;
155	options->authorized_keys_command = NULL;	156	options->authorized_keys_command = NULL;
Lines 408-414 typedef enum { Link Here
408	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,	409	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
409	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,	410	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
410	sAcceptEnv, sPermitTunnel,	411	sAcceptEnv, sPermitTunnel,
411	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,	412	sMatch, sPermitOpen, sPermitRemoteOpen, sForceCommand, sChrootDirectory,
412	sUsePrivilegeSeparation, sAllowAgentForwarding,	413	sUsePrivilegeSeparation, sAllowAgentForwarding,
413	sHostCertificate,	414	sHostCertificate,
414	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,	415	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
Lines 542-547 static struct { Link Here
542	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },	543	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
543	{ "match", sMatch, SSHCFG_ALL },	544	{ "match", sMatch, SSHCFG_ALL },
544	{ "permitopen", sPermitOpen, SSHCFG_ALL },	545	{ "permitopen", sPermitOpen, SSHCFG_ALL },
		546	{ "permitremoteopen", sPermitRemoteOpen, SSHCFG_ALL },
545	{ "forcecommand", sForceCommand, SSHCFG_ALL },	547	{ "forcecommand", sForceCommand, SSHCFG_ALL },
546	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },	548	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
547	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },	549	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
Lines 1658-1663 process_server_config_line(ServerOptions options, char line, Link Here
1658	channel_add_adm_permitted_opens(p, port);	1660	channel_add_adm_permitted_opens(p, port);
1659	}	1661	}
1660	break;	1662	break;
		1663	case sPermitRemoteOpen:
		1664	arg = strdelim(&cp);
		1665	if (!arg \|\| *arg == '\0')
		1666	fatal("%s line %d: missing PermitRemoteOpen "
		1667	" specification", filename, linenum);
		1668	n = options->num_permitted_remote_opens; /* modified later */
		1669	if (strcmp(arg, "any") == 0) {
		1670	if (*activep && n == -1) {
		1671	channel_clear_adm_permitted_remote_opens();
		1672	options->num_permitted_remote_opens = 0;
		1673	}
		1674	break;
		1675	}
		1676	if (strcmp(arg, "none") == 0) {
		1677	if (*activep && n == -1) {
		1678	options->num_permitted_remote_opens = 1;
		1679	channel_disable_adm_remote_opens();
		1680	}
		1681	break;
		1682	}
		1683	if (*activep && n == -1)
		1684	channel_clear_adm_permitted_remote_opens();
		1685	for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
		1686	if (arg == NULL \|\| ((port = permitopen_port(arg)) < 0))
		1687	fatal("%s line %d: bad port number in "
		1688	"PermitRemoteOpen", filename, linenum);
		1689	if (*activep && n == -1)
		1690	options->num_permitted_remote_opens =
		1691	channel_add_adm_permitted_remote_opens(port);
		1692	}
		1693	break;
1661		1694
1662	case sForceCommand:	1695	case sForceCommand:
1663	if (cp == NULL \|\| *cp == '\0')	1696	if (cp == NULL \|\| *cp == '\0')

Lines 737-745 server_input_global_request(int type, u_int32_t seq, void *ctxt) Link Here

(-)a/serverloop.c (-3 / +11 lines)
737	success = 0;	737	success = 0;
738	packet_send_debug("Server has disabled port forwarding.");	738	packet_send_debug("Server has disabled port forwarding.");
739	} else {	739	} else {
740	/* Start listening on the port */	740	debug2("check permitted remote opens");
741	success = channel_setup_remote_fwd_listener(&fwd,	741	if (!channel_connect_remote_to(fwd.listen_port)) {
742	&allocated_listen_port, &options.fwd_opts);	742	success = 0;
		743	packet_send_debug("Server denied remote port forward request.");
		744	}
		745	else {
		746	/* Start listening on the port */
		747	success = channel_setup_remote_fwd_listener(&fwd,
		748	&allocated_listen_port,
		749	&options.fwd_opts);
		750	}
743	}	751	}
744	free(fwd.listen_host);	752	free(fwd.listen_host);
745	if ((resp = sshbuf_new()) == NULL)	753	if ((resp = sshbuf_new()) == NULL)

Lines 563-568 they must be literal domains or addresses. Link Here

(-)a/sshd.8 (+11 lines)
563	A port specification of	563	A port specification of
564	.Cm *	564	.Cm *
565	matches any port.	565	matches any port.
		566	.It Cm permitremoteopen="port"
		567	Limit remote
		568	.Li ``ssh -R''
		569	port forwarding such that it may only forward the specified port to the client.
		570	Multiple
		571	.Cm permitremoteopen
		572	options may be applied separated by commas.
		573	Specified port must be a single port.
		574	A port specification of
		575	.Cm *
		576	matches any port.
566	.It Cm port-forwarding	577	.It Cm port-forwarding
567	Enable port forwarding previously disabled by the	578	Enable port forwarding previously disabled by the
568	.Cm restrict	579	.Cm restrict

Lines 1175-1180 The wildcard Link Here

(-)a/sshd_config.5 (-1 / +12 lines)
1175	.Sq *	1175	.Sq *
1176	can be used for host or port to allow all hosts or ports, respectively.	1176	can be used for host or port to allow all hosts or ports, respectively.
1177	By default all port forwarding requests are permitted.	1177	By default all port forwarding requests are permitted.
		1178	.It Cm PermitRemoteOpen
		1179	Specifies the TCP ports which may be opened by clients with the
		1180	RemoteForward option.
		1181	Multiple forwards may be specified by separating them with whitespace.
		1182	An argument of
		1183	.Dq any
		1184	can be used to remove all restrictions and permit any remote
		1185	forwarding requests.
		1186	An argument of
		1187	.Dq none
		1188	can be used to prohibit all forwarding requests.
		1189	By default all port forwarding requests are permitted.
1178	.It Cm PermitRootLogin	1190	.It Cm PermitRootLogin
1179	Specifies whether root can log in using	1191	Specifies whether root can log in using
1180	.Xr ssh 1 .	1192	.Xr ssh 1 .
1181	-