From the man page: -g Allows remote hosts to connect to local forwarded ports. When working with a control socket, this works fine if -g is included with the initial connect attempt, for example: $ cat ~/.ssh/config Host * ControlMaster auto ControlPath ~/.ssh/%r@%h:%p $ ssh -gTfNL 12345:localhost:12345 host $ netstat -tln tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN - $ lsof -n ssh 182446 user 3u IPv4 76397177 0t0 TCP 192.168.0.9:51181->192.168.0.15:ssh (ESTABLISHED) ssh 182446 user 4u IPv4 76397181 0t0 TCP *:3128 (LISTEN) ssh 182446 user 5u IPv6 76397182 0t0 TCP *:3128 (LISTEN) and similarly: $ ssh -g host user@host:~$ exit $ ssh -gTfNL 12345:localhost:12345 host $ netstat -tln tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN - However, if it isn't then -g is ignored on subsequent attempts to forward ports: $ ssh host user@host:~$ exit $ ssh -g -L 12345:localhost:12345 host $ netstat -tln tcp 0 0 127.0.0.1:12345 0.0.0.0:* LISTEN - $ lsof -n ssh 182399 user 3u IPv4 76390396 0t0 TCP 192.168.0.9:51178->192.168.0.15:ssh (ESTABLISHED) ssh 182399 user 4u unix 0x0000000000000000 0t0 76390976 /home/user/.ssh/user@host ssh 182399 user 6u IPv6 76392394 0t0 TCP [::1]:3128 (LISTEN) ssh 182399 user 7u IPv4 76392395 0t0 TCP 127.0.0.1:3128 (LISTEN) This doesn't really make sense: ssh should still be capable of binding to the correct address as requested. From: https://bugs.launchpad.net/debian/+source/openssh/+bug/1259939 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731950
I've committed a manual fix to explain that -g must be applied to the multiplex master. This mirrors other settings that are decided at master connection time, like ForwardAgent and ForwardX11.
Close all bugs left open from 6.6 and 6.7 releases.