Bug 2272 - Global "PermitTunnel Yes" required to connect to a tunnel
Summary: Global "PermitTunnel Yes" required to connect to a tunnel
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 6.6p1
Hardware: amd64 Linux
Importance: P5 major
Assignee: Damien Miller
Reported: 2014-09-09 17:55 AEST by joe9mail
Modified: 2015-08-11 23:03 AEST (History)
Attachments
Fix Match block overrides failing if global option set (1.22 KB, patch)
2014-09-24 18:49 AEST, Sami Hartikainen
more activep checks (2.00 KB, patch)
2015-05-01 15:15 AEST, Damien Miller
dtucker: ok+

Description joe9mail 2014-09-09 17:55:43 AEST
Hello,

When a tun0 device is created with the below commands on the server:

ip tuntap add dev tun0 mode tun user sshuser group sshusers
ip link set dev tun0 up
ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2


and ssh is started with this command from the client:

ssh -NTC -w 0:0 -o Tunnel=point-to-point sshuser@<ip-address>

Working extract from sshd_config:

PermitTunnel yes
Match User sshuser
   PermitTunnel yes

NOT Working extract from sshd_config (below is the message):
PermitTunnel no
Match User sshuser
   PermitTunnel yes

The error message with a -v is:
debug1: Remote: Server has rejected tunnel device forwarding

Thanks
Joe
Comment 1 Damien Miller 2014-09-09 19:47:22 AEST
Yes, that's working as intended. sshd should refuse tunnel connections unless the administrator has explicitly configured it. This is already mentioned in the sshd_config manual.
Comment 2 Kevin Korb 2014-09-12 07:28:34 AEST
I don't understand how setting PermitTunnel yes in a Match block does not count as the administrator explicitly configuring tunnels (and only allowing them for certain users).

If the PermitTunnel setting within a Match block can only be used to disable tunneling for the matched criteria then I can't find that information in the man page.
Comment 3 Sami Hartikainen 2014-09-24 18:43:31 AEST
(In reply to Damien Miller from comment #1)
> Yes, that's working as intended. sshd should refuse tunnel
> connections unless the administrator has explicitly configured it.
> This is already mentioned in the sshd_config manual.

sshd_config manual on Match block states:
"...keywords on the following lines override those
 set in the global section of the config file..."

I'd say the bug report is valid.
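To make the disagreement in the thread concrete, here is a small resolver, added to this page and not part of OpenSSH, that applies the sshd_config(5) rule quoted above (keywords in a matching Match block override the global section) to the two extracts from the report. It models only the User and Group criteria, treats keywords case-insensitively as sshd does, and assumes that when several Match blocks match, the first one that sets a keyword wins. The two configuration strings are constructed copies of the report's extracts.

```python
"""Resolve the effective value of an sshd_config keyword for a given user,
applying the Match-block override rule from sshd_config(5).

Added example; this is not OpenSSH code. Only the 'User' and 'Group'
Match criteria are modelled.
"""

# Constructed copies of the two extracts in the bug report.
WORKING_CONFIG = """\
PermitTunnel yes
Match User sshuser
   PermitTunnel yes
"""

NOT_WORKING_CONFIG = """\
PermitTunnel no
Match User sshuser
   PermitTunnel yes
"""


def parse_sshd_config(text):
    """Return (global_options, match_blocks).

    global_options maps lowercased keyword -> value for the global section.
    match_blocks is a list of (criteria, options) in file order, where
    criteria maps lowercased criterion name -> set of accepted patterns.
    """
    global_opts = {}
    blocks = []
    current = None  # options dict of the open Match block, None while global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            # A Match line is a sequence of "Criterion pattern" pairs; a
            # pattern may be a comma-separated list of alternatives.
            tokens = value.split()
            criteria = {}
            for name, pattern in zip(tokens[0::2], tokens[1::2]):
                criteria[name.lower()] = set(pattern.split(","))
            current = {}
            blocks.append((criteria, current))
        else:
            target = global_opts if current is None else current
            target[keyword] = value
    return global_opts, blocks


def block_matches(criteria, user, groups):
    """True when every criterion on the Match line is satisfied."""
    for name, patterns in criteria.items():
        if name == "user":
            if user not in patterns:
                return False
        elif name == "group":
            if not set(groups) & patterns:
                return False
        else:
            raise ValueError("unsupported Match criterion in this model: " + name)
    return True


def effective_option(text, keyword, user, groups=()):
    """Effective value of `keyword` for `user`, or None if never set.

    Per sshd_config(5), a matching Match block overrides the global value.
    Assumption (how sshd resolves it): the first matching block that sets
    the keyword takes precedence over later matching blocks.
    """
    global_opts, blocks = parse_sshd_config(text)
    key = keyword.lower()
    for criteria, opts in blocks:
        if key in opts and block_matches(criteria, user, groups):
            return opts[key]
    return global_opts.get(key)


if __name__ == "__main__":
    for label, cfg in (("working", WORKING_CONFIG), ("not working", NOT_WORKING_CONFIG)):
        print(label, "-> PermitTunnel for sshuser:",
              effective_option(cfg, "PermitTunnel", "sshuser"))
        print(label, "-> PermitTunnel for other users:",
              effective_option(cfg, "PermitTunnel", "someone-else"))
```

Under the manual's stated rule both extracts resolve PermitTunnel to yes for sshuser and the second extract keeps it at no for everyone else, which is the configuration the reporter expected. On a real server the authoritative check is `sshd -T -C user=sshuser`, which prints the configuration sshd would actually apply to a connection for that user, so a Match block that is silently ignored shows up there before anyone has to test it with `ssh -w`.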
Comment 4 Sami Hartikainen 2014-09-24 18:49:22 AEST
Created attachment 2480 [details]
Fix Match block overrides failing if global option set

In addition to the PermitTunnel option, this patch fixes the issue with RekeyLimit (reason being the same).

It looks like the StreamLocalBindMask may also be affected similarly. As the option is undocumented, the patch does not touch it.
Comment 5 Damien Miller 2015-05-01 15:15:10 AEST
Created attachment 2614 [details]
more activep checks
Comment 6 Damien Miller 2015-05-01 17:08:14 AEST
Patch applied - this will be in openssh-6.9
Comment 7 Damien Miller 2015-08-11 23:03:06 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1