diff options
Diffstat (limited to 'sshd.8')
| -rw-r--r-- | sshd.8 | 42 |
1 files changed, 35 insertions, 7 deletions
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.299 2018/03/14 06:56:20 jmc Exp $ -.Dd $Mdocdate: March 14 2018 $ +.\" $OpenBSD: sshd.8,v 1.304 2018/07/22 12:16:59 dtucker Exp $ +.Dd $Mdocdate: July 22 2018 $ .Dt SSHD 8 .Os .Sh NAME @@ -277,7 +277,7 @@ locked, listed in .Cm DenyUsers or its group is listed in .Cm DenyGroups -\&. The definition of a locked account is system dependant. Some platforms +\&. The definition of a locked account is system dependent. Some platforms have their own account database (eg AIX) and some modify the passwd field ( .Ql \&*LK\&* on Solaris and UnixWare, @@ -554,11 +554,37 @@ Disables execution of .It Cm no-X11-forwarding Forbids X11 forwarding when this key is used for authentication. Any X11 forward requests by the client will return an error. +.It Cm permitlisten="[host:]port" +Limit remote port forwarding with the +.Xr ssh 1 +.Fl R +option such that it may only listen on the specified host (optional) and port. +IPv6 addresses can be specified by enclosing the address in square brackets. +Multiple +.Cm permitlisten +options may be applied separated by commas. +Hostnames may include wildcards as described in the PATTERNS section in +.Xr ssh_config 5 . +A port specification of +.Cm * +matches any port. +Note that the setting of +.Cm GatewayPorts +may further restrict listen addresses. +Note that +.Xr ssh 1 +will send a hostname of +.Dq localhost +if a listen host was not specified when the forwarding was requested, and +that this name is treated differently to the explicit localhost addresses +.Dq 127.0.0.1 +and +.Dq ::1 . .It Cm permitopen="host:port" -Limit local port forwarding with +Limit local port forwarding with the .Xr ssh 1 .Fl L -such that it may only connect to the specified host and port. +option such that it may only connect to the specified host and port. IPv6 addresses can be specified by enclosing the address in square brackets. Multiple .Cm permitopen @@ -618,9 +644,11 @@ An example authorized_keys file: ssh-rsa AAAAB3Nza...LiPk== user@example.net from="*.sales.example.net,!pc.sales.example.net" ssh-rsa AAAAB2...19Q== john@example.net -command="dump /home",no-pty,no-port-forwarding ssh-dss +command="dump /home",no-pty,no-port-forwarding ssh-rsa AAAAC3...51R== example.net -permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss +permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa +AAAAB5...21S== +permitlisten="localhost:8080",permitopen="localhost:22000" ssh-rsa AAAAB5...21S== tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== jane@example.net |