diff -up openssh-6.6p1/channels.c.permitopen openssh-6.6p1/channels.c
--- openssh-6.6p1/channels.c.permitopen 2016-06-29 15:37:08.780327108 +0200
+++ openssh-6.6p1/channels.c 2016-06-29 16:04:38.480857525 +0200
@@ -128,6 +128,9 @@ static int num_adm_permitted_opens = 0;
/* special-case port number meaning allow any port */
#define FWD_PERMIT_ANY_PORT 0
+/* special-case wildcard meaning allow any host */
+#define FWD_PERMIT_ANY_HOST "*"
+
/*
* If this is true, all opens are permitted. This is the case on the server
* on which we have to trust the client anyway, and the user could do
@@ -3271,6 +3274,21 @@ port_match(u_short allowedport, u_short
return 0;
}
+static int
+open_match(ForwardPermission *allowed_open, const char *requestedhost,
+ u_short requestedport)
+{
+ if (allowed_open->host_to_connect == NULL)
+ return 0;
+ if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT &&
+ allowed_open->port_to_connect != requestedport)
+ return 0;
+ if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 &&
+ strcmp(allowed_open->host_to_connect, requestedhost) != 0)
+ return 0;
+ return 1;
+}
+
/* Try to start non-blocking connect to next host in cctx list */
static int
connect_next(struct channel_connect *cctx)
@@ -3391,20 +3409,18 @@ channel_connect_to(const char *host, u_s
permit = all_opens_permitted;
if (!permit) {
for (i = 0; i < num_permitted_opens; i++)
- if (permitted_opens[i].host_to_connect != NULL &&
- port_match(permitted_opens[i].port_to_connect, port) &&
- strcmp(permitted_opens[i].host_to_connect, host) == 0)
+ if (open_match(&permitted_opens[i], host, port)) {
permit = 1;
+ }
}
if (num_adm_permitted_opens > 0) {
permit_adm = 0;
for (i = 0; i < num_adm_permitted_opens; i++)
- if (permitted_adm_opens[i].host_to_connect != NULL &&
- port_match(permitted_adm_opens[i].port_to_connect, port) &&
- strcmp(permitted_adm_opens[i].host_to_connect, host)
- == 0)
+ if (open_match(&permitted_adm_opens[i], host, port)) {
permit_adm = 1;
+ break;
+ }
}
if (!permit || !permit_adm) {
diff -up openssh-6.6p1/sshd_config.5.permitopen openssh-6.6p1/sshd_config.5
--- openssh-6.6p1/sshd_config.5.permitopen 2016-06-29 15:37:08.778327110 +0200
+++ openssh-6.6p1/sshd_config.5 2016-06-29 15:37:08.782327106 +0200
@@ -1005,6 +1005,9 @@ can be used to remove all restrictions a
An argument of
.Dq none
can be used to prohibit all forwarding requests.
+Wildcard
+.Dq *
+can be used for host or port to allow all hosts or all ports respectively.
By default all port forwarding requests are permitted.
.It Cm PermitRootLogin
Specifies whether root can log in using