Baptiste Daroussin
2025-Oct-16  11:43 UTC
Decouple AllowStreamLocalForwarding and AllowTcpForwarding
hello everyone,
I am trying to fix an issue we have at $work with the fact that the
AllowStreamLocalForwarding option is dependent on the AllowTcpForwarding option
(this issue has been reported multiple times by others in the past).
When looking at the code, I can see 2 approaches:
1/ the complete option would consist in removing FORWARD_LOCAL and
FORWARD_REMOTE and replace them with TCP_FORWARD_LOCAL and TCP_FORWARD_REMOTE
then introduce STREAMLOCAL_FORWARD_LOCAL and STREAMLOCAL_FORWARD_REMOTE and
duplicate all the code to deal with both cases.
2/ the lazy approach, which is the one I took so far, would be to apply the patch.
I am not very familiar with ssh code, but it seems to work and not break the
testsuite. Still I am pretty sure this is too naive, what do you think?
Best regards,
Bapt
---
 session.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/session.c b/session.c
index f265fdc3ed3..e35ff360ec9 100644
--- a/session.c
+++ b/session.c
@@ -323,11 +323,13 @@ do_authenticated(struct ssh *ssh, Authctxt *authctxt)
 		channel_disable_admin(ssh, FORWARD_LOCAL);
 		channel_disable_admin(ssh, FORWARD_REMOTE);
 	} else {
-		if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+		if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0 &&
+		    (options.allow_streamlocal_forwarding & FORWARD_LOCAL) == 0)
 			channel_disable_admin(ssh, FORWARD_LOCAL);
 		else
 			channel_permit_all(ssh, FORWARD_LOCAL);
-		if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0)
+		if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 &&
+		    (options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0)
 			channel_disable_admin(ssh, FORWARD_REMOTE);
 		else
 			channel_permit_all(ssh, FORWARD_REMOTE);
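Review bot: the new `&&` conditions switch the shared FORWARD_LOCAL and FORWARD_REMOTE permission sets to channel_permit_all() as soon as either option allows the direction, so with `AllowTcpForwarding no` and `AllowStreamLocalForwarding yes` the set that TCP forwards consult is now fully open; unless TCP requests are refused independently on options.allow_tcp_forwarding when they arrive, this relaxes the TCP restriction instead of only lifting the stream-local one. The author's own approach 1 (separate sets such as TCP_FORWARD_LOCAL vs STREAMLOCAL_FORWARD_LOCAL) avoids driving one permission set from two options; short of that, the change should say where the TCP check is still enforced so reviewers can confirm nothing is widened. Minor: the same two-line condition is repeated for both directions, and a small helper taking the direction would keep the local and remote branches identical.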
Baptiste Daroussin
2025-Oct-28  06:47 UTC
Decouple AllowStreamLocalForwarding and AllowTcpForwarding
On Thu 16 Oct 13:43, Baptiste Daroussin wrote:
> hello everyone,

Hello,

Anything I should do on my side to make this progress?

Best regards,
Bapt

>
> I am trying to fix an issue we have at $work with the fact that the
> AllowStreamLocalForwarding option is dependent on the AllowTcpForwarding option
> (this issue has been reported multiple times by others in the past).
>
> When looking at the code, I can see 2 approaches:
> 1/ the complete option would consist in removing FORWARD_LOCAL and
> FORWARD_REMOTE and replace them with TCP_FORWARD_LOCAL and TCP_FORWARD_REMOTE
> then introduce STREAMLOCAL_FORWARD_LOCAL and STREAMLOCAL_FORWARD_REMOTE and
> duplicate all the code to deal with both cases.
>
> 2/ the lazy approach, which is the one I took so far, would be to apply the patch.
>
> I am not very familiar with ssh code, but it seems to work and not break the
> testsuite. Still I am pretty sure this is too naive, what do you think?
>
> Best regards,
> Bapt
>
> ---
>  session.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/session.c b/session.c
> index f265fdc3ed3..e35ff360ec9 100644
> --- a/session.c
> +++ b/session.c
> @@ -323,11 +323,13 @@ do_authenticated(struct ssh *ssh, Authctxt *authctxt)
>  		channel_disable_admin(ssh, FORWARD_LOCAL);
>  		channel_disable_admin(ssh, FORWARD_REMOTE);
>  	} else {
> -		if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
> +		if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0 &&
> +		    (options.allow_streamlocal_forwarding & FORWARD_LOCAL) == 0)
>  			channel_disable_admin(ssh, FORWARD_LOCAL);
>  		else
>  			channel_permit_all(ssh, FORWARD_LOCAL);
> -		if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0)
> +		if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 &&
> +		    (options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0)
>  			channel_disable_admin(ssh, FORWARD_REMOTE);
>  		else
>  			channel_permit_all(ssh, FORWARD_REMOTE);
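The following is an added example, not code from the thread or from OpenSSH: a small C model of the permission-set decision that the session.c hunk above changes, evaluated for one forwarding direction across all four combinations of the two options. It compares the original logic, the posted patch (approach 2), and a hypothetical decoupled variant with one permission set per forwarding kind (approach 1). It assumes that each sshd_config option is also checked when a forwarding request arrives (the stream-local one must be, otherwise "AllowTcpForwarding yes" with "AllowStreamLocalForwarding no" could never be refused); the TCP request-time check is an assumption, and everything else in sshd is left out. The struct and function names are invented for the model.

```c
/*
 * Added example (not OpenSSH code): model of the session.c permission-set
 * decision for one forwarding direction under three variants.
 * Assumption: the per-kind sshd_config option is re-checked when a request
 * arrives; only the session-setup permission sets are modelled here.
 */
#include <stdio.h>

#define FORWARD_LOCAL  1
#define FORWARD_REMOTE 2

enum variant { ORIGINAL, PATCHED, DECOUPLED };
enum kind { KIND_TCP, KIND_STREAMLOCAL };

struct model_options {
	int allow_tcp_forwarding;		/* bitmask of FORWARD_* */
	int allow_streamlocal_forwarding;	/* bitmask of FORWARD_* */
};

/*
 * State of the admin permission set consulted by a forward of kind `k` in
 * direction `dir` after session setup: 1 models channel_permit_all(),
 * 0 models channel_disable_admin().
 */
int
model_set_open(enum variant v, const struct model_options *o, int dir,
    enum kind k)
{
	int tcp_ok = (o->allow_tcp_forwarding & dir) != 0;
	int sl_ok = (o->allow_streamlocal_forwarding & dir) != 0;

	switch (v) {
	case ORIGINAL:
		/* One shared set per direction, driven by AllowTcpForwarding only. */
		return tcp_ok;
	case PATCHED:
		/* Same shared set; opened as soon as either option allows it. */
		return tcp_ok || sl_ok;
	case DECOUPLED:
		/* Hypothetical TCP_/STREAMLOCAL_ split: one set per kind. */
		return k == KIND_TCP ? tcp_ok : sl_ok;
	}
	return 0;
}

/*
 * Effective answer for a request of kind `k`: the matching option must allow
 * the direction (assumed request-time check) and the permission set the
 * request consults must be open.
 */
int
model_forward_allowed(enum variant v, const struct model_options *o, int dir,
    enum kind k)
{
	int opt = k == KIND_TCP ? o->allow_tcp_forwarding :
	    o->allow_streamlocal_forwarding;

	return (opt & dir) != 0 && model_set_open(v, o, dir, k);
}

/* Prints the full truth table for the local direction. */
int
main(void)
{
	static const char *vname[] = { "original", "patched", "decoupled" };
	enum variant v;
	int tcp, sl;

	printf("%-9s %-4s %-4s | set(tcp) set(sl) | tcp-fwd sl-fwd\n",
	    "variant", "Tcp", "SL");
	for (v = ORIGINAL; v <= DECOUPLED; v++) {
		for (tcp = 0; tcp <= 1; tcp++) {
			for (sl = 0; sl <= 1; sl++) {
				struct model_options o = {
					tcp ? FORWARD_LOCAL : 0,
					sl ? FORWARD_LOCAL : 0
				};
				printf("%-9s %-4s %-4s | %-8d %-7d | %-7d %d\n",
				    vname[v], tcp ? "yes" : "no", sl ? "yes" : "no",
				    model_set_open(v, &o, FORWARD_LOCAL, KIND_TCP),
				    model_set_open(v, &o, FORWARD_LOCAL, KIND_STREAMLOCAL),
				    model_forward_allowed(v, &o, FORWARD_LOCAL, KIND_TCP),
				    model_forward_allowed(v, &o, FORWARD_LOCAL, KIND_STREAMLOCAL));
			}
		}
	}
	return 0;
}
```

The table makes the two sides of the discussion visible in one place: under the original logic, "AllowTcpForwarding no" plus "AllowStreamLocalForwarding yes" leaves the shared set disabled, so the stream-local forward is refused (the coupling the thread is about); under the patch the same configuration opens the shared set, which fixes stream-local but also reports the TCP set as open, so any remaining TCP restriction rests entirely on the assumed request-time check; the decoupled variant keeps each set tied to its own option.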