How to specify multiple destinations in OpenSSH server's PermitOpen directive?

Paebbels asked:

I have found how to restrict TCP tunnels on a per user basis. Now I would like to give some users/groups access to multiple clients in the network.

When I follow the instructions from the OpenSSH server documentation, I can’t restart the OpenSSH server.

From the documentation:

Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms:

PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port

Multiple forwards may be specified by separating them with whitespace. An argument of any can be used to remove all restrictions and permit any forwarding requests. An argument of none can be used to prohibit all forwarding requests. The wildcard ‘*’ can be used for host or port to allow all hosts or ports, respectively. By default all port forwarding requests are permitted.


I’m using these settings:

Match Group SSHTunnel_WebUI
    AllowTcpForwarding yes

When I remove the second FQDN:port, then I can restart sshd, otherwise I get an error message complaining about the configuration file. Other similar rules, but with only one FQDN:port setting work as expected.

How to format the settings string?

The error message as given by journalctl -xe

Jan 08 00:45:56 wiki sshd[55992]: /etc/ssh/sshd_config line 150: bad port number in PermitOpen
Jan 08 00:45:56 wiki systemd[1]: ssh.service: Control process exited, code=exited status=255
Jan 08 00:45:56 wiki systemd[1]: ssh.service: Failed with result 'exit-code'.
Jan 08 00:45:56 wiki systemd[1]: Failed to start OpenBSD Secure Shell server.
-- Subject: Unit ssh.service has failed
-- Defined-By: systemd
-- Support:
-- Unit ssh.service has failed.
-- The result is RESULT.
Jan 08 00:45:56 wiki systemd[1]: ssh.service: Service hold-off time over, scheduling restart.
Jan 08 00:45:56 wiki systemd[1]: ssh.service: Scheduled restart job, restart counter is at 5.

Related but not applicable questions and links:

My answer:

The format of PermitOpen is a space separated list of host:port pairs. However, the configuration example you gave has quotation marks. These are not permitted.

Use no quotation marks (and the = is also optional):


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.