diff -up openssh-6.6p1/channels.c.permitopen openssh-6.6p1/channels.c

--- openssh-6.6p1/channels.c.permitopen	2016-06-29 15:37:08.780327108 +0200

+++ openssh-6.6p1/channels.c	2016-06-29 16:04:38.480857525 +0200

@@ -128,6 +128,9 @@ static int num_adm_permitted_opens = 0;

 /* special-case port number meaning allow any port */

 #define FWD_PERMIT_ANY_PORT	0

+/* special-case wildcard meaning allow any host */

+#define FWD_PERMIT_ANY_HOST	"*"

+

 /*

  * If this is true, all opens are permitted.  This is the case on the server

  * on which we have to trust the client anyway, and the user could do

@@ -3271,6 +3274,21 @@ port_match(u_short allowedport, u_short

 	return 0;

 }

+static int

+open_match(ForwardPermission *allowed_open, const char *requestedhost,

+    u_short requestedport)

+{

+	if (allowed_open->host_to_connect == NULL)

+		return 0;

+	if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT &&

+	    allowed_open->port_to_connect != requestedport)

+		return 0;

+	if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 &&

+	    strcmp(allowed_open->host_to_connect, requestedhost) != 0)

+		return 0;

+	return 1;

+}

+

 /* Try to start non-blocking connect to next host in cctx list */

 static int

 connect_next(struct channel_connect *cctx)

@@ -3391,20 +3409,18 @@ channel_connect_to(const char *host, u_s

 	permit = all_opens_permitted;

 	if (!permit) {

 		for (i = 0; i < num_permitted_opens; i++)

-			if (permitted_opens[i].host_to_connect != NULL &&

-			    port_match(permitted_opens[i].port_to_connect, port) &&

-			    strcmp(permitted_opens[i].host_to_connect, host) == 0)

+			if (open_match(&permitted_opens[i], host, port)) {

 				permit = 1;

+			}

 	}

 	if (num_adm_permitted_opens > 0) {

 		permit_adm = 0;

 		for (i = 0; i < num_adm_permitted_opens; i++)

-			if (permitted_adm_opens[i].host_to_connect != NULL &&

-			    port_match(permitted_adm_opens[i].port_to_connect, port) &&

-			    strcmp(permitted_adm_opens[i].host_to_connect, host)

-			    == 0)

+			if (open_match(&permitted_adm_opens[i], host, port)) {

 				permit_adm = 1;

+				break;

+			}

 	}

 	if (!permit || !permit_adm) {

diff -up openssh-6.6p1/sshd_config.5.permitopen openssh-6.6p1/sshd_config.5

--- openssh-6.6p1/sshd_config.5.permitopen	2016-06-29 15:37:08.778327110 +0200

+++ openssh-6.6p1/sshd_config.5	2016-06-29 15:37:08.782327106 +0200

@@ -1005,6 +1005,9 @@ can be used to remove all restrictions a

 An argument of

 .Dq none

 can be used to prohibit all forwarding requests.

+Wildcard

+.Dq *

+can be used for host or port to allow all hosts or all ports respectively.

 By default all port forwarding requests are permitted.

 .It Cm PermitRootLogin

 Specifies whether root can log in using