From 956edbc00c053b310c108e3976b0e2e9f887882e Mon Sep 17 00:00:00 2001
From: Mikhail Aseev
Date: Thu, 22 Aug 2024 00:15:25 +0300
Subject: [PATCH] Limit SSH server AllowTcpForwarding

Signed-off-by: Mikhail Aseev
---
 controls/sshd_spec.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/controls/sshd_spec.rb b/controls/sshd_spec.rb
index a81db94..1d2ebb5 100644
--- a/controls/sshd_spec.rb
+++ b/controls/sshd_spec.rb
@@ -24,7 +24,6 @@
 sshd_valid_kexs = input('sshd_valid_kexs', value: ssh_crypto.valid_kexs)
 sshd_valid_macs = input('sshd_valid_macs', value: ssh_crypto.valid_macs)
 sshd_permittunnel = input('sshd_permittunnel', value: 'no')
-sshd_tcpforwarding = input('sshd_tcpforwarding', value: 'no')
 sshd_agentforwarding = input('sshd_agentforwarding', value: 'no')
 sshd_gatewayports = input('sshd_gatewayports', value: 'no')
 sshd_x11forwarding = input('sshd_x11forwarding', value: 'no')
@@ -413,7 +412,7 @@
   title 'Server: Disable TCP forwarding'
   desc 'If you use TCP forwarding in an uncontrolled manner then you can bypass the firewalls'
   describe sshd_config("#{sshd_custom_path}/sshd_config") do
-    its('AllowTcpForwarding') { should eq(sshd_tcpforwarding) }
+    its('AllowTcpForwarding') { should match(/^no|local$/) }
   end
 end
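Review bot: The new matcher `should match(/^no|local$/)` in the second hunk parses as "starts with `no`" OR "ends with `local`", because alternation binds loosest and `^`/`$` are line anchors in Ruby, so it does not pin the value to exactly one of the two keywords; `should match(/\A(?:no|local)\z/i)` does, with the `i` flag covering the case-insensitive spelling sshd accepts for these values. The control's `title 'Server: Disable TCP forwarding'` and its desc are now stale since `local` is accepted — something like `title 'Server: Restrict TCP forwarding to local'` would describe what is actually checked. The first hunk drops the `sshd_tcpforwarding` input entirely, so profiles that tuned it lose that knob; if keeping it tunable was the intent, retain the input and validate the supplied value against the same anchored pattern. The enclosing `control` block begins outside the hunk.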