From 98b234f9f7a442f193437fffc364490f73c19e17 Mon Sep 17 00:00:00 2001 From: adamgreg Date: Wed, 3 Jun 2020 15:32:00 +0100 Subject: [PATCH] SSH: Add local TCP forwarding option (#1364) * SSH: Add local TCP forwarding option Add allow_tcp_forwarding option, to allow local port forwarding by the SSH add-on. Code lifted from the more advanced [SSH & Web Terminal](https://github.com/hassio-addons/addon-ssh) add-on. * Bump version to 8.6.0 * SSH: Rename tcp_forwarding option * Update ssh.sh * Update DOCS.md Co-authored-by: Pascal Vizeli --- ssh/CHANGELOG.md | 4 ++++ ssh/DOCS.md | 12 +++++++++++- ssh/config.json | 12 +++++++++--- ssh/rootfs/etc/cont-init.d/ssh.sh | 5 +++++ 4 files changed, 29 insertions(+), 4 deletions(-) diff --git a/ssh/CHANGELOG.md b/ssh/CHANGELOG.md index cac7681..66432f4 100644 --- a/ssh/CHANGELOG.md +++ b/ssh/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 8.6.0 + +- Add support for local TCP forwarding + ## 8.5.4 - Update Home Assistant CLI to 4.3.0 diff --git a/ssh/DOCS.md b/ssh/DOCS.md index d967548..98368b3 100644 --- a/ssh/DOCS.md +++ b/ssh/DOCS.md @@ -55,6 +55,16 @@ keys by adding multiple public keys to the list. Set a password for login. **We do NOT recommend this variant**. +### Option group `server` + +Some SSH server options. + +#### Option `tcp_forwarding` + +Specifies whether TCP forwarding is permitted or not. + +**Note**: _Enabling this option lowers the security of your SSH server! Nevertheless, this warning is debatable._ + ## Network To enable ssh access via the network, you need to enter the port number ‘22’ or the port you want to use. This will map that port from the hassio host into the running “Terminal & SSH” container. 
@@ -80,4 +90,4 @@ In case you've found a bug, please [open an issue on our GitHub][issue].
 [issue]: https://github.com/home-assistant/hassio-addons/issues
 [keygen-windows]: https://www.digitalocean.com/community/tutorials/how-to-create-ssh-keys-with-putty-to-connect-to-a-vps
 [keygen]: https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/
-[reddit]: https://reddit.com/r/homeassistant
\ No newline at end of file
+[reddit]: https://reddit.com/r/homeassistant
diff --git a/ssh/config.json b/ssh/config.json
index b10ba52..476ce32 100644
--- a/ssh/config.json
+++ b/ssh/config.json
@@ -1,6 +1,6 @@
 {
 "name": "Terminal & SSH",
- "version": "8.5.4",
+ "version": "8.6.0",
 "slug": "ssh",
 "description": "Allow logging in remotely to Home Assistant using SSH",
 "url": "https://github.com/home-assistant/hassio-addons/tree/master/ssh",
@@ -22,11 +22,17 @@
 "map": ["config:rw", "ssl:rw", "addons:rw", "share:rw", "backup:rw"],
 "options": {
 "authorized_keys": [],
- "password": ""
+ "password": "",
+ "server": {
+ "tcp_forwarding": false
+ }
 },
 "schema": {
 "authorized_keys": ["str"],
- "password": "str"
+ "password": "str",
+ "server": {
+ "tcp_forwarding": "bool"
+ }
 },
 "image": "homeassistant/{arch}-addon-ssh"
 }
diff --git a/ssh/rootfs/etc/cont-init.d/ssh.sh b/ssh/rootfs/etc/cont-init.d/ssh.sh
index d90439c..0b58ce8 100644
--- a/ssh/rootfs/etc/cont-init.d/ssh.sh
+++ b/ssh/rootfs/etc/cont-init.d/ssh.sh
@@ -29,3 +29,8 @@ elif bashio::config.has_value 'password'; then
 elif bashio::var.has_value "$(bashio::addon.port 22)"; then
 bashio::exit.nok "You need to setup a login!"
 fi
+
+# Allow TCP forwarding
+if bashio::config.true 'server.tcp_forwarding'; then
+ sed -i "s/AllowTcpForwarding.*/AllowTcpForwarding\\ yes/" /etc/ssh/sshd_config
+fi
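Review bot: The added `sed` line in ssh.sh writes `AllowTcpForwarding yes`, which permits remote (`-R`) as well as local forwarding, while the commit title and changelog entry describe local forwarding only; sshd accepts `local` as a value for this directive, so `sed -i "s/^#*AllowTcpForwarding.*/AllowTcpForwarding local/" /etc/ssh/sshd_config` would keep the grant as narrow as the stated feature. The original pattern is also unanchored, so if the image ships the directive commented out the leading `#` would survive the substitution and the option would silently do nothing; the anchored form above covers both cases, though the image's sshd_config is not visible here. Nothing in the hunk writes the directive back to `no` when `server.tcp_forwarding` is false, so the disabled state depends entirely on the shipped default and on the config file being recreated at each start. The script begins above this hunk, so the interaction with the earlier login setup was not reviewed.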