Ports in options instead of comment field

README.rst

@@ -14,8 +14,6 @@ authorized_keys format
 ======================
 
 Same as OpenSSH authorized_keys format.
-Comment field contains the ports that are allowed to be forwarded, comma
-separated::
-
-    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHPWEWu85yECrbmtL38wlFua3tBSqxTekCX/aU+dku+w 3333,3334
+The options field contains the ports that are allowed to be forwarded, colon separated::
 
+    ports=3333:4444 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHPWEWu85yECrbmtL38wlFua3tBSqxTekCX/aU+dku+w COMMENTHERE

sshd.go

@@ -140,6 +140,7 @@ func handleChannel(newChannel ssh.NewChannel, ports []uint32) {
 
 	if !ok {
 		newChannel.Reject(ssh.Prohibited, fmt.Sprintf("Bad port"))
+		log.Printf("Tried to forward prohibited port: %d", payload.Port)
 		return
 	}
 
@@ -184,7 +185,7 @@ func handleChannel(newChannel ssh.NewChannel, ports []uint32) {
 }
 
 func parsePorts(portstr string) (p []uint32, err error) {
-	ports := strings.Split(portstr, ",")
+	ports := strings.Split(portstr, ":")
 	for _, port := range ports {
 		port, err := strconv.ParseUint(port, 10, 32)
 		if err != nil {
@@ -203,12 +204,25 @@ func loadAuthorisedKeys(authorisedkeys string) {
 	}
 
 	for len(authorisedKeysBytes) > 0 {
-		pubkey, ports, _, rest, err := ssh.ParseAuthorizedKey(authorisedKeysBytes)
+		pubkey, _, options, rest, err := ssh.ParseAuthorizedKey(authorisedKeysBytes)
 
 		if err != nil {
 			log.Fatal(err)
 		}
 
+		log.Println("Options:", options)
+		if len(options) != 1 {
+			log.Fatal(fmt.Errorf("Only one option is accepted: 'ports=...'"))
+		}
+
+		option := options[0]
+
+		if !strings.HasPrefix(option, "ports=") {
+			log.Fatal(fmt.Errorf("Options does not start with 'ports='"))
+		}
+
+		ports := option[len("ports="):]
+
 		_, err = parsePorts(ports)
 
 		if err != nil {