From 7fd84db8506c021cdf654cb499da125c55756aa6 Mon Sep 17 00:00:00 2001
From: "Merlijn B. W. Wajer"
Date: Fri, 10 Mar 2017 11:49:45 +0100
Subject: [PATCH] Allow both "localhost" and empty bind spec
---
 sshd.go | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/sshd.go b/sshd.go
index 6d16a6c..7152128 100644
--- a/sshd.go
+++ b/sshd.go
@@ -241,8 +241,8 @@ func handleTcpIpForward(client *sshClient, req *ssh.Request) (net.Listener, *bin
 log.Printf("Request to listen on %s:%d", payload.Addr, payload.Port)
 }
 
- if payload.Addr != "localhost" {
- log.Printf("Payload address is not \"localhost\"")
+ if payload.Addr != "localhost" && payload.Addr != "" {
+ log.Printf("Payload address is not \"localhost\" or empty")
 req.Reply(false, []byte{})
 return nil, nil, fmt.Errorf("Address is not permitted")
 }
@@ -256,9 +256,6 @@ func handleTcpIpForward(client *sshClient, req *ssh.Request) (net.Listener, *bin
 laddr := payload.Addr
 lport := payload.Port
 
- // TODO: We currently bind to localhost:port, and not to :port
- // Need to figure out what we want - perhaps just part of policy
- //bind := fmt.Sprintf(":%d", lport)
 bind := fmt.Sprintf("%s:%d", laddr, lport)
 ln, err := net.Listen("tcp", bind)
 if err != nil {
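Review bot: Accepting an empty `payload.Addr` in the first hunk changes what gets bound, not only what is accepted: the second hunk keeps `bind := fmt.Sprintf("%s:%d", laddr, lport)`, so an empty address yields `:port` and `net.Listen` then listens on every interface instead of loopback. RFC 4254 section 7.1 does define "" as "all addresses", so this may be intended, but unless a check outside these hunks restricts it, any client that reaches this handler can now expose a forwarded port to the network, and the TODO deleted in the second hunk was the only place that mentioned making this a policy decision. I would gate the wildcard case explicitly before the reply, for example `if payload.Addr == "" && !allowWildcardBind {` (placeholder name for a per-client or configuration setting, comparable to OpenSSH's GatewayPorts), and log the effective bind string so a wildcard listener is visible in the logs. The body of handleTcpIpForward starts before the first hunk and continues past the second.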