From ec76a249f312df5dc840ad4292cd1c069813f4c6 Mon Sep 17 00:00:00 2001
From: djm
Date: Sun, 31 May 2026 04:47:29 +0000
Subject: [PATCH] DisableForwarding=yes didn't override PermitTunnel=yes Reported independently by Huzaifa Sidhpurwala of Redhat and Marko Jevtic; ok markus@
---
 usr.bin/ssh/serverloop.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr.bin/ssh/serverloop.c b/usr.bin/ssh/serverloop.c
index 0a72fd45ae9..ebd91542bcb 100644
--- a/usr.bin/ssh/serverloop.c
+++ b/usr.bin/ssh/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.246 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: serverloop.c,v 1.247 2026/05/31 04:47:29 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -516,7 +516,7 @@ server_request_tun(struct ssh *ssh)
 ssh_packet_send_debug(ssh, "Unsupported tunnel device mode.");
 return NULL;
 }
- if ((options.permit_tun & mode) == 0) {
+ if ((options.permit_tun & mode) == 0 || options.disable_forwarding) {
 ssh_packet_send_debug(ssh, "Server has rejected tunnel device "
 "forwarding");
 return NULL;
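Review bot: The combined test `(options.permit_tun & mode) == 0 || options.disable_forwarding` in server_request_tun has no comment recording that DisableForwarding is meant to take precedence over PermitTunnel, which is the whole security point of the fix. I would add `/* DisableForwarding overrides all other forwarding options, PermitTunnel included */` directly above the `if`, so a later refactor does not split the two conditions apart again. Both refusal reasons also share the one client-facing `ssh_packet_send_debug` text, and no server-side log call is visible in these lines, so an administrator auditing refused tunnel requests may be unable to tell which option denied them. If the rest of the function does not already log it, a single log line naming the reason would help. server_request_tun begins and ends outside the hunk, so any later checks or logging are not visible here.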