From 03846f05f06063d91a15de7ff1dfcc72575c063d Mon Sep 17 00:00:00 2001
From: Lingyu Zhou
Date: Wed, 3 Sep 2025 14:16:34 +0000
Subject: [PATCH] add gatewayports option to sshd
---
 src/sshd/README.md | 1 +
 src/sshd/devcontainer-feature.json | 12 +++++++++++-
 src/sshd/install.sh | 2 ++
 test/sshd/scenarios.json | 18 ++++++++++++++++++
 test/sshd/sshd_with_default_gateway_ports.sh | 12 ++++++++++++
 ...ith_pinned_gateway_ports_clientspecified.sh | 12 ++++++++++++
 6 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 test/sshd/scenarios.json
 create mode 100644 test/sshd/sshd_with_default_gateway_ports.sh
 create mode 100644 test/sshd/sshd_with_pinned_gateway_ports_clientspecified.sh
diff --git a/src/sshd/README.md b/src/sshd/README.md
index 7314e16af..f4215b391 100644
--- a/src/sshd/README.md
+++ b/src/sshd/README.md
@@ -15,6 +15,7 @@ Adds a SSH server into a container so that you can use an external terminal, sft | Options Id | Description | Type | Default Value | |-----|-----|-----|-----| +| gatewayPorts | Enable other hosts in the same network to connect to the forwarded ports | string | no | version | Currently unused. | string | latest | ## Usage
diff --git a/src/sshd/devcontainer-feature.json b/src/sshd/devcontainer-feature.json
index e400b0601..46c4ef302 100644
--- a/src/sshd/devcontainer-feature.json
+++ b/src/sshd/devcontainer-feature.json
@@ -1,6 +1,6 @@
 {
 "id": "sshd",
- "version": "1.0.10",
+ "version": "1.1.0",
 "name": "SSH server",
 "documentationURL": "https://github.com/devcontainers/features/tree/main/src/sshd",
 "description": "Adds a SSH server into a container so that you can use an external terminal, sftp, or SSHFS to interact with it.",
@@ -12,6 +12,16 @@
 ],
 "default": "latest",
 "description": "Currently unused."
+ },
+ "gatewayPorts": {
+ "type": "string",
+ "enum": [
+ "no",
+ "yes",
+ "clientspecified"
+ ],
+ "default": "no",
+ "description": "Enable other hosts in the same network to connect to the forwarded ports"
 }
 },
 "entrypoint": "/usr/local/share/ssh-init.sh",
diff --git a/src/sshd/install.sh b/src/sshd/install.sh
index 146040896..9b9ddedf2 100755
--- a/src/sshd/install.sh
+++ b/src/sshd/install.sh
@@ -13,6 +13,7 @@ SSHD_PORT="${SSHD_PORT:-"2222"}"
 USERNAME="${USERNAME:-"${_REMOTE_USER:-"automatic"}"}"
 START_SSHD="${START_SSHD:-"false"}"
 NEW_PASSWORD="${NEW_PASSWORD:-"skip"}"
+GATEWAY_PORTS="${GATEWAYPORTS:-"no"}"
 set -e
@@ -89,6 +90,7 @@ mkdir -p /var/run/sshd
 sed -i 's/session\s*required\s*pam_loginuid\.so/session optional pam_loginuid.so/g' /etc/pam.d/sshd
 sed -i 's/#*PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
 sed -i -E "s/#*\s*Port\s+.+/Port ${SSHD_PORT}/g" /etc/ssh/sshd_config
+sed -i "s/#GatewayPorts no/GatewayPorts ${GATEWAY_PORTS}/g" /etc/ssh/sshd_config
 # Need to UsePAM so /etc/environment is processed
 sed -i -E "s/#?\s*UsePAM\s+.+/UsePAM yes/g" /etc/ssh/sshd_config
diff --git a/test/sshd/scenarios.json b/test/sshd/scenarios.json
new file mode 100644
index 000000000..1513f64f9
--- /dev/null
+++ b/test/sshd/scenarios.json
@@ -0,0 +1,18 @@
+{
+ "sshd_with_default_gateway_ports": {
+ "image": "ubuntu:noble",
+ "features": {
+ "sshd": {
+ "gatewayPorts": "no"
+ }
+ }
+ },
+ "sshd_with_pinned_gateway_ports_clientspecified": {
+ "image": "ubuntu:noble",
+ "features": {
+ "sshd": {
+ "gatewayPorts": "clientspecified"
+ }
+ }
+ }
+}
diff --git a/test/sshd/sshd_with_default_gateway_ports.sh b/test/sshd/sshd_with_default_gateway_ports.sh
new file mode 100644
index 000000000..543074ad4
--- /dev/null
+++ b/test/sshd/sshd_with_default_gateway_ports.sh
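Review bot: The `gatewayPorts` description added in src/sshd/devcontainer-feature.json does not say what the three enum values do, and "same network" understates the effect of `yes`. Per sshd_config, `yes` binds remote port forwardings to the wildcard address and `clientspecified` lets the connecting client choose the bind address, so forwarded ports become reachable from anything that can route to the container rather than only from loopback. Suggested text: `"description": "Bind address for remote port forwards: 'no' keeps them on loopback, 'yes' binds all interfaces, 'clientspecified' lets the SSH client choose. Values other than 'no' expose forwarded ports beyond the container."` The README table row added by this patch carries the same wording and would need the same change.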
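Review bot: `GATEWAY_PORTS` in the first src/sshd/install.sh hunk is taken from the environment without any check, and the second hunk interpolates it into a sed expression that rewrites /etc/ssh/sshd_config. The enum in devcontainer-feature.json is presumably only advisory as far as this script is concerned, so a value containing `/`, `&` or a newline would break the expression or write an unintended directive. A guard directly after the assignment closes that: `case "${GATEWAY_PORTS}" in no|yes|clientspecified) ;; *) echo "Invalid gatewayPorts: ${GATEWAY_PORTS}" >&2; exit 1 ;; esac`. The variable block this line joins starts outside the hunk.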
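Review bot: The sed added in the second src/sshd/install.sh hunk only fires when sshd_config contains the literal text `#GatewayPorts no`; if that line is absent, already uncommented or spaced differently, a requested `yes` or `clientspecified` is dropped without any error. The neighbouring Port and UsePAM edits use tolerant patterns, and this one could follow them: `sed -i -E "s/^#?\s*GatewayPorts\s+.*/GatewayPorts ${GATEWAY_PORTS}/" /etc/ssh/sshd_config`, followed by `grep -qE "^GatewayPorts\s" /etc/ssh/sshd_config || echo "GatewayPorts ${GATEWAY_PORTS}" >> /etc/ssh/sshd_config` so a missing line is appended instead of ignored. A comment above it such as `# Values other than "no" make remote forwards reachable beyond loopback` would tell the next reader why the default matters. The script continues outside the hunk.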
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+# Optional: Import test library
+source dev-container-features-test-lib
+
+# Definition specific tests
+check "correct default GatewayPorts" grep "GatewayPorts no" /etc/ssh/sshd_config
+
+# Report result
+reportResults
\ No newline at end of file
diff --git a/test/sshd/sshd_with_pinned_gateway_ports_clientspecified.sh b/test/sshd/sshd_with_pinned_gateway_ports_clientspecified.sh
new file mode 100644
index 000000000..58b7cb730
--- /dev/null
+++ b/test/sshd/sshd_with_pinned_gateway_ports_clientspecified.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+# Optional: Import test library
+source dev-container-features-test-lib
+
+# Definition specific tests
+check "correct default GatewayPorts" grep "GatewayPorts clientspecified" /etc/ssh/sshd_config
+
+# Report result
+reportResults
\ No newline at end of file
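Review bot: The grep in test/sshd/sshd_with_default_gateway_ports.sh is unanchored, so it also matches the commented stock line `#GatewayPorts no` that install.sh expects to find, and the check passes even if the script never edited the file. Anchoring makes the test assert an active directive: `check "correct default GatewayPorts" grep -E "^GatewayPorts no$" /etc/ssh/sshd_config`. The same anchoring applies to the grep in sshd_with_pinned_gateway_ports_clientspecified.sh.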
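Review bot: The check label in test/sshd/sshd_with_pinned_gateway_ports_clientspecified.sh still reads "correct default GatewayPorts" although the scenario pins `clientspecified`, so a failure report would point at the wrong case. A label that names the value fixes that: `check "GatewayPorts set to clientspecified" grep -E "^GatewayPorts clientspecified$" /etc/ssh/sshd_config`. No scenario in this patch covers `yes`, the value with the widest exposure; a third script of the same shape would complete the enum.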