diff --git a/ChangeLog b/ChangeLog
index f89e1b17c..1b5e78a42 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,10 @@
      [PROTOCOL.certkeys]
      explain certificate extensions/crit split rationale. Mention requirement
      that each appear at most once per cert.
+   - dtucker@cvs.openbsd.org 2012/03/29 23:54:36
+     [channels.c channels.h servconf.c]
+     Add PermitOpen none option based on patch from Loganaden Velvindron
+     (bz #1949).  ok djm@
 
 20120420
  - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
diff --git a/channels.c b/channels.c
index f6e9b4d8c..e5783b197 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.315 2011/09/23 07:45:05 markus Exp $ */
+/* $OpenBSD: channels.c,v 1.316 2012/03/29 23:54:36 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3126,6 +3126,17 @@ channel_add_adm_permitted_opens(char *host, int port)
 	return ++num_adm_permitted_opens;
 }
 
+void
+channel_disable_adm_local_opens(void)
+{
+	if (num_adm_permitted_opens == 0) {
+		permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens));
+		permitted_adm_opens[num_adm_permitted_opens].host_to_connect
+		   = NULL;
+		num_adm_permitted_opens = 1;
+	}
+}
+
 void
 channel_clear_permitted_opens(void)
 {
@@ -3167,7 +3178,9 @@ channel_print_adm_permitted_opens(void)
 		return;
 	}
 	for (i = 0; i < num_adm_permitted_opens; i++)
-		if (permitted_adm_opens[i].host_to_connect != NULL)
+		if (permitted_adm_opens[i].host_to_connect == NULL)
+			printf(" none");
+		else
 			printf(" %s:%d", permitted_adm_opens[i].host_to_connect,
 			    permitted_adm_opens[i].port_to_connect);
 	printf("\n");
diff --git a/channels.h b/channels.h
index c1f01c48b..6ed1ce00c 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.109 2011/09/23 07:45:05 markus Exp $ */
+/* $OpenBSD: channels.h,v 1.110 2012/03/29 23:54:36 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -253,6 +253,7 @@ void	 channel_set_af(int af);
 void     channel_permit_all_opens(void);
 void	 channel_add_permitted_opens(char *, int);
 int	 channel_add_adm_permitted_opens(char *, int);
+void	 channel_disable_adm_local_opens(void);
 void	 channel_update_permitted_opens(int, int);
 void	 channel_clear_permitted_opens(void);
 void	 channel_clear_adm_permitted_opens(void);
diff --git a/servconf.c b/servconf.c
index 8ec5ca0e6..6de77164e 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.223 2011/09/23 00:22:04 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.224 2012/03/29 23:54:36 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -1333,6 +1333,14 @@ process_server_config_line(ServerOptions *options, char *line,
 			}
 			break;
 		}
+		if (strcmp(arg, "none") == 0) {
+			if (*activep && n == -1) {
+				channel_clear_adm_permitted_opens();
+				options->num_permitted_opens = 1;
+				channel_disable_adm_local_opens();
+			}
+			break;
+		}
 		if (*activep && n == -1)
 			channel_clear_adm_permitted_opens();
 		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {