diff --git a/manpages/dropbear.8 b/manpages/dropbear.8
index ab3393ef..bdb2ea02 100644
--- a/manpages/dropbear.8
+++ b/manpages/dropbear.8
@@ -58,7 +58,7 @@ Enable two-factor authentication. Both password login and public key authenticat
 required. Should not be used with the '-s' option.
 .TP
 .B \-j
-Disable local port forwarding.
+Disable local port forwarding. This includes unix stream forwards.
 .TP
 .B \-k
 Disable remote port forwarding.
@@ -136,7 +136,7 @@ Available restrictions are:
 .TP
 .B no-port-forwarding
-Don't allow port forwarding for this connection
+Don't allow port forwarding for this connection, including unix streams.
 .TP
 .B no-agent-forwarding
diff --git a/src/svr-tcpfwd.c b/src/svr-tcpfwd.c
index adfdcd75..e6902ea9 100644
--- a/src/svr-tcpfwd.c
+++ b/src/svr-tcpfwd.c
@@ -346,6 +346,11 @@ static int newstreamlocal(struct Channel * channel) {
 TRACE(("streamlocal channel %d", channel->index))
+ if (svr_opts.nolocaltcp || !svr_pubkey_allows_tcpfwd()) {
+ TRACE(("leave newstreamlocal: local unix forwarding disabled"))
+ goto out;
+ }
+
 destsocket = buf_getstring(ses.payload, &len);
 if (len > MAX_HOST_LEN) {
 TRACE(("leave streamlocal: destsocket too long"))
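Review bot: The new guard in newstreamlocal() jumps to `out` before `destsocket` is assigned, so it is only safe if `destsocket` is initialised to NULL at its declaration and the cleanup at `out` tolerates that; the declaration and the `out:` label both lie outside this hunk, so this should be confirmed. The failure reason returned to the client likewise depends on the initial value of the error variable, which is not visible here and should be an administratively-prohibited code rather than a generic failure. Since `svr_opts.nolocaltcp` now gates unix stream forwards as well as TCP, a short comment above the check would keep the field name from misleading later readers, e.g. `/* -j and the no-port-forwarding key restriction cover unix stream forwards too */`. The refusal is recorded only through `TRACE`, which I would expect to be a debug-build trace, so a refused forward may leave nothing in normal logs for an operator who wants to spot repeated attempts.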