Re: ssh tunneling and "channel 2: open failed: administratively prohibited: open failed"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2007-01-23 at 19:28 +0000, Jonathan Underwood wrote:
> Hi Rick,
> 
> On 23/01/07, Rick Sewill <rsewill@xxxxxxxxxxxx> wrote:
> 
> > When you ssh from machine A to machine B,
> > can you ssh from machine B to machine C?
> 
> Yes, I can.
> 
> >
> > It may not provide much information, but my next instinct would be to
> > turn on verbose mode, "man ssh"
> > ssh -v -v -v -p 8888 localhost
> 
> ssh -vvv -p 8888 localhost
> OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to localhost [::1] port 8888.
> debug1: Connection established.
> debug1: identity file /home/jgu/.ssh/identity type -1
> debug1: identity file /home/jgu/.ssh/id_rsa type -1
> debug1: identity file /home/jgu/.ssh/id_dsa type -1
> ssh_exchange_identification: Connection closed by remote host
> 
> and, also, if I start up the tunnel with -vvv, I get this each time I
> try to connect to port 8888 on the local host:
> 
> debug1: Connection to port 8888 forwarding to withnail.phys.ucl.ac.uk
> port 22 requested.
> debug2: fd 9 setting TCP_NODELAY
> debug2: fd 9 setting O_NONBLOCK
> debug3: fd 9 is O_NONBLOCK
> debug1: channel 3: new [direct-tcpip]
> channel 3: open failed: administratively prohibited: open failed
> debug1: channel 3: free: direct-tcpip: listening port 8888 for
> withnail.phys.ucl.ac.uk port 22, connect from ::1 port 36180,
> nchannels 4
> debug3: channel 3: status: The following connections are open:
>   #2 client-session (t4 r0 i0/0 o0/0 fd 6/7 cfd -1)
>   #3 direct-tcpip: listening port 8888 for withnail.phys.ucl.ac.uk
> port 22, connect from ::1 port 36180 (t3 r-1 i0/0 o0/0 fd 9/9 cfd -1)
> 
> debug3: channel 3: close_fds r 9 w 9 e -1 c -1
> debug1: Connection to port 8888 forwarding to withnail.phys.ucl.ac.uk
> port 22 requested.
> debug2: fd 9 setting TCP_NODELAY
> debug2: fd 9 setting O_NONBLOCK
> debug3: fd 9 is O_NONBLOCK
> debug1: channel 3: new [direct-tcpip]
> channel 3: open failed: administratively prohibited: open failed
> debug1: channel 3: free: direct-tcpip: listening port 8888 for
> withnail.phys.ucl.ac.uk port 22, connect from ::1 port 36181,
> nchannels 4
> debug3: channel 3: status: The following connections are open:
>   #2 client-session (t4 r0 i0/0 o0/0 fd 6/7 cfd -1)
>   #3 direct-tcpip: listening port 8888 for withnail.phys.ucl.ac.uk
> port 22, connect from ::1 port 36181 (t3 r-1 i0/0 o0/0 fd 9/9 cfd -1)
> 
> debug3: channel 3: close_fds r 9 w 9 e -1 c -1
> 
> Does that shed any light ?
> J.
> 

It says it is an administrative issue.  I am guessing authentication.

I have a long-shot guess...after trying some local tests here.
I have one user name, USERA, on machine A,
           user name, USERX, on machine B and machine C

I did the same (names of machines are different)
>From machine A> ssh -N -L 8080:C:22 B

>From machine A> ssh -p 8080 localhost  
     -- and it failed because my name on machine A is different 
        from my name on machine B and ssh on machine A was passing 
        the equivalent of "USERA@localhost"
When I did from machine A> ssh -p 8080 USERX@localhost
        I succeeded because machine C knew about and wanted USERX

Another possibility...when you connect from machine B to machine C,
do you have anything special in ~/.ssh/config file on machine B
that is not being triggered when you ssh through the tunnel?

I might as well ask if there is anything special in ~/.ssh/config file
on machine A that might be specifying something machine C does not
support.  Such things might be a certain kind of encryption or
compression or ....

Sorry I am not being as much help as I would like to be.

You may need to ask the administrator for machine C what is showing up
in the syslog.

-- 
Rick Sewill            tel:+1-218-287-1075 mailto:rsewill@xxxxxxxxxxxx
1028 7th St. N.                               mailto:rsewill@xxxxxxxxx
Moorhead, MN 56560-1568      ymsgr:rsewill   sip:628497@xxxxxxxxxxxxxx
U. S. A.               tel:+1-701-866-0266     xmpp:rsewill@xxxxxxxxxx


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux