On 24Feb2010 18:32, Andrew Haley <aph@xxxxxxxxxx> wrote:
| On 02/24/2010 06:23 PM, Christoph Höger wrote:
| > On Wednesday, 24.02.2010, 15:57 +0000, Andrew Haley wrote:
| >> On 02/24/2010 02:41 PM, Christoph Höger wrote:
| >>> are there any special client settings one needs to have for ssh
| >>> tunneling?
| >>> I have the classical setup: machines A1 and A2 (both fedora 12) should
| >>> access C which is only accessible from B1 (kerberos) or B2 (private key)
| >>>
| >>> So on A1 I used to
| >>>
| >>> ssh -L 10080:C:80 B1
| >>>
| >>> or
| >>>
| >>> ssh -L 10080:C:80 B2
| >>>
| >>> Both work fine.
| >>>
| >>> But on A2:
| >>>
| >>> ssh -L 10080:C:80 B1/B2
| >>>
| >>> logs me in to the machine but every connection attempt returns:
| >>>
| >>> channel 3: open failed: administratively prohibited: open failed
| >>>
| >>> Why? What kind of weird setting is this?
| >>
| >> Anything in the logs? Looks like a policy issue to me.
| >
| > What logs do you mean? This is a client issue. Does the ssh client write
| > to local log files?
|
| No. I think it may be a SELinux policy issue.

You also get this if the server end is locked down in the sshd_config or
in the key in the authorized_keys file. It is perfectly possible to
permit only specific port forwards at the server end.
"man authorized_keys" has details.

We do this routinely for batch tunnels and locked down remote access
(e.g. for testers - let them ssh in, no shell, only specific port forwards
to the service to test).
-- 
Cameron Simpson <cs@xxxxxxxxxx> DoD#743
http://www.cskk.ezoshosting.com/cs/

Uh, this is only temporary...unless it works. - Red Green
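The per-key lockdown described in the message above can be checked offline. This is an added example, not part of the original thread: it evaluates the OpenSSH authorized_keys options `permitopen`, `no-port-forwarding`, `restrict` and `port-forwarding` for one entry and reports whether a given `-L` destination would be refused. Assumptions: the sample entries and key material are constructed, hosts are compared literally, and sshd_config settings such as `AllowTcpForwarding` and `PermitOpen` are not modelled.

```python
import re

# Key-type prefixes: a line starting with one of these has no options field.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
FIELD = re.compile(r'(?:[^\s"]|"(?:\\.|[^"])*")+')  # first field; quotes may hold spaces
OPTION = re.compile(r'([A-Za-z][A-Za-z0-9-]*)(?:="((?:\\.|[^"])*)")?')

# Constructed sample entries (key material is a placeholder, not a real key).
LOCKED = 'no-pty,command="/bin/false",permitopen="C:80" ssh-rsa AAAAexample tester@A2'
NO_FWD = 'no-port-forwarding ssh-rsa AAAAexample batch@A2'
PLAIN = 'ssh-rsa AAAAexample user@A1'


def parse_options(line):
    """Return [(name, value)] from the options field of one authorized_keys line."""
    line = line.strip()
    first = FIELD.match(line)
    if not first or line.startswith("#") or first.group(0).startswith(KEY_TYPES):
        return []
    return [(name.lower(), value) for name, value in OPTION.findall(first.group(0))]


def forward_allowed(line, host, port):
    """True if a local forward to host:port passes this key's options."""
    enabled, permitted = True, []
    for name, value in parse_options(line):  # options apply in order, last one wins
        if name in ("no-port-forwarding", "restrict"):
            enabled = False
        elif name == "port-forwarding":
            enabled = True
        elif name == "permitopen":
            permitted.append(value)
    if not enabled:
        return False
    if not permitted:
        return True  # no permitopen list: destination is not limited by the key
    for entry in permitted:
        allowed_host, _, allowed_port = entry.rpartition(":")
        if allowed_host == host and allowed_port in ("*", str(port)):
            return True
    return False


if __name__ == "__main__":
    for label, entry in (("LOCKED", LOCKED), ("NO_FWD", NO_FWD), ("PLAIN", PLAIN)):
        for dest in (("C", 80), ("C", 443)):
            verdict = "allowed" if forward_allowed(entry, *dest) else "administratively prohibited"
            print(label, dest, verdict)
```
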