[Bug 2674] New: [CONFIRMED] channel 4: open failed: administratively prohibited: open failed
bugzilla-daemon at bugzilla.mindrot.org
Mon Jan 30 21:04:47 AEDT 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2674
Bug ID: 2674
Summary: [CONFIRMED] channel 4: open failed: administratively
prohibited: open failed
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: OpenBSD
Status: NEW
Severity: minor
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: jirib at devio.us
Hi,
this is a bug for an issue which was discussed on misc at openbsd.org[1] and
where dtucker@ also provided a diff[2], which I confirmed as solving the
issue, but I was also asking another question[3].
[1] https://marc.info/?t=147992627400001&r=1&w=2
[2] https://marc.info/?l=openbsd-misc&m=147996293922202&w=2
[3] https://marc.info/?l=openbsd-misc&m=148045752905570&w=2
j.
--------------------->%-------------------------------
I was using an ssh socks5 tunnel (-D9999) today and I saw many:
channel 4: open failed: administratively prohibited: open failed
messages. It seems non-resolvable hostnames on my gw (i.e. the end of the ssh
socks5 tunnel) are passed to the client as a "prohibited" event.
This seems odd and confusing. GW is an older 6.0-current amd64.
j.
Firefox with SOCKS5 tunnel (ssh -D9999 $gw). Then I opened a URL,
i.e. wiki.brq.example.com:
~~~
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug2: fd 11 setting TCP_NODELAY
debug3: fd 11 is O_NONBLOCK
debug3: fd 11 is O_NONBLOCK
debug1: channel 4: new [dynamic-tcpip]
debug2: channel 4: pre_dynamic: have 0
debug2: channel 4: pre_dynamic: have 3
debug2: channel 4: decode socks5
debug2: channel 4: socks5 auth done
debug2: channel 4: pre_dynamic: need more
debug2: channel 4: pre_dynamic: have 0
debug2: channel 4: pre_dynamic: have 26
debug2: channel 4: decode socks5
debug2: channel 4: socks5 post auth
debug2: channel 4: dynamic request: socks5 host wiki.brq.example.com port 80 command 1
debug3: send packet: type 90
debug3: receive packet: type 92
channel 4: open failed: administratively prohibited: open failed
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
debug2: channel 4: zombie
debug2: channel 4: garbage collecting
debug1: channel 4: free: direct-tcpip: listening port 9999 for wiki.brq.example.com port 80, connect from 127.0.0.1 port 30421 to 127.0.0.1 port 9999, nchannels 5
debug3: channel 4: status: The following connections are open:
#2 client-session (t4 r0 i0/0 o0/0 fd 7/8 cc -1)
#3 direct-tcpip: listening port 9999 for www.google.com port 443, connect from 127.0.0.1 port 24731 to 127.0.0.1 port 9999 (t4 r1 i0/0 o0/0 fd 10/10 cc -1)
~~~
part of auth.log:
~~~
Nov 23 19:24:04 gw sshd[20891]: error: connect_to wiki.brq.example.com: unknown host (no address associated with name)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~~~
my sshd_config part:
~~~
Match Address 192.168.1.0/24,192.168.2.0/24,192.168.254.0/24,2xx.0.0.0/8,2001:470:xxxx::/64 User jirib
PasswordAuthentication no
AuthenticationMethods publickey
AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
AllowTcpForwarding yes
PermitTunnel yes
AllowAgentForwarding yes
GatewayPorts yes
X11Forwarding yes
~~~
-----------------------<%-------------------------------
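Added example, not part of the original report and not OpenSSH code: the client only sees the reason carried in the channel-open failure reply (packet type 92), so telling a resolver failure from a real forwarding policy denial means correlating the client debug output with the gateway's auth.log. The function name and cause labels are hypothetical, the channel 5 lines are constructed for contrast, and matching is by hostname only (no timestamp correlation).

```python
import re

# Client side (ssh -v -D...): which host each dynamic channel asked for.
REQ = re.compile(r"channel (\d+): dynamic request: socks5 host (\S+) port (\d+)")
# Client side: the failure text the report is about.
FAIL = re.compile(r"channel (\d+): open failed: administratively prohibited")
# Server side (auth.log): sshd's own reason for the failed connect.
UNRESOLVED = re.compile(r"sshd\[\d+\]: error: connect_to (\S+?): unknown host")


def classify_open_failures(client_log: str, server_log: str) -> list:
    """Pair each 'administratively prohibited' channel with the gateway's log."""
    unresolved = set(UNRESOLVED.findall(server_log))
    target = {}   # channel id -> (host, port); ids are reused, so pop on failure
    results = []
    for line in client_log.splitlines():
        if m := REQ.search(line):
            target[m.group(1)] = (m.group(2), int(m.group(3)))
        elif m := FAIL.search(line):
            host, port = target.pop(m.group(1), (None, None))
            cause = ("dns-failure-on-gateway" if host in unresolved
                     else "no-resolver-error-logged")
            results.append({"channel": int(m.group(1)), "host": host,
                            "port": port, "cause": cause})
    return results


# Lines from the report (rejoined), plus a constructed channel 5 for contrast.
CLIENT_LOG = """\
debug2: channel 4: dynamic request: socks5 host wiki.brq.example.com port 80 command 1
debug3: send packet: type 90
debug3: receive packet: type 92
channel 4: open failed: administratively prohibited: open failed
debug2: channel 5: dynamic request: socks5 host blocked.example.net port 25 command 1
channel 5: open failed: administratively prohibited: open failed
"""
SERVER_LOG = """\
Nov 23 19:24:04 gw sshd[20891]: error: connect_to wiki.brq.example.com: unknown host (no address associated with name)
"""

if __name__ == "__main__":
    for row in classify_open_failures(CLIENT_LOG, SERVER_LOG):
        print(row)
```

A `no-resolver-error-logged` result only says the gateway recorded no "unknown host" error for that name; the failure still has to be checked against the forwarding settings in sshd_config.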