[Bug 2674] New: [CONFIRMED] channel 4: open failed: administratively prohibited: open failed

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Mon Jan 30 21:04:47 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2674

            Bug ID: 2674
           Summary: [CONFIRMED] channel 4: open failed: administratively
                    prohibited: open failed
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: Other
                OS: OpenBSD
            Status: NEW
          Severity: minor
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jirib at devio.us

Hi,

this is a bug report for an issue which was discussed on misc at openbsd.org[1],
where dtucker@ also provided a diff[2] which I confirmed as solving the
issue, but I was also asking another question[3].

[1] https://marc.info/?t=147992627400001&r=1&w=2
[2] https://marc.info/?l=openbsd-misc&m=147996293922202&w=2
[3] https://marc.info/?l=openbsd-misc&m=148045752905570&w=2

j.

--------------------->%-------------------------------

I was using an ssh socks5 tunnel (-D9999) today and I saw many:

  channel 4: open failed: administratively prohibited: open failed

messages. It seems a non-resolvable hostname on my gw (i.e. the end of the ssh
socks5 tunnel) is passed to the client as a "prohibited" event.

This seems odd and confusing. GW is an older 6.0-current amd64.

j.

Firefox with SOCKS5 tunnel (ssh -D9999 $gw). Then I opened a URL,
i.e. wiki.brq.example.com:

~~~
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug2: fd 11 setting TCP_NODELAY
debug3: fd 11 is O_NONBLOCK
debug3: fd 11 is O_NONBLOCK
debug1: channel 4: new [dynamic-tcpip]
debug2: channel 4: pre_dynamic: have 0
debug2: channel 4: pre_dynamic: have 3
debug2: channel 4: decode socks5
debug2: channel 4: socks5 auth done
debug2: channel 4: pre_dynamic: need more
debug2: channel 4: pre_dynamic: have 0
debug2: channel 4: pre_dynamic: have 26
debug2: channel 4: decode socks5
debug2: channel 4: socks5 post auth
debug2: channel 4: dynamic request: socks5 host wiki.brq.example.com port 80 command 1
debug3: send packet: type 90
debug3: receive packet: type 92
channel 4: open failed: administratively prohibited: open failed
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
debug2: channel 4: zombie
debug2: channel 4: garbage collecting
debug1: channel 4: free: direct-tcpip: listening port 9999 for wiki.brq.example.com port 80, connect from 127.0.0.1 port 30421 to 127.0.0.1 port 9999, nchannels 5
debug3: channel 4: status: The following connections are open:
  #2 client-session (t4 r0 i0/0 o0/0 fd 7/8 cc -1)
  #3 direct-tcpip: listening port 9999 for www.google.com port 443, connect from 127.0.0.1 port 24731 to 127.0.0.1 port 9999 (t4 r1 i0/0 o0/0 fd 10/10 cc -1)
~~~

part of auth.log:

~~~
Nov 23 19:24:04 gw sshd[20891]: error: connect_to wiki.brq.example.com: unknown host (no address associated with name)
                                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~~~

my sshd_config part:

~~~
Match Address 192.168.1.0/24,192.168.2.0/24,192.168.254.0/24,2xx.0.0.0/8,2001:470:xxxx::/64 User jirib
      PasswordAuthentication no
      AuthenticationMethods publickey
      AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
      AllowTcpForwarding yes
      PermitTunnel yes
      AllowAgentForwarding yes
      GatewayPorts yes
      X11Forwarding yes
~~~
-----------------------<%-------------------------------
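The exchange behind the debug trace above, as an added example that is not part of this bug report and not OpenSSH's own code: it parses the SOCKS5 CONNECT request the way the client's "decode socks5" step does (RFC 1928), builds the direct-tcpip SSH_MSG_CHANNEL_OPEN that is the "send packet: type 90" line (RFC 4254 section 7.2), and decodes the SSH_MSG_CHANNEL_OPEN_FAILURE that is the "receive packet: type 92" line (RFC 4254 section 5.1), rendering it the way the client logs it. The request bytes, the channel window and packet sizes, and the gw's reply are constructed here, not captured: the reply is assumed to carry reason code 1 with the description "open failed", because that is what the logged message decodes to. All function names (socks5_connect_request, parse_socks5_request, build_direct_tcpip_open, build_open_failure, client_log_line) are this example's own.

```python
"""Decode the SOCKS5 request and the SSH channel-open exchange behind
"channel 4: open failed: administratively prohibited: open failed".
Added example, not OpenSSH code; wire formats follow RFC 1928 and RFC 4254."""
import socket
import struct

SOCKS5_CMD_CONNECT = 1
SOCKS5_ATYP_IPV4, SOCKS5_ATYP_DOMAIN, SOCKS5_ATYP_IPV6 = 1, 3, 4
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_FAILURE = 92

# RFC 4254 section 5.1 reason codes, with the text the ssh client prints for each.
OPEN_FAILURE_REASONS = {
    1: "administratively prohibited",  # SSH_OPEN_ADMINISTRATIVELY_PROHIBITED
    2: "connect failed",               # SSH_OPEN_CONNECT_FAILED
    3: "unknown channel type",         # SSH_OPEN_UNKNOWN_CHANNEL_TYPE
    4: "resource shortage",            # SSH_OPEN_RESOURCE_SHORTAGE
}

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def socks5_connect_request(host: str, port: int) -> bytes:
    """Constructed client request: VER CMD RSV ATYP(domain) LEN host PORT."""
    h = host.encode("ascii")
    return bytes([5, SOCKS5_CMD_CONNECT, 0, SOCKS5_ATYP_DOMAIN, len(h)]) + h + struct.pack(">H", port)

def parse_socks5_request(buf: bytes):
    """Parse the post-auth SOCKS5 request (the client's 'decode socks5' step).
    Returns (command, host, port), or None when more bytes are needed
    (the 'pre_dynamic: need more' case in the trace)."""
    if len(buf) < 4:
        return None
    ver, cmd, rsv, atyp = buf[:4]
    if ver != 5 or rsv != 0:
        raise ValueError("not a SOCKS5 request")
    off = 4
    if atyp in (SOCKS5_ATYP_IPV4, SOCKS5_ATYP_IPV6):
        family, n = (socket.AF_INET, 4) if atyp == SOCKS5_ATYP_IPV4 else (socket.AF_INET6, 16)
        if len(buf) < off + n + 2:
            return None
        host = socket.inet_ntop(family, buf[off:off + n])
    elif atyp == SOCKS5_ATYP_DOMAIN:
        if len(buf) < off + 1:
            return None
        n = buf[off]
        off += 1
        if len(buf) < off + n + 2:
            return None
        host = buf[off:off + n].decode("ascii")
    else:
        raise ValueError("unsupported SOCKS5 address type %d" % atyp)
    (port,) = struct.unpack_from(">H", buf, off + n)
    return cmd, host, port

def build_direct_tcpip_open(sender_channel, host, port, orig_host, orig_port,
                            window=2 * 1024 * 1024, max_packet=32768) -> bytes:
    """SSH_MSG_CHANNEL_OPEN for a direct-tcpip channel (RFC 4254 7.2); type 90.
    The window and max_packet defaults are assumed values, not OpenSSH's."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"direct-tcpip")
            + struct.pack(">III", sender_channel, window, max_packet)
            + ssh_string(host.encode("ascii")) + struct.pack(">I", port)
            + ssh_string(orig_host.encode("ascii")) + struct.pack(">I", orig_port))

def build_open_failure(recipient_channel, reason, description=b"", lang=b"") -> bytes:
    """SSH_MSG_CHANNEL_OPEN_FAILURE (RFC 4254 5.1); type 92."""
    return (bytes([SSH_MSG_CHANNEL_OPEN_FAILURE]) + struct.pack(">II", recipient_channel, reason)
            + ssh_string(description) + ssh_string(lang))

def parse_open_failure(payload: bytes):
    """Return (recipient channel, reason code, description) from a type-92 packet."""
    if payload[0] != SSH_MSG_CHANNEL_OPEN_FAILURE:
        raise ValueError("not a CHANNEL_OPEN_FAILURE packet")
    chan, reason, n = struct.unpack_from(">III", payload, 1)
    return chan, reason, payload[13:13 + n].decode("utf-8", "replace")

def client_log_line(payload: bytes) -> str:
    """Render the reply as the ssh client logs it: reason text, then the
    server-supplied description after ': ' when one is present."""
    chan, reason, desc = parse_open_failure(payload)
    text = OPEN_FAILURE_REASONS.get(reason, "unknown reason code %d" % reason)
    return "channel %d: open failed: %s%s%s" % (chan, text, ": " if desc else "", desc)

if __name__ == "__main__":
    req = socks5_connect_request("wiki.brq.example.com", 80)  # constructed request
    cmd, host, port = parse_socks5_request(req)
    print("dynamic request: socks5 host %s port %d command %d" % (host, port, cmd))
    open_pkt = build_direct_tcpip_open(4, host, port, "127.0.0.1", 30421)
    print("send packet: type %d" % open_pkt[0])
    # Assumed reply: reason 1 plus "open failed" is what the logged line decodes to.
    reply = build_open_failure(4, 1, b"open failed")
    print("receive packet: type %d" % reply[0])
    print(client_log_line(reply))
    # What the same failure looks like under RFC 4254's code for a failed connect:
    print(client_log_line(build_open_failure(4, 2, b"open failed")))
```

Run it with python3 and it prints the four channel-4 lines from the trace, then the same reply with reason code 2. The point for anyone reading the trace is that the client can only print what the reply packet's reason code says: the gw's auth.log records a resolver failure, but nothing of that reaches the client beyond the generic code and the "open failed" description.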
