Home / server / Questions / 535412
Accepted
AGamePlayer
Asked: 2013-09-01 20:34:18 +0800 CST

how to solve the "open failed: administratively prohibited: open failed" when using a SSH tunnel proxy

  • 772

I've been using SSH tunnel for a while on Windows (using Putty).

On Windows with putty, it is always fine, but on mac or cygwin, it sometimes prompts the warning message:

open failed: administratively prohibited: open failed

ssh-tunnel

5 Answers

  1. Best Answer

    I believe you have disabled TCP forwarding on the server. In your server /etc/ssh/sshd_config make sure that the following line is either not present or commented, otherwise comment it.

    AllowTcpForwarding no
    • 25

  2. There is a broader discussion of this error with SSH tunnels on Unix StackExchange. In a nutshell, this is a non-specific error; there are numerous possibilities that should be explored.

    • 8

  3. Just for posterity, even if it isn't useful to you specifically

    The errors are put to your console via stderr, so if you just want to ignore them, adding 2>/dev/null to the end of your ssh call will work perfectly. E.g.:

    ssh -C -D 3210 example@connexion 2>/dev/null

    This is useful if the proxy tunnel is actually working fine, but you just dont want to see the errors.

    In my case; the machine I'm tunnelling to isn't mine, so I can't modify the sshd_config (not that that was your issue) and I also use the same connexion for the shell. Having those error messages write into my console during an open vim window makes the display act up quite annoyingly.

    • 2

  4. If the sshd config already has all the options to enable port forwarding, but you still get this issue, check /var/log/secure for something like this - sshd: error: connect_to XXX: unknown host (Name or service not known)

    If the ssh host is unable to resolve the host that you want to tunnel to, it will give back the generic error unable to open channel.

    Double check you tunnel hostname or DNS resolution on ssh server.

    • 2

  5. open failed: administratively prohibited: open failed

    This means the SSH service (on the remote server) is not allowing SSH agent forwarding (AllowAgentForwarding no).

    If you cannot change the configuration on the remote server, you can still ssh to one server, then to another one.

    Normally you could use ProxyJump option in your .ssh/config, but in this case you cannot.

    You can try to forcibly disable forwarding agent on your client (ForwardAgent no), which probably won't work.

    Assuming you want to ssh to Y server via X, then as for the workaround, you can define the following section in SSH config file:

    Host remotehost
  ForwardAgent no
  HostName 192.168.X.IP
  RemoteCommand ssh 192.168.Y.IP
  RequestTTY yes

    Once loaded, then you can simply run: ssh remotehost.

    • 0