ssh tunneling and "channel 2: open failed: administratively prohibited: open failed"

Jonathan Underwood jonathan.underwood at gmail.com
Tue Jan 23 20:56:23 UTC 2007


On 23/01/07, Rick Sewill <rsewill at cableone.net> wrote:
> It says it is an administrative issue.  I am guessing authentication.
>
> I have a long-shot guess...after trying some local tests here.
> I have one user name, USERA, on machine A,
>            user name, USERX, on machine B and machine C
>
> I did the same (names of machines are different)
> From machine A> ssh -N -L 8080:C:22 B
>
> From machine A> ssh -p 8080 localhost
>      -- and it failed because my name on machine A is different
>         from my name on machine B and ssh on machine A was passing
>         the equivalent of "USERA@localhost"
> When I did from machine A> ssh -p 8080 USERX@localhost
>         I succeeded because machine C knew about and wanted USERX
>

My usernames on machines A and C are the same, and different to the
username on machine B. So, I tried this suggestion, to no avail --
same general result I'm afraid.


> Another possibility...when you connect from machine B to machine C,
> do you have anything special in ~/.ssh/config file on machine B
> that is not being triggered when you ssh through the tunnel?
>

I checked, and there's nothing in my .ssh/config files on any of the
machines. Machines A and C are freshly installed FC6 boxes, identical
(actually, I have even tried using the same machine as machine A and
C), and machine B is a Sun machine with a clean account. Machine B is
the one not under my control.

> I might as well ask if there is anything special in ~/.ssh/config file
> on machine A that might be specifying something machine C does not
> support.  Such things might be a certain kind of encryption or
> compression or ....
>

Nope, nothing like that.

> Sorry I am not being as much help as I would like to be.
>

No need for apologies - you've been incredibly helpful with your
suggestions, as I feel more confident I've ruled everything else out,
and it must be that TCPForwarding on the box in the middle (B) is
disallowed.

> You may need to ask the administrator for machine C what is showing up
> in the syslog.
>

That's me :) There's nothing in the logs that gives a clue - I think
the logs on machine B would be more interesting, but those are not
available to me :).

Thanks again Rick.
Jonathan.
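
Added example, not part of the original message: a shell sketch of the two checks this thread comes down to. The first function classifies the channel-open failure the ssh client on machine A prints; the second is for the administrator of machine B and reads the global AllowTcpForwarding value (the sshd_config keyword for the forwarding setting discussed above) from a config file. Function names and all sample input are constructed.

```shell
#!/bin/sh
# Read ssh client stderr on stdin; print one verdict per channel-open failure.
# The wording mirrors the SSH channel-open failure reasons (RFC 4254, 5.1).
classify_forward_failure() {
    while IFS= read -r line; do
        case "$line" in
            *"open failed: administratively prohibited"*)
                echo "refused-by-server" ;;   # B declined to open the channel
            *"open failed: connect failed"*)
                echo "target-unreachable" ;;  # B tried the onward connection, it failed
            *"open failed:"*)
                echo "other" ;;
        esac
    done
}

# Read an sshd_config on stdin; print the global AllowTcpForwarding value.
# sshd keeps the first value it sees for a keyword and defaults to "yes".
# Match blocks are per-connection overrides and are not evaluated here.
global_tcp_forwarding() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        { sub(/=/, " ") }                   # accept "Keyword=value" as well
        tolower($1) == "match" { exit }     # stop at the first Match block
        tolower($1) == "allowtcpforwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    '
}

# Constructed sample: stderr of "ssh -v -N -L 8080:C:22 B" after a client
# connected to local port 8080.
sample_client_log='debug1: Connection to port 8080 forwarding to C port 22 requested.
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: administratively prohibited: open failed
debug1: channel 2: free: direct-tcpip: listening port 8080 for C port 22'

# Constructed sample: the relevant part of an sshd_config on machine B.
sample_sshd_config='# constructed example
Port 22
AllowTcpForwarding no
X11Forwarding yes'

echo "client verdict: $(printf '%s\n' "$sample_client_log" | classify_forward_failure)"
echo "B global AllowTcpForwarding: $(printf '%s\n' "$sample_sshd_config" | global_tcp_forwarding)"
```

On a real server, `sshd -T` (run as root) prints the effective configuration, including `allowtcpforwarding`, and is the authoritative check; the parser above only reads the global section of a file.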



