ssh tunneling client settings
Cameron Simpson
cs at zip.com.au
Thu Feb 25 02:47:41 UTC 2010
On 24Feb2010 18:32, Andrew Haley <aph at redhat.com> wrote:
| On 02/24/2010 06:23 PM, Christoph Höger wrote:
| > Am Mittwoch, den 24.02.2010, 15:57 +0000 schrieb Andrew Haley:
| >> On 02/24/2010 02:41 PM, Christoph Höger wrote:
| >>> are there any special client settings one needs to have for ssh
| >>> tunneling?
| >>> I have the classical setup: machines A1 and A2 (both fedora 12) should
| >>> access C which is only accessible from B1 (kerberos) or B2 (private key)
| >>>
| >>> So on A1 I used to
| >>>
| >>> ssh -L 10080:C:80 B1
| >>>
| >>> or
| >>>
| >>> ssh -L 10080:C:80 B2
| >>>
| >>> Both work fine.
| >>>
| >>> But on A2:
| >>>
| >>> ssh -L 10080:C:80 B1/B2
| >>>
| >>> logs me in to the machine but every connection attempt returns:
| >>>
| >>> channel 3: open failed: administratively prohibited: open failed
| >>>
| >>> Why? What kind of weird setting is this?
| >>
| >> Anything in the logs? Looks like a policy issue to me.
| >
| > What logs do you mean? This is a client issue. Does the ssh client write
| > to local log files?
|
| No. I think it may be a SELinux policy issue.
You also get this if the server end is locked down in the sshd_config or
in the key in the authorized_keys file. It is perfectly possible to
permit only specific port forwards at the server end. "man
authorized_keys" has details. We do this routinely for batch tunnels and
locked down remote access (eg for testers - let them ssh in, no shell,
only specific port forwards to the service to test).
--
Cameron Simpson <cs at zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/
Uh, this is only temporary...unless it works. - Red Green
More information about the users
mailing list