02-24-2010, 05:23 PM
Christoph Höger

ssh tunneling client settings

On Wednesday, 24.02.2010, at 15:57 +0000, Andrew Haley wrote:
> On 02/24/2010 02:41 PM, Christoph Höger wrote:
> > Hi guys,
> >
> > are there any special client settings one needs to have for ssh
> > tunneling?
> >
> > I have the classical setup: machines A1 and A2 (both fedora 12) should
> > access C which is only accessible from B1 (kerberos) or B2 (private key)
> >
> > So on A1 I used to
> >
> > ssh -L 10080:C:80 B1
> >
> > or
> >
> > ssh -L 10080:C:80 B2
> >
> > Both work fine.
> >
> > But on A2:
> >
> > ssh -L 10080:C:80 B1/B2
> >
> > logs me in to the machine but every connection attempt returns:
> >
> > channel 3: open failed: administratively prohibited: open failed
> >
> > Why? What kind of weird setting is this?
>
> Anything in the logs? Looks like a policy issue to me.

What logs do you mean? This is a client issue. Does the ssh client write
to local log files?
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
02-24-2010, 05:28 PM
Christoph Höger

ssh tunneling client settings

On Wednesday, 24.02.2010, at 19:23 +0100, Christoph Höger wrote:
> On Wednesday, 24.02.2010, at 15:57 +0000, Andrew Haley wrote:
> > On 02/24/2010 02:41 PM, Christoph Höger wrote:
> > > Hi guys,
> > >
> > > are there any special client settings one needs to have for ssh
> > > tunneling?
> > >
> > > I have the classical setup: machines A1 and A2 (both fedora 12) should
> > > access C which is only accessible from B1 (kerberos) or B2 (private key)
> > >
> > > So on A1 I used to
> > >
> > > ssh -L 10080:C:80 B1
> > >
> > > or
> > >
> > > ssh -L 10080:C:80 B2
> > >
> > > Both work fine.
> > >
> > > But on A2:
> > >
> > > ssh -L 10080:C:80 B1/B2
> > >
> > > logs me in to the machine but every connection attempt returns:
> > >
> > > channel 3: open failed: administratively prohibited: open failed
> > >
> > > Why? What kind of weird setting is this?
> >
> > Anything in the logs? Looks like a policy issue to me.
>
> What logs do you mean? This is a client issue. Does the ssh client write
> to local log files?

Never mind. Just found out that I had a typo in the Host URI.

Somehow I'd expected to get an unknown host message, though ...
 
02-24-2010, 05:32 PM
Andrew Haley

ssh tunneling client settings

On 02/24/2010 06:23 PM, Christoph Höger wrote:
> On Wednesday, 24.02.2010, at 15:57 +0000, Andrew Haley wrote:
>> On 02/24/2010 02:41 PM, Christoph Höger wrote:
>>> Hi guys,
>>>
>>> are there any special client settings one needs to have for ssh
>>> tunneling?
>>>
>>> I have the classical setup: machines A1 and A2 (both fedora 12) should
>>> access C which is only accessible from B1 (kerberos) or B2 (private key)
>>>
>>> So on A1 I used to
>>>
>>> ssh -L 10080:C:80 B1
>>>
>>> or
>>>
>>> ssh -L 10080:C:80 B2
>>>
>>> Both work fine.
>>>
>>> But on A2:
>>>
>>> ssh -L 10080:C:80 B1/B2
>>>
>>> logs me in to the machine but every connection attempt returns:
>>>
>>> channel 3: open failed: administratively prohibited: open failed
>>>
>>> Why? What kind of weird setting is this?
>>
>> Anything in the logs? Looks like a policy issue to me.
>
> What logs do you mean? This is a client issue. Does the ssh client write
> to local log files?

No. I think it may be a SELinux policy issue.

See if anything is logged in any of the log files when you get this
message.

Also, make very sure that AllowTcpForwarding is set in sshd_config

Make sure no-one else has this port open.

Check the addresses.

Andrew.
 
02-24-2010, 05:41 PM
Daniel J Walsh

ssh tunneling client settings

On 02/24/2010 01:32 PM, Andrew Haley wrote:
> On 02/24/2010 06:23 PM, Christoph Höger wrote:
>
>> On Wednesday, 24.02.2010, at 15:57 +0000, Andrew Haley wrote:
>>
>>> On 02/24/2010 02:41 PM, Christoph Höger wrote:
>>>
>>>> Hi guys,
>>>>
>>>> are there any special client settings one needs to have for ssh
>>>> tunneling?
>>>>
>>>> I have the classical setup: machines A1 and A2 (both fedora 12) should
>>>> access C which is only accessible from B1 (kerberos) or B2 (private key)
>>>>
>>>> So on A1 I used to
>>>>
>>>> ssh -L 10080:C:80 B1
>>>>
>>>> or
>>>>
>>>> ssh -L 10080:C:80 B2
>>>>
>>>> Both work fine.
>>>>
>>>> But on A2:
>>>>
>>>> ssh -L 10080:C:80 B1/B2
>>>>
>>>> logs me in to the machine but every connection attempt returns:
>>>>
>>>> channel 3: open failed: administratively prohibited: open failed
>>>>
>>>> Why? What kind of weird setting is this?
>>>>
>>> Anything in the logs? Looks like a policy issue to me.
>>>
>> What logs do you mean? This is a client issue. Does the ssh client write
>> to local log files?
>>
> No. I think it may be a SELinux policy issue.
>
> See if anything is logged in any of the log files when you get this
> message.
>
> Also, make very sure that AllowTcpForwarding is set in sshd_config
>
> Make sure no-one else has this port open.
>
> Check the addresses.
>
> Andrew.
>
What version
rpm -q selinux-policy
ausearch -m avc -ts recent

 
02-25-2010, 01:47 AM
Cameron Simpson

ssh tunneling client settings

On 24Feb2010 18:32, Andrew Haley <aph@redhat.com> wrote:
| On 02/24/2010 06:23 PM, Christoph Höger wrote:
| > On Wednesday, 24.02.2010, at 15:57 +0000, Andrew Haley wrote:
| >> On 02/24/2010 02:41 PM, Christoph Höger wrote:
| >>> are there any special client settings one needs to have for ssh
| >>> tunneling?
| >>> I have the classical setup: machines A1 and A2 (both fedora 12) should
| >>> access C which is only accessible from B1 (kerberos) or B2 (private key)
| >>>
| >>> So on A1 I used to
| >>>
| >>> ssh -L 10080:C:80 B1
| >>>
| >>> or
| >>>
| >>> ssh -L 10080:C:80 B2
| >>>
| >>> Both work fine.
| >>>
| >>> But on A2:
| >>>
| >>> ssh -L 10080:C:80 B1/B2
| >>>
| >>> logs me in to the machine but every connection attempt returns:
| >>>
| >>> channel 3: open failed: administratively prohibited: open failed
| >>>
| >>> Why? What kind of weird setting is this?
| >>
| >> Anything in the logs? Looks like a policy issue to me.
| >
| > What logs do you mean? This is a client issue. Does the ssh client write
| > to local log files?
|
| No. I think it may be a SELinux policy issue.

You also get this if the server end is locked down in the sshd_config or
in the key in the authorized_keys file. It is perfectly possible to
permit only specific port forwards at the server end. "man
authorized_keys" has details. We do this routinely for batch tunnels and
locked down remote access (eg for testers - let them ssh in, no shell,
only specific port forwards to the service to test).
--
Cameron Simpson <cs@zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

Uh, this is only temporary...unless it works. - Red Green
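
The server-side lockdown described in the message above, modelled as an added example (not code from the thread or from OpenSSH): it parses constructed authorized_keys lines and reports whether a `-L` request to a given host:port would be refused by the key's options. The key entries, user names and the simplified matching (literal host string with no name lookup, `*` port wildcard, as documented in sshd(8)) are assumptions; sshd_config settings such as AllowTcpForwarding are not modelled.

```python
import re

# Constructed authorized_keys for the gateway (B2 in the thread); key blobs are placeholders.
SAMPLE = '''\
no-pty,command="/bin/false",permitopen="C:80" ssh-rsa AAAAPLACEHOLDER tester@A2
permitopen="C:80",permitopen="[2001:db8::1]:443" ssh-rsa AAAAPLACEHOLDER batch@A1
no-port-forwarding ssh-rsa AAAAPLACEHOLDER backup@A1
ssh-rsa AAAAPLACEHOLDER admin@A1
'''
KEYTYPE = re.compile(r'(ssh|ecdsa|sk)-')
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?')

def parse_entry(line):
    """Split one authorized_keys line into ([(option, value)], key comment)."""
    opts, pos = [], 0
    if not KEYTYPE.match(line):          # line starts with an options field
        while True:
            m = OPTION.match(line, pos)
            if not m:
                raise ValueError('malformed options: ' + line)
            opts.append((m.group(1).lower(), m.group(2)))
            pos = m.end()
            if line[pos:pos + 1] != ',':  # unquoted whitespace ends the options
                break
            pos += 1
    fields = line[pos:].split()
    return opts, fields[2] if len(fields) > 2 else ''

def forward_verdict(opts, host, port):
    """Simplified model: would a -L channel to host:port be opened for this key?"""
    fwd = True
    for name, _ in opts:                  # later options override earlier ones
        if name in ('no-port-forwarding', 'restrict', 'port-forwarding'):
            fwd = name == 'port-forwarding'
    allowed = [v for n, v in opts if n == 'permitopen' and v]
    for spec in allowed:
        h, _, p = spec.rpartition(':')
        # Literal comparison: a mistyped destination host never matches.
        if fwd and h.strip('[]') == host and p in ('*', str(port)):
            return 'allowed'
    return 'allowed' if fwd and not allowed else 'prohibited'

def audit(text, host, port):
    """Map each key comment to the verdict for a forward to host:port."""
    lines = [l.strip() for l in text.splitlines()]
    entries = [parse_entry(l) for l in lines if l and not l.startswith('#')]
    return {who: forward_verdict(opts, host, port) for opts, who in entries}

if __name__ == '__main__':
    print(audit(SAMPLE, 'C', 80))
```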