[clug] Why is my SSH port forwarding failing all of a sudden?

Bob Edwards bob at cs.anu.edu.au
Tue Feb 2 03:54:11 UTC 2016


On 01/02/16 21:46, Tony Lewis wrote:
> Hi all,
>
> I SSH to my server, and use local port forwarding to reach in to other
> servers.  It was working a treat until today.
>
> Nothing changed on the server or client configs, though the clients
> (Cygwin) did upgrade from
>      OpenSSH_7.1p1, OpenSSL 1.0.2d (XX) Aug 2015
> to
>      OpenSSH_7.1p2, OpenSSL 1.0.2f 28 Jan 2016
>
> I tried downgrading but can't go back to earlier than OpenSSH 1.0.2e.  I
> am having the same problem on my Linux desktop also.
>
> The problem is at the tunnel server.  In /var/log/auth.log I see:
>      Received request to connect to host blah.domain port 22, but the
> request was denied.
>
> Googlage indicates proposed solutions that involve enabling port
> forwarding.  But I have no AllowTcpForwarding directive, and the default
> is "yes".  There are no PermitOpen directives (though I tried them) and
> the result is the same with or without the PermitTunnel directive.
>
> The authorized_keys file contains only keys, no restrictions (e.g. no
> force-command).
>
> I know the problem is with the server, because it makes no attempt on
> the network to establish a connection to my destination server.
> Something in the server is administratively blocking my port forwarding.
>
> The server is Debian Wheezy.
>
> # dpkg -l | grep ssh
> ...
> ii  openssh-client 1:6.0p1-4+deb7u3                   amd64 secure shell
> (SSH) client, for secure access to remote machines
> ii  openssh-server 1:6.0p1-4+deb7u3                   amd64 secure shell
> (SSH) server, for secure access from remote machines
>
> Any clues?
>
> Tony

My suggestion would be to overlook the documented "default" behaviour
for the AllowTcpForwarding directive, and set it explicitly to "yes".
Then don't forget to properly restart the SSH daemon - sometimes
/etc/init.d/ssh restart doesn't actually do anything... On Jessie, I
usually have to use "systemctl restart ssh".

cheers,

Bob Edwards.



More information about the linux mailing list