[clug] Why is my SSH port forwarding failing all of a sudden?

Chris Smart clug at christophersmart.com
Tue Feb 2 13:37:41 UTC 2016

On 02/02/16 22:31, Tony Lewis wrote:
> On 02/02/16 22:18, Chris Smart wrote:
>> This looks like you're sshing to localhost on port 55554, is that what
>> is supposed to happen when you ssh to "remotehost?" Did you point the
>> remotehost to localhost in /etc/hosts or something?
> Sorry for the obfuscation.
> There are three machines  concerned: client, tunnel and server.
> The client ssh (Cygwin) has a config like this:
> Host tunnel
>   HostName tunnel.fqdn
>   Port 12345
>   User tunnel
>   LocalForward 55554 server.local:22
> Host serverlocal
>   HostName localhost
>   Port 55554
> so I can "ssh -N tunnel" which translates to "ssh -p 12345 -L
> 55554:server.local:22 tunnel at tunnel.fqdn"
> And once the tunnel is established I can "ssh user at serverlocal" which
> translates to "ssh -p 55554 localhost", which should tunnel through the
> established connection to tunnel.fqdn and establish a connection to what
> the tunnel server knows as server.local
> The config file is just to enable me to give shorthand names to mappings.

Yep, OK so all that looks good to me. Sorry for the confusion.

On 01/02/16 21:46, Tony Lewis wrote:
> The problem is at the tunnel server.  In /var/log/auth.log I see:
>     Received request to connect to host blah.domain port 22, but the
> request was denied.

OK, going back to your original log line, that seems to come from this
part of the source:

[00:26 chris ~/code/openssh-portable (V_7_1_P2)]$ git grep "request to
connect to"
channels.c:             logit("Received request to connect to host
%.100s port %d, "
channels.c:             logit("Received request to connect to path %.100s, "

Which looking at the channel_connect_to_path function appears to be
about checking to see if the remote server and port you're trying to
connect to is permitted.

> Googlage indicates proposed solutions that involve enabling port
> forwarding.  But I have no AllowTcpForwarding directive, and the
default is "yes".

If it was a TCPForwarding deny you should probably see this in the logs
refused local port forward: <details>

> There are no PermitOpen directives (though I tried them) and
> the result is the same with or without the PermitTunnel directive.

I know that you said you tried it, but I'm actually leaning towards
PermitOpen option in your remote server's sshd_config file.. that would
seem to make sense with the log error you're getting.

On the remote server, can you add this option then restart sshd:
PermitOpen any

Then try your ssh tunnel again and tail the audit.log.

Then ssh serverlocal

You could also try:
PermitOpen "server.local:22"

Fingers crossed!


 ^ ^

More information about the linux mailing list