[clug] Why is my SSH port forwarding failing all of a sudden?
tony at lewistribe.com
Wed Feb 3 02:25:31 UTC 2016
On 3/02/2016 12:37 AM, Chris Smart wrote:
> On 01/02/16 21:46, Tony Lewis wrote:
>> The problem is at the tunnel server. In /var/log/auth.log I see:
>> Received request to connect to host blah.domain port 22, but the
>> request was denied.
> OK, going back to your original log line, that seems to come from this
> part of the source:
> [00:26 chris ~/code/openssh-portable (V_7_1_P2)]$ git grep "request to
> connect to"
> channels.c: logit("Received request to connect to host
> %.100s port %d, "
> channels.c: logit("Received request to connect to path %.100s, "
> Which looking at the channel_connect_to_path function appears to be
> about checking to see if the remote server and port you're trying to
> connect to is permitted.
>> There are no PermitOpen directives (though I tried them) and
>> the result is the same with or without the PermitTunnel directive.
> I know that you said you tried it, but I'm actually leaning towards
> PermitOpen option in your remote server's sshd_config file.. that would
> seem to make sense with the log error you're getting.
> On the remote server, can you add this option then restart sshd:
> PermitOpen any
> Then try your ssh tunnel again and tail the audit.log.
> Then ssh serverlocal
> You could also try:
> PermitOpen "server.local:22"
> Fingers crossed!
Did all of that, and still no love. Nothing new in behaviour, but just
to sum it up...
The client running "ssh user at serverlocal" says:
ssh_exchange_identification: read: Connection reset by peer
The client end of the terminal reports on the console:
debug1: Connection to port 55554 forwarding to 184.108.40.206 port 22
debug2: fd 16 setting TCP_NODELAY
debug1: channel 12: new [direct-tcpip]
channel 12: open failed: administratively prohibited: open failed
debug2: channel 12: zombie
debug2: channel 12: garbage collecting
debug1: channel 12: free: direct-tcpip: listening port 55554 for
220.127.116.11 port 22, connect from 127.0.0.1 port 58315 to 127.0.0.1 port
55554, nchannels 13
auth.log on the server reports:
sshd: Received request to connect to host 18.104.22.168 port 22,
but the request was denied.
Further sanity checks:
* I am sure sshd is restarting, because I tried stopping, then
connecting the tunnel, and it failed. Restart sshd and then the tunnel
command would work
* I am sure it's not an SSH thing for the client. Attempting to make
a TCP connection "socat - TCP:localhost:55554" (similar to "telnet
localhost 55554") shows the session being terminated gracefully, and
causes a similar error. I verified that if I do connect to a working
SSH server with socat, I get an OpenSSH banner message
* I tried it from a linux client (was Cygwin up until then). Both
client and (tunnel) server were the same Debian and same package version
of openssh-server, openssh-client: 1:6.0p1-4+deb7u3.
So it's more evidence that the problem is with the tunnel server. But
this has been working fine up until a few days ago. The only change to
the server, relating to a new ISP, is that it's no longer the PPPOE
server: it's external interface is still a private IP address, and the
modem now does the NATting. I struggle to see how this might impact it,
Thanks for all responses so far.
The tunnel server says on the console:
More information about the linux