[clug] Why is my SSH port forwarding failing all of a sudden?

Tony Lewis tony at lewistribe.com
Wed Feb 3 02:25:31 UTC 2016

On 3/02/2016 12:37 AM, Chris Smart wrote:
> On 01/02/16 21:46, Tony Lewis wrote:
>> The problem is at the tunnel server.  In /var/log/auth.log I see:
>>      Received request to connect to host blah.domain port 22, but the
>> request was denied.
> OK, going back to your original log line, that seems to come from this
> part of the source:
> [00:26 chris ~/code/openssh-portable (V_7_1_P2)]$ git grep "request to
> connect to"
> channels.c:             logit("Received request to connect to host
> %.100s port %d, "
> channels.c:             logit("Received request to connect to path %.100s, "
> Which looking at the channel_connect_to_path function appears to be
> about checking to see if the remote server and port you're trying to
> connect to is permitted.
>> There are no PermitOpen directives (though I tried them) and
>> the result is the same with or without the PermitTunnel directive.
> I know that you said you tried it, but I'm actually leaning towards
> PermitOpen option in your remote server's sshd_config file.. that would
> seem to make sense with the log error you're getting.
> On the remote server, can you add this option then restart sshd:
> PermitOpen any
> Then try your ssh tunnel again and tail the audit.log.
> Then ssh serverlocal
> You could also try:
> PermitOpen "server.local:22"
> Fingers crossed!

Did all of that, and still no love.  Nothing new in behaviour, but just 
to sum it up...

The client running "ssh user at serverlocal" says:
     ssh_exchange_identification: read: Connection reset by peer
The client end of the terminal reports on the console:
     debug1: Connection to port 55554 forwarding to port 22 
     debug2: fd 16 setting TCP_NODELAY
     debug1: channel 12: new [direct-tcpip]
     channel 12: open failed: administratively prohibited: open failed
     debug2: channel 12: zombie
     debug2: channel 12: garbage collecting
     debug1: channel 12: free: direct-tcpip: listening port 55554 for port 22, connect from port 58315 to port 
55554, nchannels 13
auth.log on the server reports:
     sshd[731713]: Received request to connect to host port 22, 
but the request was denied.

Further sanity checks:
  * I am sure sshd is restarting, because I tried stopping, then 
connecting the tunnel, and it failed.  Restart sshd and then the tunnel 
command would work
  * I am sure it's not an SSH thing for the client.  Attempting to make 
a TCP connection "socat - TCP:localhost:55554" (similar to "telnet 
localhost 55554") shows the session being terminated gracefully, and 
causes a similar error.  I verified that if I do connect to a working 
SSH server with socat, I get an OpenSSH banner message
  * I tried it from a linux client (was Cygwin up until then).  Both 
client and (tunnel) server were the same Debian and same package version 
of openssh-server, openssh-client: 1:6.0p1-4+deb7u3.

So it's more evidence that the problem is with the tunnel server. But 
this has been working fine up until a few days ago.  The only change to 
the server, relating to a new ISP, is that it's no longer the PPPOE 
server: it's external interface is still a private IP address, and the 
modem now does the NATting.  I struggle to see how this might impact it, 

Thanks for all responses so far.


The tunnel server says on the console:

> -c

More information about the linux mailing list