Hello,

When a tun0 device is created with the below commands on the server:

  $ id sshuser
  uid=100(sshuser) gid=100(sshusers) groups=100(sshusers)
  $ ip tuntap add dev tun0 mode tun user sshuser group users
  $ ip link set dev tun0 up
  $ ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2

and ssh is started with this command from the client:

  $ ssh -NTC -w 0:0 -o Tunnel=point-to-point sshuser@<ip-address>

The error message is:

  debug1: Remote: Failed to open the tunnel device.
  . . .
  channel 0: open failed: administratively prohibited: open failed
  debug1: channel 0: free: tun, nchannels 1

If the group of the tun0 device is changed from "users" to "sshusers", the above ssh connection works fine.

Thanks
Joe
Generally, the user connecting must have the right privileges/permissions to open the tun device. So the tunnel device could have the same group or the same user. This is completely expected and normal. I've added a note to the sshd_config manual page mentioning the need for the tunnel device to have appropriate permissions.
The user connecting through ssh (sshuser) is the owner of the device. The owner of the device has appropriate permissions on the device. Looks like the permissions are only being checked for the group and not the user.
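To make the permission rule concrete, here is an added example (mine, not code from this thread or from OpenSSH) that models the Linux tun driver's owner/group check as I understand it (tun_not_capable() in drivers/net/tun.c) and runs the two device configurations from the report through it. The uid/gid for sshuser/sshusers are taken from the report's `id` output; the gid for "users" and the root credentials are assumed values.

```python
# Added example: a model of the Linux tun driver's owner/group check as I
# understand it (tun_not_capable() in drivers/net/tun.c). Not from the
# thread or OpenSSH; ids below are constructed to match the report.
from dataclasses import dataclass

NO_ID = -1  # stands in for an unset owner/group (INVALID_UID / INVALID_GID)


@dataclass
class Cred:
    """Effective credentials of the process doing TUNSETIFF. For an ssh
    tunnel this is sshd's post-auth child, running as the logged-in user."""
    euid: int
    egids: frozenset
    cap_net_admin: bool = False


@dataclass
class TunDev:
    owner: int = NO_ID  # set by `ip tuntap add ... user <u>`
    group: int = NO_ID  # set by `ip tuntap add ... group <g>`


def tun_not_capable(tun: TunDev, cred: Cred) -> bool:
    owner_mismatch = tun.owner != NO_ID and cred.euid != tun.owner
    group_mismatch = tun.group != NO_ID and tun.group not in cred.egids
    # Either mismatch refuses the attach (EPERM), unless the caller holds
    # CAP_NET_ADMIN. sshd then reports "administratively prohibited".
    return (owner_mismatch or group_mismatch) and not cred.cap_net_admin


def tun_attach_allowed(tun: TunDev, cred: Cred) -> bool:
    return not tun_not_capable(tun, cred)


# Constructed ids: sshuser is uid 100, sshusers is gid 100 (from the
# report's `id` output); "users" is assumed to be gid 1000.
SSHUSER, SSHUSERS, USERS = 100, 100, 1000
sshuser_cred = Cred(euid=SSHUSER, egids=frozenset({SSHUSERS}))
root_cred = Cred(euid=0, egids=frozenset({0}), cap_net_admin=True)


def thread_scenarios() -> dict:
    """Map each device configuration to whether sshuser's tunnel opens."""
    return {
        "user sshuser group users": tun_attach_allowed(TunDev(SSHUSER, USERS), sshuser_cred),
        "user sshuser group sshusers": tun_attach_allowed(TunDev(SSHUSER, SSHUSERS), sshuser_cred),
        "user sshuser, no group": tun_attach_allowed(TunDev(SSHUSER), sshuser_cred),
        "root with CAP_NET_ADMIN": tun_attach_allowed(TunDev(SSHUSER, USERS), root_cred),
    }


if __name__ == "__main__":
    for name, ok in thread_scenarios().items():
        print(f"{name:30s} -> {'tunnel opens' if ok else 'EPERM'}")
```

In this model the owner and the group are both checked whenever both are set, so a device whose group the user is not a member of is refused even though the user owns it, which is the behaviour the report describes.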
OpenSSH 6.8 is approaching release and closed for major work. Retarget these bugs for the next release.
Retarget to 6.9
Could you please attach a debug log from the server so we can figure out what is going wrong?