Hi, this is a bug for an issue which was discussed on misc@openbsd.org [1] and where dtucker@ also provided a diff [2] which I confirmed as solving the issue, but I was also asking another question [3].

[1] https://marc.info/?t=147992627400001&r=1&w=2
[2] https://marc.info/?l=openbsd-misc&m=147996293922202&w=2
[3] https://marc.info/?l=openbsd-misc&m=148045752905570&w=2

j.

--------------------->%-------------------------------

I was using an ssh socks5 tunnel (-D9999) today and I saw many:

channel 4: open failed: administratively prohibited: open failed

messages. It seems non-resolvable hostnames on my gw (i.e. the end of the ssh socks5 tunnel) are passed to the client as a "prohibited" event. This seems odd and confusing.

GW is an older 6.0-current amd64.

j.

Firefox with SOCKS5 tunnel (ssh -D9999 $gw). Then I opened a URL, i.e. wiki.brq.example.com:

~~~
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug2: fd 11 setting TCP_NODELAY
debug3: fd 11 is O_NONBLOCK
debug3: fd 11 is O_NONBLOCK
debug1: channel 4: new [dynamic-tcpip]
debug2: channel 4: pre_dynamic: have 0
debug2: channel 4: pre_dynamic: have 3
debug2: channel 4: decode socks5
debug2: channel 4: socks5 auth done
debug2: channel 4: pre_dynamic: need more
debug2: channel 4: pre_dynamic: have 0
debug2: channel 4: pre_dynamic: have 26
debug2: channel 4: decode socks5
debug2: channel 4: socks5 post auth
debug2: channel 4: dynamic request: socks5 host wiki.brq.example.com port 80 command 1
debug3: send packet: type 90
debug3: receive packet: type 92
channel 4: open failed: administratively prohibited: open failed
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
debug2: channel 4: zombie
debug2: channel 4: garbage collecting
debug1: channel 4: free: direct-tcpip: listening port 9999 for wiki.brq.example.com port 80, connect from 127.0.0.1 port 30421 to 127.0.0.1 port 9999, nchannels 5
debug3: channel 4: status: The following connections are open:
  #2 client-session (t4 r0 i0/0 o0/0 fd 7/8 cc -1)
  #3 direct-tcpip: listening port 9999 for www.google.com port 443, connect from 127.0.0.1 port 24731 to 127.0.0.1 port 9999 (t4 r1 i0/0 o0/0 fd 10/10 cc -1)
~~~

part of auth.log:

~~~
Nov 23 19:24:04 gw sshd[20891]: error: connect_to wiki.brq.example.com: unknown host (no address associated with name)
                                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~~~

my sshd_config part:

~~~
Match Address 192.168.1.0/24,192.168.2.0/24,192.168.254.0/24,2xx.0.0.0/8,2001:470:xxxx::/64
    User jirib
    PasswordAuthentication no
    AuthenticationMethods publickey
    AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
    AllowTcpForwarding yes
    PermitTunnel yes
    AllowAgentForwarding yes
    GatewayPorts yes
    X11Forwarding yes
~~~

-----------------------<%-------------------------------
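As an added triage example (not from the report above and not OpenSSH code), a small Python script that correlates the client-side `ssh -vvv` output with the gateway's auth.log, so that a dynamic-forward refusal the client shows as "administratively prohibited" can be told apart from the name-resolution failure sshd actually logged. The sample lines are the ones quoted in the report, unwrapped, plus one constructed channel 5 entry for a hostname that does not appear in auth.log.

```python
import re

# Client side (ssh -vvv -D): which host/port each dynamic channel asked for,
# and which channels the server then refused to open.
REQ_RE = re.compile(
    r"channel (?P<ch>\d+): dynamic request: socks5 host (?P<host>\S+) port (?P<port>\d+)")
FAIL_RE = re.compile(r"channel (?P<ch>\d+): open failed: (?P<reason>[^:]+)")
# Server side (auth.log): sshd's connect_to() could not resolve the target name.
UNKNOWN_RE = re.compile(r"sshd\[\d+\]: error: connect_to (?P<host>\S+): unknown host")

# Sample input: lines taken from the report above, plus a constructed channel 5.
CLIENT_DEBUG = [
    "debug2: channel 4: dynamic request: socks5 host wiki.brq.example.com port 80 command 1",
    "debug3: send packet: type 90",
    "debug3: receive packet: type 92",
    "channel 4: open failed: administratively prohibited: open failed",
    "debug2: channel 5: dynamic request: socks5 host intranet.example.com port 443 command 1",
    "channel 5: open failed: administratively prohibited: open failed",
]
AUTH_LOG = [
    "Nov 23 19:24:04 gw sshd[20891]: error: connect_to wiki.brq.example.com: "
    "unknown host (no address associated with name)",
]


def correlate(client_lines, auth_lines):
    """Return {channel: (host, port, verdict)} for every refused dynamic channel."""
    requested = {}
    for line in client_lines:
        m = REQ_RE.search(line)
        if m:
            requested[int(m.group("ch"))] = (m.group("host"), int(m.group("port")))
    unresolved = set()
    for line in auth_lines:
        m = UNKNOWN_RE.search(line)
        if m:
            unresolved.add(m.group("host"))
    verdicts = {}
    for line in client_lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        ch = int(m.group("ch"))
        host, port = requested.get(ch, ("?", 0))
        reason = m.group("reason").strip()
        if host in unresolved:
            verdict = "dns-failure-at-gateway"      # sshd logged it as unknown host
        elif reason == "administratively prohibited":
            verdict = "policy-or-unknown"           # no server-side evidence; check config
        else:
            verdict = reason
        verdicts[ch] = (host, port, verdict)
    return verdicts


if __name__ == "__main__":
    for ch, (host, port, verdict) in sorted(correlate(CLIENT_DEBUG, AUTH_LOG).items()):
        print(f"channel {ch}: {host}:{port} -> {verdict}")
```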
A slightly simplified version of the patch you referred to has just been committed and will be in the 7.5 release. Thanks.
*** Bug 2770 has been marked as a duplicate of this bug. ***
Close all resolved bugs after release of OpenSSH 7.7.