SSH tunneling error: “channel 1: open failed: administratively prohibited: open failed”

port-forwardingsshssh-tunneling

When I open this ssh tunnel:

ssh -nXNT -p 22 localhost -L 0.0.0.0:8984:remote:8983

I get this error when trying to access the HTTP server running on localhost:8984:

channel 1: open failed: administratively prohibited: open failed

What does this error mean, and on which machine can you fix the problem?

Best Answer

channel 1: open failed: administratively prohibited: open failed

The above message refers to your SSH server rejecting your SSH client's request to open a side channel. This typically comes from -D, -L or -w, as separate channels in the SSH stream are required to ferry the forwarded data across.

Since you are using -L (also applicable to -D), there are two options in question that are causing your SSH server to reject this request:

AllowTcpForwarding (as Steve Buzonas mentioned)
PermitOpen

These options can be found in /etc/ssh/sshd_config. You should ensure that:

AllowTCPForwarding is either not present, is commented out, or is set to yes
PermitOpen is either not present, is commented out, or is set to any[1]

Additionally, if you are using an SSH key to connect, you should check that the entry corresponding to your SSH key in ~/.ssh/authorized_keys does not have no-port-forwarding or permitopen statements[2].

Not relevant to your particular command, but somewhat relevant to this topic as well, is the PermitTunnel option if you're attempting to use the -w option.

[1] Full syntax in the sshd_config(5) manpage.

[2] Full syntax in the authorized_keys(5) manpage.

Port forwarding

The command you have looks fine. Are you sure that the service you're trying to connect to is up and accepting connections? The channel errors would seem to indicate that it's not.

What are my active channels?

If you have an active ssh connection you can use the following key combination to get help:

Shift+~ followed by Shift+?

$ ~?
Supported escape sequences:
  ~.  - terminate connection (and any multiplexed sessions)
  ~B  - send a BREAK to the remote system
  ~C  - open a command line
  ~R  - Request rekey (SSH protocol 2 only)
  ~^Z - suspend ssh
  ~#  - list forwarded connections
  ~&  - background ssh (when waiting for connections to terminate)
  ~?  - this message
  ~~  - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
debug2: channel 2: written 480 to efd 8

You can then use this key combination to get a list of the active channels:

Shift+~ followed by Shift+#

$ ~#
The following connections are open:
  #2 client-session (t4 r0 i0/0 o0/0 fd 6/7 cc -1)
debug2: channel 2: written 93 to efd 8

Ssh – strange ssh problem: “open failed: administratively prohibited:”

It sounds like you're running into the SSH server's limit on the number of simultaneous sessions per connection. Your command-line session to the remote server is one session, and each individual forwarded TCP connection is another session.

You can change the server's limit through the MaxSessions parameter in the server's sshd_config file:

MaxSessions
Specifies the maximum number of open sessions permitted per network connection. The default is 10.

You'd update sshd_config like this:

Find the file. It's usually /etc/ssh/sshd_config.
Edit it as root.
In the file look for an existing MaxSessions setting if any. Otherwise, add a new line. Set the number to 15 or so. Save the new file.
Restart sshd to make it reread the file.
Make a new ssh connection and see if the behavior changes.

Best Answer

Related Solutions

Ssh – What do the channel numbers in ssh error message refer to

Port forwarding

What are my active channels?

Ssh – strange ssh problem: “open failed: administratively prohibited:”

Related Question