30

I've been using an SSH tunnel for a while on Windows (using PuTTY).

On Windows with PuTTY, it is always fine, but on Mac or Cygwin, it sometimes prompts the warning message:

`open failed: administratively prohibited: open failed`

Richlv
AGamePlayer
  • If you are port forwarding as a regular user and trying to use a privileged port number <1024 this msg will show. Is this the case? – cormpadre Nov 17 '15 at 15:53
  • If caused by mis-typing a domain and DNS resolution fails, the connection may freeze until it times out. https://superuser.com/a/700677 – user423430 Mar 24 '17 at 17:12

5 Answers

25

I believe you have disabled TCP forwarding on the server. In your server's `/etc/ssh/sshd_config`, make sure that the following line is either not present or commented out; otherwise, comment it out.

AllowTcpForwarding no
Harikrishnan
8

There is a broader discussion of this error with SSH tunnels on Unix StackExchange. In a nutshell, this is a non-specific error; there are numerous possibilities that should be explored.

eye
2

If the sshd config already has all the options to enable port forwarding, but you still get this issue, check `/var/log/secure` for something like this: `sshd: error: connect_to XXX: unknown host (Name or service not known)`

If the ssh host is unable to resolve the host that you want to tunnel to, it will give back the generic error unable to open channel.

Double check your tunnel hostname or DNS resolution on the SSH server.

  • How do I prevent the SSH tunnel from hanging completely when it is unable to resolve some failed domain? – Alecz Oct 13 '21 at 20:01
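Server-side triage for the two causes raised in the answers above (forwarding disabled or restricted in sshd_config, and a tunnel target the SSH server cannot resolve), as an added example that is not part of the original posts. The function names, the sample config excerpt and the sample log lines are constructed for illustration; the config input is assumed to be in the lowercase format printed by `sshd -T`.

```shell
#!/bin/sh
# Added example (not from the original posts): server-side triage for
# "open failed: administratively prohibited".

# stdin: effective config as printed by `sshd -T` (lowercase keyword, value).
# stdout: settings that can make sshd refuse -L/-D forwarding channels.
forward_blockers() {
    awk '
        $1 == "disableforwarding"  && $2 == "yes" { print "DisableForwarding yes" }
        $1 == "allowtcpforwarding" && ($2 == "no" || $2 == "remote") {
            print "AllowTcpForwarding " $2      # "remote" still refuses -L/-D
        }
        $1 == "permitopen" && $2 != "any" {     # only listed targets may be opened
            sub(/^permitopen /, ""); print "PermitOpen " $0
        }
    '
}

# stdin: sshd log lines. stdout: unique tunnel targets sshd could not resolve,
# taken from "connect_to <host>: unknown host" messages.
unresolved_targets() {
    sed -n 's/.*connect_to \([^ ]*\): unknown host.*/\1/p' | sort -u
}

sample_config() {   # constructed `sshd -T`-style excerpt
    cat <<'EOF'
port 22
allowtcpforwarding remote
allowagentforwarding yes
permitopen 127.0.0.1:5432
disableforwarding no
EOF
}

sample_log() {      # constructed lines; error format as quoted in the answer above
    cat <<'EOF'
Oct 13 20:01:02 gw sshd[4121]: error: connect_to db.internal.example: unknown host (Name or service not known)
Oct 13 20:01:09 gw sshd[4121]: error: connect_to db.internal.example: unknown host (Name or service not known)
Oct 13 20:02:30 gw sshd[4188]: Accepted publickey for alice from 203.0.113.7 port 50122 ssh2
EOF
}

echo "Settings that can refuse the forward:"
sample_config | forward_blockers
echo "Targets the SSH server could not resolve:"
sample_log | unresolved_targets
```

On a real server, pipe the output of `sshd -T` (run as root) into `forward_blockers` and the sshd log, such as `/var/log/secure`, into `unresolved_targets`.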
2

Just for posterity, even if it isn't useful to you specifically

The errors are put to your console via stderr, so if you just want to ignore them, adding 2>/dev/null to the end of your ssh call will work perfectly. E.g.:

ssh -C -D 3210 example@connexion 2>/dev/null

This is useful if the proxy tunnel is actually working fine, but you just don't want to see the errors.

In my case, the machine I'm tunnelling to isn't mine, so I can't modify the sshd_config (not that that was your issue) and I also use the same connexion for the shell. Having those error messages write into my console during an open vim window makes the display act up quite annoyingly.

Hashbrown
    This does not answer the question. – sebix Dec 07 '16 at 18:11
  • 2
    The text `open failed: administratively prohibited: open failed` is being outputted to stderr, "on mac or cygwin" you can hide this warning (what it's warning about doesn't actually break anything) by sending that text to null (appending `2>/dev/null` to the command). This absolutely answers the question, especially if you don't have admin access to the other machine to fix the underlying issue – Hashbrown Dec 08 '16 at 01:04
  • 13
    The question was how to *solve* the problem, not to hide the error message. – sebix Dec 08 '16 at 22:03
  • 2
    Depending on the person, the message *is* the problem. Like I said, it actually doesn't break anything most of the time, so it's okay to hide. Have you ever tried to use ssh when every so often a giant string is vomited all over your session's interactive shell? This solves that, which is why it's here. – Hashbrown Dec 10 '16 at 02:55
0

open failed: administratively prohibited: open failed

This means the SSH service (on the remote server) is not allowing SSH agent forwarding (AllowAgentForwarding no).

If you cannot change the configuration on the remote server, you can still ssh to one server, then to another one.

Normally you could use ProxyJump option in your .ssh/config, but in this case you cannot.

You can try to forcibly disable forwarding agent on your client (ForwardAgent no), which probably won't work.

Assuming you want to ssh to Y server via X, then as for the workaround, you can define the following section in SSH config file:

Host remotehost
  ForwardAgent no
  HostName 192.168.X.IP
  RemoteCommand ssh 192.168.Y.IP
  RequestTTY yes

Once loaded, then you can simply run: ssh remotehost.

kenorb