
I'm setting up some servers for a new system and decided to do things a little bit differently. I'm running into an issue that I just can't seem to get past though. My desired configuration is having one bastion server and N other servers that can be accessed via the bastion only—a pretty typical configuration.

The difference from what I normally do is that I would like to use signed SSH keys for authentication. This is pretty straightforward for a single server but is throwing a wrench when using a bastion.

Right now, I have two identically configured servers. I can access them both directly using a signed SSH key. However, if I try to use one as a bastion/jump host, I can't connect to the other. My ~/.ssh/config looks like this:

Host ssh.uswe2
  HostName ssh.uswe2.example.com
  User ec2-user
  IdentityFile ~/.ssh/ssh-rsa-cert

Host *.uswe2 !ssh.uswe2
  HostName %h.example.com
  User ec2-user
  ProxyCommand ssh -W %h:%p ssh.uswe2.example.com
  IdentityFile ~/.ssh/ssh-rsa-cert

With this configuration, I can sign in to the bastion with ssh ssh.uswe2, but when I try to connect to the other server with ssh server2.uswe2 I get the following error:

channel 0: open failed: administratively prohibited: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host

I can still connect directly to the server with ssh server2.uswe2.example.com over the public network, though, so I know that the CA and cert are being loaded correctly.

My next thought was that maybe it was something to do with how the bastion is configured, but if I add my public key to ~/.ssh/authorized_keys on both servers, I can connect without any issue.

I'm completely at a loss here and it's difficult to troubleshoot since I keep locking myself out of servers. I'm hoping someone can help me with the following:

  • Is this configuration possible at all?
  • My assumption right now is that there's a problem with my local ssh config. Is there a specific flag or option I'm missing?
  • What should my next steps be to try to identify the issue?
3ocene
  • Pretty sure the bastion host needs to allow TCP forwarding in order for `-W` to work, hence the "open failed: administratively prohibited" error. – womble Oct 16 '19 at 02:21
  • @womble, Would that be specific to using a signed key though? If I just drop my public key into the `authorized_keys` on both servers this configuration works fine – 3ocene Oct 16 '19 at 19:11

1 Answer

channel 0: open failed: administratively prohibited: open failed

This issue happens when the SSH gateway server has port forwarding disabled. In your case, ssh.uswe2.example.com probably has the config for AllowTcpForwarding set to "no". You want to change that to "yes". Also, you may need to allow GatewayPorts. For more, see the docs: https://linux.die.net/man/5/sshd_config

TLane
  • Unfortunately, this doesn't seem to be the case. The option is enabled and the jump/bastion host works just fine when I'm not using signed keys. It's only when I try to use signed keys that it fails – 3ocene Nov 06 '19 at 19:17
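Added example, not part of this thread: besides sshd_config, sshd also enforces the restrictions carried inside the user certificate itself, and `ssh -W` opens a direct-tcpip channel on the bastion that sshd refuses as "administratively prohibited" unless the certificate carries the permit-port-forwarding extension (a plain `authorized_keys` entry carries no such restriction, which is consistent with the symptoms above). `ssh-keygen -L -f <cert>.pub` prints those fields; the script below decodes them directly from the certificate so you can see exactly which principals, validity window, critical options and extensions the bastion will apply. The function names and the unsigned ed25519 certificate produced by build_test_cert are my own constructions for offline use, not OpenSSH code.

```python
import base64
import struct

def _s(data: bytes) -> bytes:  # encode an SSH "string": uint32 length + bytes
    return struct.pack(">I", len(data)) + data
def _read_s(buf: bytes, pos: int):  # decode one SSH "string" at pos
    n = struct.unpack_from(">I", buf, pos)[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n
def _strings(blob: bytes) -> list:  # split back-to-back SSH strings
    out, pos = [], 0
    while pos < len(blob):
        item, pos = _read_s(blob, pos); out.append(item)
    return out
# Number of public-key strings preceding the certificate fields: e,n for RSA, pk for ed25519.
PK_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-ed25519-cert-v01@openssh.com": 1}

def parse_user_cert(cert_line: str) -> dict:
    """Parse one *-cert.pub line into the fields the bastion's sshd enforces."""
    key_type, b64 = cert_line.split()[:2]
    if key_type not in PK_FIELDS:
        raise ValueError("unsupported certificate type: " + key_type)
    buf, pos = base64.b64decode(b64), 0
    for _ in range(2 + PK_FIELDS[key_type]):  # type name, nonce, public key
        _, pos = _read_s(buf, pos)
    serial, cert_type = struct.unpack_from(">QI", buf, pos); pos += 12
    key_id, pos = _read_s(buf, pos)
    principals, pos = _read_s(buf, pos)
    valid_after, valid_before = struct.unpack_from(">QQ", buf, pos); pos += 16
    critical, pos = _read_s(buf, pos)
    extensions, pos = _read_s(buf, pos)
    # Options and extensions are (name, data) string pairs; keep the names only.
    return {"key_id": key_id.decode(), "serial": serial, "user_cert": cert_type == 1,
            "principals": [p.decode() for p in _strings(principals)],
            "valid_after": valid_after, "valid_before": valid_before,
            "critical_options": sorted(o.decode() for o in _strings(critical)[::2]),
            "extensions": sorted(e.decode() for e in _strings(extensions)[::2])}
def permits_proxy_jump(cert: dict) -> bool:
    """ssh -W opens a direct-tcpip channel; sshd refuses it without this extension."""
    return "permit-port-forwarding" in cert["extensions"]

def build_test_cert(principals, extensions) -> str:
    """Constructed, UNSIGNED ed25519 certificate body for offline parsing only."""
    kt = b"ssh-ed25519-cert-v01@openssh.com"
    body = (_s(kt) + _s(b"\x00" * 32) + _s(b"\x11" * 32)        # type, nonce, pubkey
            + struct.pack(">QI", 7, 1) + _s(b"example-key-id")  # serial, user cert, key id
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", 0, 2**64 - 1) + _s(b"")        # validity, no critical opts
            + _s(b"".join(_s(e.encode()) + _s(b"") for e in extensions))
            + _s(b"") + _s(b"") + _s(b""))                      # reserved, CA key, signature
    return kt.decode() + " " + base64.b64encode(body).decode()
```

Run parse_user_cert on the first line of your real certificate file and compare the result against the bastion's AllowTcpForwarding setting; if permits_proxy_jump is False, re-sign the key with the extension enabled (ssh-keygen's default) instead of touching sshd_config.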