I was using an ssh socks5 tunnel (-D9999) today and I saw many:

  channel 4: open failed: administratively prohibited: open failed

messages. It seems non-resolvable hostnames on my gw (i.e. the end of the ssh
socks5 tunnel) are passed to the client as a "prohibited" event.

This seems odd and confusing. GW is an older 6.0-current amd64.

j.

Firefox with a SOCKS5 tunnel (ssh -D9999 $gw). Then I opened a URL,
i.e. wiki.brq.example.com:

~~~
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug2: fd 11 setting TCP_NODELAY
debug3: fd 11 is O_NONBLOCK
debug3: fd 11 is O_NONBLOCK
debug1: channel 4: new [dynamic-tcpip]
debug2: channel 4: pre_dynamic: have 0
debug2: channel 4: pre_dynamic: have 3
debug2: channel 4: decode socks5
debug2: channel 4: socks5 auth done
debug2: channel 4: pre_dynamic: need more
debug2: channel 4: pre_dynamic: have 0
debug2: channel 4: pre_dynamic: have 26
debug2: channel 4: decode socks5
debug2: channel 4: socks5 post auth
debug2: channel 4: dynamic request: socks5 host wiki.brq.example.com port 80 command 1
debug3: send packet: type 90
debug3: receive packet: type 92
channel 4: open failed: administratively prohibited: open failed
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
debug2: channel 4: zombie
debug2: channel 4: garbage collecting
debug1: channel 4: free: direct-tcpip: listening port 9999 for wiki.brq.example.com port 80, connect from 127.0.0.1 port 30421 to 127.0.0.1 port 9999, nchannels 5
debug3: channel 4: status: The following connections are open:
  #2 client-session (t4 r0 i0/0 o0/0 fd 7/8 cc -1)
  #3 direct-tcpip: listening port 9999 for www.google.com port 443, connect from 127.0.0.1 port 24731 to 127.0.0.1 port 9999 (t4 r1 i0/0 o0/0 fd 10/10 cc -1)
~~~

part of auth.log:

~~~
Nov 23 19:24:04 gw sshd[20891]: error: connect_to wiki.brq.example.com: unknown host (no address associated with name)
                                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~~~

my sshd_config part:

~~~
Match Address 192.168.1.0/24,192.168.2.0/24,192.168.254.0/24,2xx.0.0.0/8,2001:470:xxxx::/64 User jirib
      PasswordAuthentication no
      AuthenticationMethods publickey
      AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
      AllowTcpForwarding yes
      PermitTunnel yes
      AllowAgentForwarding yes
      GatewayPorts yes
      X11Forwarding yes
~~~
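
One way to tell name-resolution failures apart from real forwarding-policy denials is to pair each failed channel in the `ssh -vvv` client output with the `connect_to` error that sshd logs on the gateway. This is an added example, not part of the original message; the sample log lines are constructed after the excerpts above, and the function name and the hosts other than wiki.brq.example.com are hypothetical.

```python
import re

# Constructed sample input, modelled on the log excerpts in the message above.
CLIENT_LOG = """\
debug2: channel 4: dynamic request: socks5 host wiki.brq.example.com port 80 command 1
channel 4: open failed: administratively prohibited: open failed
debug2: channel 5: dynamic request: socks5 host blocked.example.net port 25 command 1
channel 5: open failed: administratively prohibited: open failed
debug2: channel 6: dynamic request: socks5 host www.example.org port 443 command 1
"""
SERVER_LOG = """\
Nov 23 19:24:04 gw sshd[20891]: error: connect_to wiki.brq.example.com: unknown host (no address associated with name)
"""

REQ = re.compile(r"channel (\d+): dynamic request: socks5 host (\S+) port (\d+)")
FAIL = re.compile(r"^channel (\d+): open failed: ([^:]+):")
SRV = re.compile(r"sshd\[\d+\]: error: connect_to (\S+?): (.+)$")

def classify_failures(client_log, server_log):
    """Return {(host, port): cause} for every failed dynamic-forward channel."""
    # Index the gateway's own explanation by target host name.
    server_errors = {}
    for line in server_log.splitlines():
        m = SRV.search(line)
        if m:
            server_errors[m.group(1)] = m.group(2)

    requests, result = {}, {}
    for line in client_log.splitlines():
        m = REQ.search(line)
        if m:
            # Channel ids are reused, so the latest request for an id wins.
            requests[m.group(1)] = (m.group(2), int(m.group(3)))
            continue
        m = FAIL.match(line)
        if m and m.group(1) in requests:
            host, port = requests.pop(m.group(1))
            # Prefer the server-side error text over the client's reason.
            fallback = "no server-side error logged; client saw: " + m.group(2)
            result[(host, port)] = server_errors.get(host, fallback)
    return result

if __name__ == "__main__":
    for target, cause in classify_failures(CLIENT_LOG, SERVER_LOG).items():
        print(target, "->", cause)
```

A failed channel with no matching `connect_to` line in auth.log is the case worth checking against the forwarding settings in sshd_config.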
