public inbox for cygwin@cygwin.com
* openssh port forwarding administratively prohibited
@ 2010-09-23 19:38 Maring, Steven
  2010-09-23 23:22 ` Ryan Johnson
  2010-09-24 13:43 ` Stephen Bennett
  0 siblings, 2 replies; 3+ messages in thread
From: Maring, Steven @ 2010-09-23 19:38 UTC (permalink / raw)
  To: cygwin

From a 50K foot perspective, what I'm trying to do is punch a hole through my corporate http proxy to get to github.  By itself, cygwin, along with openssh and corkscrew, does not have a problem (i.e. remote git commands work).  However, I would also like to make use of the eGit Eclipse plugin, which unfortunately does not support the notion of a proxy.  So, I thought that if I could set up a local port forwarding I might be able to get eGit to connect ... but it isn't working.

I've included the openssh, git, and corkscrew packages in my cygwin install.  I then ran ssh-host-config, but I didn't think actually running the sshd via 'net start sshd' would be required.  The port forwarding does not seem to work either way.

My only modifications to /etc/sshd_config, from default, are ...

AllowTcpForwarding yes
PermitTunnel yes


my ~/.ssh/config has ...

Host github.com
  User git
  HostName ssh.github.com
  Port 443
  ProxyCommand corkscrew 10.169.1.20 80 %h %p /home/ssmaring/.ssh/.corkscrew-auth
  IdentityFile /home/ssmaring/.ssh/id_rsa


Here is what works (I do the -N because github.com does not offer a PTY) ...

$ ssh -v -N git@github.com
OpenSSH_5.6p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/ssmaring/.ssh/config
debug1: Applying options for github.com
debug1: Reading configuration data /etc/ssh_config
debug1: Executing proxy command: exec corkscrew 10.169.1.20 80 ssh.github.com 443 /home/ssmaring/.ssh/.corkscrew-auth
debug1: permanently_drop_suid: 93351
debug1: identity file /home/ssmaring/.ssh/id_rsa type 1
debug1: identity file /home/ssmaring/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5github2
debug1: match: OpenSSH_5.1p1 Debian-5github2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host 'ssh.github.com' is known and matches the RSA host key.
debug1: Found key in /home/ssmaring/.ssh/known_hosts:3
debug1: found matching key w/out port
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ssmaring/.ssh/id_rsa
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/ssmaring/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Authentication succeeded (publickey).
Authenticated to ssh.github.com (via proxy).
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.


If I start up a tunnel like this ...

$ ssh -L 22:github.com:22 -v -N git@github.com
OpenSSH_5.6p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/ssmaring/.ssh/config
debug1: Applying options for github.com
debug1: Reading configuration data /etc/ssh_config
debug1: Executing proxy command: exec corkscrew 10.169.1.20 80 ssh.github.com 443 /home/ssmaring/.ssh/.corkscrew-auth
debug1: permanently_drop_suid: 93351
debug1: identity file /home/ssmaring/.ssh/id_rsa type 1
debug1: identity file /home/ssmaring/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5github2
debug1: match: OpenSSH_5.1p1 Debian-5github2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host 'ssh.github.com' is known and matches the RSA host key.
debug1: Found key in /home/ssmaring/.ssh/known_hosts:3
debug1: found matching key w/out port
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ssmaring/.ssh/id_rsa
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/ssmaring/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Authentication succeeded (publickey).
Authenticated to ssh.github.com (via proxy).
debug1: Local connections to LOCALHOST:22 forwarded to remote address github.com:22
debug1: Local forwarding listening on 127.0.0.1 port 22.
debug1: channel 0: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.


and then try to connect from another console like this ...

$ ssh -v -N git@localhost
OpenSSH_5.6p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/ssmaring/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/ssmaring/.ssh/id_rsa type 1
debug1: identity file /home/ssmaring/.ssh/id_rsa-cert type -1
debug1: identity file /home/ssmaring/.ssh/id_dsa type -1
debug1: identity file /home/ssmaring/.ssh/id_dsa-cert type -1
ssh_exchange_identification: Connection closed by remote host


then my tunnel says ...

debug1: Connection to port 22 forwarding to github.com port 22 requested.
debug1: channel 1: new [direct-tcpip]
channel 1: open failed: administratively prohibited: open failed
debug1: channel 1: free: direct-tcpip: listening port 22 for github.com port 22, connect from 127.0.0.1 port 1130, nchannels 2


My guess is that since I'm trying to open a new connection and the only way to connect to github.com is with a key pair, things are being screwed up by the localhost reference.

I'm not sure what to do to fix this though.

I've also tried removing the localhost entry in known_hosts and throwing in a '-A' option, but that didn't help, not that I could do that from eGit anyway.

I'm also open to completely different strategies to get Eclipse/eGit on Windoze to connect to Github from behind an http proxy.

Thanks,
Steve Maring


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: openssh port forwarding administratively prohibited
  2010-09-23 19:38 openssh port forwarding administratively prohibited Maring, Steven
@ 2010-09-23 23:22 ` Ryan Johnson
  2010-09-24 13:43 ` Stephen Bennett
  1 sibling, 0 replies; 3+ messages in thread
From: Ryan Johnson @ 2010-09-23 23:22 UTC (permalink / raw)
  To: Maring, Steven; +Cc: cygwin

  On 8:59 PM, Maring, Steven wrote:
>  From a 50K foot perspective, what I'm trying to do is punch a hole through my corporate http proxy to get to github.  By itself, cygwin, along with openssh and corkscrew, does not have a problem (i.e. remote git commands work).  However, I would also like to make use of the eGit Eclipse plugin, which unfortunately does not support the notion of a proxy.  So, I thought that if I could set up a local port forwarding I might be able to get eGit to connect ... but it isn't working.  I've included the openssh, git, and corkscrew packages in my cygwin install.
>
> I then ran ssh-host-config, but I didn't think actually running the sshd via 'net start sshd' would be required.  The port forwarding does not seem to work either way.
<snip>
> $ ssh -L 22:github.com:22 -v -N git@github.com
<snip>
> and then try to connect from another console like this ...
>
> $ ssh -v -N git@localhost
<snip>
> then my tunnel says ...
>
> debug1: Connection to port 22 forwarding to github.com port 22 requested.
> debug1: channel 1: new [direct-tcpip]
> channel 1: open failed: administratively prohibited: open failed
> debug1: channel 1: free: direct-tcpip: listening port 22 for github.com port 22, connect from 127.0.0.1 port 1130, nchannels 2

This sounds like a vanilla ssh issue to me rather than anything 
cygwin-specific.

Several things come to mind right off. First, I've seen the 
"administratively prohibited" message when there was no port forwarding 
in place at all. Not the most intuitive message, but whatever...

Second, it's often "difficult" to forward to "privileged" ports (< 
1024), though that wasn't a problem when I tested it on my cygwin install.

Finally (and probably the real issue) ssh-host-config sets things up for 
(and starts) the sshd service, which means port 22 on your machine is 
already in use and the port forwarding comes up empty-handed. Try "net 
stop sshd", or else tell ssh "-L 2222:github.com:22" and see if that 
gets you anywhere (I don't use git but I assume there's a way to point 
it at ports besides the default 22). Note that connecting this way will 
mess up the known_hosts file and make ssh yell at you if you ever happen 
to ssh to localhost (or to any other machine tunneled to localhost). I 
think there are ways around this with aliases or something... man 
ssh_config?

Regards,
Ryan



* RE: openssh port forwarding administratively prohibited
  2010-09-23 19:38 openssh port forwarding administratively prohibited Maring, Steven
  2010-09-23 23:22 ` Ryan Johnson
@ 2010-09-24 13:43 ` Stephen Bennett
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen Bennett @ 2010-09-24 13:43 UTC (permalink / raw)
  To: Maring, Steven, cygwin

> I'm not sure what to do to fix this though.

The administrative prohibition is on the server. There's nothing you can do to fix it, other than find a server that isn't github to proxy through.

Accelrys Limited (http://accelrys.com)
Registered office: 334 Cambridge Science Park, Cambridge, CB4 0WN, UK
Registered in England: 2326316
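
Added example (not part of the thread or of any poster's message): a small Python check that reads `ssh -v` output and reports which end refused a `-L` forward, run over an excerpt of the tunnel log quoted above and one constructed bind-failure log. The `diagnose` function and the sample names are assumptions made for illustration; the reason codes are those of RFC 4254 section 5.1.

```python
import re

# Excerpt of the tunnel's `ssh -v` output quoted in this thread.
THREAD_LOG = """\
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Authentication succeeded (publickey).
debug1: Local forwarding listening on 127.0.0.1 port 22.
debug1: Connection to port 22 forwarding to github.com port 22 requested.
debug1: channel 1: new [direct-tcpip]
channel 1: open failed: administratively prohibited: open failed
"""

# Constructed sample (not from the thread): the local listener cannot bind.
BIND_FAIL_LOG = """\
debug1: Authentication succeeded (publickey).
bind: Address already in use
channel_setup_fwd_listener: cannot listen to port: 22
Could not request local forwarding.
"""

# RFC 4254 section 5.1 reason codes, keyed by the text the OpenSSH client prints.
OPEN_FAILURE = {
    "administratively prohibited": 1,
    "connect failed": 2,
    "unknown channel type": 3,
    "resource shortage": 4,
}

OPEN_FAILED = re.compile(r"channel \d+: open failed: ([a-z ]+?): ")
LISTENING = re.compile(r"Local forwarding listening on \S+ port (\d+)")
BIND_ERR = re.compile(r"bind: Address already in use|cannot listen to port")


def diagnose(log):
    """Return (side, detail) saying which end refused the -L forward."""
    restricted = "Remote: Port forwarding disabled." in log
    listening = LISTENING.search(log)
    failed = OPEN_FAILED.search(log)
    if BIND_ERR.search(log) and not listening:
        return ("client", "local listener could not bind")
    if failed:
        reason = failed.group(1)
        code = OPEN_FAILURE.get(reason, 0)
        if code == 1:
            why = "server announced forwarding disabled at login" if restricted else "server policy"
            return ("server", f"reason code 1, {why}")
        return ("server", f"reason code {code}, {reason}")
    return ("unknown", "no forwarding failure in log")
```

For the thread's log the local listener is up ("Local forwarding listening on 127.0.0.1 port 22") and the refusal arrives as a channel-open failure from the remote end, so `diagnose(THREAD_LOG)` reports the server side.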
