SSH tunneling error

When trying to set up a SSH tunnel through a remote host in order to bypass a pesky firewall, I received an error which I did not immediately understand.

Using public key authentication, I was able to log in okay. Nothing seemed out of the ordinary and the tunnel was established. But when I launched the tsocks program, the console window in which I was setting up the tunnel showed me the following error.

channel 2: open failed: administratively prohibited: open failed

Now before you go and do a lot of Googling on that error, you may want to check for something quite simple. In an attempt to troubleshoot the tunnel, I tried to set it up again, this time with full debugging turned on.

# ssh -vvv -D 2222 -N user@example.com

What this command does, is launch the ssh client program, tell it to be very verbose (-vvv), bind to local port 2222 (-D 2222) so that another local program may connect to it, place the ssh command into “master mode” (-N) so that the connection can be shared (i.e. other programs may send packets through the ssh connection) and finally to connect as user “user” to the host “example.com”. This gave me a lot of output obviously but again, it showed nothing that was really wrong.

Launching the tsocks program again, I did see some more output.

debug2: channel 2: dynamic request: socks5 host x.x.x.x port x command 1
channel 2: open failed: administratively prohibited: open failed

So the tunnel was set up correctly, but after launching a program like tsocks to send traffic through the tunnel, the  error was triggered. Curious to see what was going on, I decided to log into the remote host directly to have a look in its log files. This cleared matters up immediately!

Enter passphrase for key '/home/user/.ssh/id_rsa':
You are required to change your password immediately (password aged)
Last login: Tue Jun 26 22:48:37 2012
WARNING: Your password has expired.
You must change your password now and login again!

So, should you get the error “administratively prohibited: open failed” error when trying to tunnel through a remote host, check if your password hasn’t expired, even if you are using only public key authentication. After changing the password, the tunnel was established as expected.