When trying to set up an SSH tunnel through a remote host in order to bypass a pesky firewall, I received an error which I did not immediately understand.
Using public key authentication, I was able to log in okay. Nothing seemed out of the ordinary and the tunnel was established. But when I launched the tsocks program, the console window in which I was setting up the tunnel showed me the following error.
channel 2: open failed: administratively prohibited: open failed
Now before you go and do a lot of Googling on that error, you may want to check for something quite simple. In an attempt to troubleshoot the tunnel, I tried to set it up again, this time with full debugging turned on.
# ssh -vvv -D 2222 -N user@example.com
This command launches the ssh client, tells it to be very verbose (-vvv), binds to local port 2222 (-D 2222) so that another local program can connect to it, places the ssh command into “master mode” (-N) so that the connection can be shared (i.e. other programs can send packets through the ssh connection), and finally connects as user “user” to the host “example.com”. This produced a lot of output, obviously, but again it showed nothing that was really wrong.
Launching the tsocks program again, I did see some more output.
debug2: channel 2: dynamic request: socks5 host x.x.x.x port x command 1
channel 2: open failed: administratively prohibited: open failed
So the tunnel was set up correctly, but after launching a program like tsocks to send traffic through the tunnel, the error was triggered. Curious to see what was going on, I decided to log into the remote host directly to have a look in its log files. This cleared matters up immediately!
Enter passphrase for key '/home/user/.ssh/id_rsa':
You are required to change your password immediately (password aged)
Last login: Tue Jun 26 22:48:37 2012
WARNING: Your password has expired.
You must change your password now and login again!
So, should you get the “administratively prohibited: open failed” error when trying to tunnel through a remote host, check whether your password has expired, even if you are using only public key authentication. After changing the password, the tunnel was established as expected.
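As an added example (not part of the original post), here is a small triage script that reads the ssh -vvv output and the interactive login transcript shown above, correlates each SOCKS "dynamic request" with the matching "open failed" line for its channel, and flags the password-expiry banner. The sample log lines are constructed for the example; the regexes follow the OpenSSH client message formats quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Message formats as printed by the OpenSSH client (see the post's -vvv output).
DYNAMIC_RE = re.compile(
    r"channel (?P<chan>\d+): dynamic request: socks[45] host (?P<host>\S+) "
    r"port (?P<port>\d+) command \d+"
)
FAILED_RE = re.compile(r"channel (?P<chan>\d+): open failed: (?P<reason>.+?): open failed")
# Banner text printed by the remote login shell when the account password has aged out.
EXPIRED_RE = re.compile(r"password has expired|password aged", re.IGNORECASE)


@dataclass
class RefusedForward:
    channel: int
    host: str
    port: int
    reason: str


def analyze_transcript(lines: List[str]) -> Tuple[List[RefusedForward], bool]:
    """Return the refused dynamic forwards and whether a password-expiry banner was seen."""
    pending: Dict[int, Tuple[str, int]] = {}  # channel -> requested (host, port)
    refused: List[RefusedForward] = []
    expired = False
    for line in lines:
        # Both regexes are tried on every line: extraction sometimes runs the
        # "dynamic request" and the "open failed" messages together on one line.
        m = DYNAMIC_RE.search(line)
        if m:
            pending[int(m["chan"])] = (m["host"], int(m["port"]))
        m = FAILED_RE.search(line)
        if m:
            host, port = pending.pop(int(m["chan"]), ("?", 0))
            refused.append(RefusedForward(int(m["chan"]), host, port, m["reason"]))
        if EXPIRED_RE.search(line):
            expired = True
    return refused, expired


def triage_message(refused: List[RefusedForward], expired: bool) -> str:
    """One-line verdict a practitioner can act on."""
    if not refused:
        return "no refused channel opens"
    if expired:
        return "forwards refused; remote account password has expired, change it and reconnect"
    return "forwards refused (%s); check the remote account state" % refused[0].reason


# Constructed sample: client debug output (with one run-together line) plus the login banner.
SAMPLE_DEBUG = """debug1: Authentication succeeded (publickey).
debug2: channel 2: dynamic request: socks5 host 203.0.113.10 port 443 command 1
channel 2: open failed: administratively prohibited: open failed
debug2: channel 3: dynamic request: socks5 host 203.0.113.11 port 80 command 1 channel 3: open failed: administratively prohibited: open failed"""
SAMPLE_LOGIN = """You are required to change your password immediately (password aged)
WARNING: Your password has expired."""
```

Pipe a saved `ssh -vvv` log and the text of an interactive login into `analyze_transcript` and print `triage_message` on the result.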