This is the mail archive of the cygwin mailing list for the Cygwin project.



openssh port forwarding administratively prohibited


From a 50K foot perspective, what I'm trying to do is punch a hole through my corporate http proxy to get to github.  By itself, cygwin, along with openssh and corkscrew, does not have a problem (i.e. remote git commands work).  However, I would also like to make use of the eGit Eclipse plugin, which unfortunately does not support the notion of a proxy.  So, I thought that if I could set up a local port forwarding I might be able to get eGit to connect ... but it isn't working.

I've included the openssh, git, and corkscrew packages in my cygwin install.  I then ran ssh-host-config, but I didn't think actually running the sshd via 'net start sshd' would be required.  The port forwarding does not seem to work either way.

My only modifications to /etc/sshd_config, from default, are ...

AllowTcpForwarding yes
PermitTunnel yes


my ~/.ssh/config has ...

Host github.com
  User git
  HostName ssh.github.com
  Port 443
  ProxyCommand corkscrew 10.169.1.20 80 %h %p /home/ssmaring/.ssh/.corkscrew-auth
  IdentityFile /home/ssmaring/.ssh/id_rsa


Here is what works (I do the -N because github.com does not offer a PTY) ...

$ ssh -v -N git@github.com
OpenSSH_5.6p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/ssmaring/.ssh/config
debug1: Applying options for github.com
debug1: Reading configuration data /etc/ssh_config
debug1: Executing proxy command: exec corkscrew 10.169.1.20 80 ssh.github.com 443 /home/ssmaring/.ssh/.corkscrew-auth
debug1: permanently_drop_suid: 93351
debug1: identity file /home/ssmaring/.ssh/id_rsa type 1
debug1: identity file /home/ssmaring/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5github2
debug1: match: OpenSSH_5.1p1 Debian-5github2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host 'ssh.github.com' is known and matches the RSA host key.
debug1: Found key in /home/ssmaring/.ssh/known_hosts:3
debug1: found matching key w/out port
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ssmaring/.ssh/id_rsa
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/ssmaring/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Authentication succeeded (publickey).
Authenticated to ssh.github.com (via proxy).
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.


If I start up a tunnel like this ...

$ ssh -L 22:github.com:22 -v -N git@github.com
OpenSSH_5.6p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/ssmaring/.ssh/config
debug1: Applying options for github.com
debug1: Reading configuration data /etc/ssh_config
debug1: Executing proxy command: exec corkscrew 10.169.1.20 80 ssh.github.com 443 /home/ssmaring/.ssh/.corkscrew-auth
debug1: permanently_drop_suid: 93351
debug1: identity file /home/ssmaring/.ssh/id_rsa type 1
debug1: identity file /home/ssmaring/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5github2
debug1: match: OpenSSH_5.1p1 Debian-5github2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host 'ssh.github.com' is known and matches the RSA host key.
debug1: Found key in /home/ssmaring/.ssh/known_hosts:3
debug1: found matching key w/out port
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ssmaring/.ssh/id_rsa
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/ssmaring/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Authentication succeeded (publickey).
Authenticated to ssh.github.com (via proxy).
debug1: Local connections to LOCALHOST:22 forwarded to remote address github.com:22
debug1: Local forwarding listening on 127.0.0.1 port 22.
debug1: channel 0: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.


and then try to connect from another console like this ...

$ ssh -v -N git@localhost
OpenSSH_5.6p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/ssmaring/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/ssmaring/.ssh/id_rsa type 1
debug1: identity file /home/ssmaring/.ssh/id_rsa-cert type -1
debug1: identity file /home/ssmaring/.ssh/id_dsa type -1
debug1: identity file /home/ssmaring/.ssh/id_dsa-cert type -1
ssh_exchange_identification: Connection closed by remote host


then my tunnel says ...

debug1: Connection to port 22 forwarding to github.com port 22 requested.
debug1: channel 1: new [direct-tcpip]
channel 1: open failed: administratively prohibited: open failed
debug1: channel 1: free: direct-tcpip: listening port 22 for github.com port 22, connect from 127.0.0.1 port 1130, nchannels 2


My guess is that since I'm trying to open a new connection and the only way to connect to github.com is with a key pair, things are being screwed up by the localhost reference.

I'm not sure what to do to fix this though.

I've also tried removing the localhost entry in known_hosts and throwing in a '-A' option, but that didn't help, not that I could do that from eGit anyway.

I'm also open to completely different strategies to get Eclipse/eGit on Windoze to connect to Github from behind an http proxy.

Thanks,
Steve Maring
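
An added example, not part of the original message or of OpenSSH: a small Python parser for `ssh -v` client output that ties a refused `direct-tcpip` channel open to the restrictions the server announced during authentication. The names `diagnose` and `Diagnosis` are hypothetical, and the sample log is an excerpt of the tunnel output quoted in the message above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Excerpt of the `ssh -v` tunnel output quoted in the message above.
SAMPLE_LOG = """\
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: channel 0: new [port listener]
debug1: channel 1: new [direct-tcpip]
channel 1: open failed: administratively prohibited: open failed
"""

FORCED_CMD = re.compile(r"^debug1: Remote: Forced command: (.+)$")
RESTRICTION = re.compile(r"^debug1: Remote: (.+?) disabled\.$")
NEW_CHANNEL = re.compile(r"^debug1: channel (\d+): new \[(.+)\]$")
OPEN_FAILED = re.compile(r"^channel (\d+): open failed: ([^:]+): ")

@dataclass
class Diagnosis:
    forced_command: Optional[str] = None
    restrictions: set = field(default_factory=set)  # features the server disabled
    failures: list = field(default_factory=list)    # (channel, type, reason)

    def server_refused_forwarding(self) -> bool:
        # True when a direct-tcpip open was refused after the server had
        # already announced that port forwarding is disabled for this key.
        return "Port forwarding" in self.restrictions and any(
            ctype == "direct-tcpip" and reason == "administratively prohibited"
            for _, ctype, reason in self.failures)

def diagnose(log_text: str) -> Diagnosis:
    d, channel_types = Diagnosis(), {}
    for line in map(str.strip, log_text.splitlines()):
        if m := FORCED_CMD.match(line):
            d.forced_command = m.group(1)
        elif m := RESTRICTION.match(line):
            d.restrictions.add(m.group(1))
        elif m := NEW_CHANNEL.match(line):
            channel_types[int(m.group(1))] = m.group(2)  # remember channel type
        elif m := OPEN_FAILED.match(line):
            ch = int(m.group(1))
            d.failures.append((ch, channel_types.get(ch, "unknown"), m.group(2)))
    return d

if __name__ == "__main__":
    print("refused by server policy:", diagnose(SAMPLE_LOG).server_refused_forwarding())
```

The `Remote: ... disabled.` lines are sent by the server at ssh.github.com for the authenticated key, so settings in the local /etc/sshd_config do not decide whether that server accepts a channel requested by `ssh -L`.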

