[solved] Re: tunnel between two debian hosts not working
- To: email@example.com
- Subject: [solved] Re: tunnel between two debian hosts not working
- From: Clayton <firstname.lastname@example.org>
- Date: Wed, 29 Jul 2009 14:39:31 +0800
- Message-id: <email@example.com>
- In-reply-to: <4A6F3055.firstname.lastname@example.org>
- References: <email@example.com> <firstname.lastname@example.org> <email@example.com> <4A6F3055.firstname.lastname@example.org>
On Tue, 28 Jul 2009 18:07:33 +0100
Terry Browning <email@example.com> wrote:
> Clayton wrote:
> > On Tue, 28 Jul 2009 10:42:31 +0300
> > Kosala Atapattu <firstname.lastname@example.org> wrote:
> >> On Sat, Jul 25, 2009 at 5:40 PM, Clayton<email@example.com> wrote:
> >>> Hi openssh,
> >>> I live in China and have a server in the US. I have been using an
> >>> SSH tunnel for web browsing to go around the censorship.
> >>> I am able to successfully proxy through an ssh tunnel to a shell
> >>> account on a US-based hosting service where I have some websites.
> >>> However, my own server does not work. (Even odder, I swear it
> >>> worked the first day I tried it, then it stopped working without
> >>> any configuration change on either end. I challenged the provider
> >>> of my data center, and they said "we are not blocking you".)
> >>> In the attached text file is a log of my initial connection, which
> >>> ends with
> >>> "debug1: Entering interactive session."
> >>> then an attempt to browse to a web site which fails with
> >>> "channel 1: open failed: administratively prohibited: open failed"
> >>> I repeat, the same ssh client works with another server, and even
> >>> this failing server worked the first day I tried it.
> >>> Any clues to what may be going wrong?
> >> Are you trying to make the tunnel as root?
> > Yes, root on both ends.
> > I begin to wonder if there is something I need to turn on in the
> > firewall on the server end. (I have tried with firewall both on and
> > off....)
> What's your sshd_config on the server?
> Does it have "PermitRootLogin yes"?
> Root login is a security risk because most attackers only bother
> attacking root. Therefore many configs forbid root login.
My server sshd_config is attached, and "PermitRootLogin" is indeed
turned on. Logging in successfully has never been an issue. I believe
this is very close to the vanilla config Debian puts in at install time,
except for the top three lines.
> Could you log in as another account?
And there lies the solution. If I tunnel like this
ssh -vv -CND 1082 firstname.lastname@example.org (working now)
instead of like this
ssh -vv -CND 1082 email@example.com (was not working).
For some reason it is working when I go through an ordinary user
account, and does not work when I go through root, which is rather
If anyone has an explanation for why that might be, I would be very
interested to hear.
Thanks for the tip that worked!!
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
# Use these options to restrict which interfaces/protocols sshd will bind to
# HostKeys for protocol version 2
#Privilege Separation is turned on for security
# Lifetime and size of ephemeral version 1 server key
# Don't read the user's ~/.rhosts and ~/.shosts files
# For this to work you will also need host keys in /etc/ssh_known_hosts
# similar for protocol version 2
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
# To enable empty passwords, change to yes (NOT RECOMMENDED)
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
# Change to no to disable tunnelled clear text passwords
# Kerberos options
# GSSAPI options
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
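
Added example, not part of the original thread or of OpenSSH: the thread does not establish why forwarding was refused for root, so this sketch only checks the per-account OpenSSH settings that can refuse the channels `ssh -D` opens (`AllowTcpForwarding`, `PermitOpen`, `Match User` blocks, and the `no-port-forwarding`, `restrict` and `permitopen` key options). The sample config, sample key line and the helper names are constructed for illustration.

```python
import fnmatch
import re

QUOTED = r'"(?:[^"\\]|\\.)*"'  # a double-quoted option value in authorized_keys

def effective_sshd(config_text, user):
    """Effective sshd_config keywords for `user`. Only 'Match User' and 'Match all'
    are evaluated; blocks with other criteria or negated patterns are skipped."""
    global_opts, match_opts = {}, {}
    target = global_opts
    for line in map(str.strip, config_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "match":
            crit = value.split() or [""]
            applies = crit[0].lower() == "all" or (
                len(crit) == 2 and crit[0].lower() == "user"
                and any(fnmatch.fnmatch(user, p) for p in crit[1].split(",")))
            target = match_opts if applies else None
        elif target is not None:
            target.setdefault(key.lower(), value)  # first value obtained wins
    return {**global_opts, **match_opts}  # Match blocks override the global section

def forwarding_blocks(config_text, authorized_keys_text, user):
    """List settings that would make sshd refuse the channels opened by `ssh -D`."""
    found, eff = [], effective_sshd(config_text, user)
    atf = eff.get("allowtcpforwarding", "yes").lower()
    if atf in ("no", "remote"):  # -D relies on local (direct-tcpip) forwarding
        found.append(f"sshd_config: AllowTcpForwarding {atf}")
    if eff.get("permitopen", "any").lower() != "any":
        found.append(f"sshd_config: PermitOpen {eff['permitopen']}")
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        m = re.match(rf'((?:[^\s"]|{QUOTED})+)\s', line.strip())
        if not m or m.group(1).startswith(("#", "ssh-", "ecdsa-", "sk-")):
            continue  # blank line, comment, or a key line without an options field
        names = {o.split("=")[0].lower() for o in re.sub(QUOTED, '""', m.group(1)).split(",")}
        if "no-port-forwarding" in names or ("restrict" in names and "port-forwarding" not in names):
            found.append(f"authorized_keys:{n}: port forwarding disabled for this key")
        elif "permitopen" in names:
            found.append(f"authorized_keys:{n}: permitopen limits destinations")
    return found

# Constructed sample input (not the poster's files): root is restricted, other users are not.
SAMPLE_SSHD = "PermitRootLogin yes\nAllowTcpForwarding yes\nMatch User root\n    AllowTcpForwarding no\n"
SAMPLE_KEYS = 'no-port-forwarding,command="echo hi" ssh-rsa AAAA...constructed root@example\n'
```

Feed it the server's real `sshd_config` and the target account's `~/.ssh/authorized_keys`; an empty list means none of these settings explains a refusal for that account.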