
The error:

ssh_exchange_identification: Connection closed by remote host

has many proposed solutions but none seem to solve my problem.

This is what I want to accomplish:

I have a server (10.0.0.5) with SSH on it. The server has the following users and their shells:

passport, shell=/bin/false
user1, shell=git-shell
user2, shell=git-shell
me, shell=bash

The sshd_config file has the following entry at the end:

AllowTcpForwarding no
Match User passport,user1,user2
    AllowTcpForwarding true
    PermitOpen 10.0.0.5:8080
    PermitOpen 10.0.0.5:22

I also enabled public key authentication. The goal is to disable all tcp forwarding from SSH and only allow the users mentioned above to have forwarding on two ports:

- SSH
- a web server

In my /etc/hosts.allow and .deny files there are no entries.

I set up the appropriate authorized_keys file (just the ssh-rsa ...) in /home/passport/.ssh/authorized_keys.

From a Windows machine, I try to SSH:

ssh [email protected] -N -L 22:10.0.0.5:22 -L 8080:10.0.0.5:8080 

This works fine when I try to surf to http://127.0.0.1:8080. This means my port forwarding works fine.

Now, I want to try to SSH through that tunnel and use 'user1':

ssh -N [email protected] 

At this moment, I get:

ssh_exchange_identification: Connection closed by remote host

Whereas, if I just SSH directly from my Windows machine, I succeed:

ssh -N [email protected] 

I don't know why it does not work.

I inspect /var/log/auth.log and observe:

Feb 4 10:28:23 myhost sshd[2097]: debug1: server_input_channel_open: ctype direct-tcpip rchan 257 win 16384 max 16384
Feb 4 10:28:23 myhost sshd[2097]: debug1: server_request_direct_tcpip: originator 0.0.0.0 port 0, target 10.0.0.5 port 22
Feb 4 10:28:23 myhost sshd[2097]: Received request to connect to host 10.0.0.5 port 22, but the request was denied.
Feb 4 10:28:23 myhost sshd[2097]: debug1: server_input_channel_open: failure direct-tcpip

I try to flush the iptables with -F and try restarting sshd, but still I get a connection closed error.

  • Why can't I ssh via the tunnel?

  • The reason I created "passport" user is to allow users to remotely log in to my network. They will be able to use the web server.

Now if they want to use GIT, they will use the following for example:

git clone ssh://[email protected]/repos/repo.git 

I am running Debian 6, with Linux 2.6.32 and OpenSSH 5.5p1

Please advise on how to solve my problem. I tried all of the solutions listed for the question with the same title as my question but to no avail.

1 Answer

You can only specify one PermitOpen directive; if you want to allow multiple forwardings specify them on the same line separated with whitespace:

PermitOpen 10.0.0.5:8080 10.0.0.5:22 

It seems that OpenSSH applies the first directive found.

  • That's what it seems! :) Thanks that solved it. It seems I found on the web many instances and examples showing multiple lines! Commented Feb 4, 2013 at 21:32
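
A check for the misconfiguration discussed in this answer, as an added example (not code from the question or the answer): it scans sshd_config text for PermitOpen spread over several lines in the same scope and reports which targets are in effect under the first-directive behaviour the answer describes. The function name and the sample config (rebuilt from the question) are assumptions of this example.

```python
# Constructed sample: the Match block from the question.
SAMPLE_CONFIG = """\
AllowTcpForwarding no
Match User passport,user1,user2
    AllowTcpForwarding true
    PermitOpen 10.0.0.5:8080
    PermitOpen 10.0.0.5:22
"""


def find_split_permitopen(config_text):
    """Report each scope (global or one Match block) that spreads PermitOpen over several lines."""
    scopes = {0: ("global", [])}  # scope start line -> (label, [(line_no, targets)])
    current = 0
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        keyword = keyword.lower()  # sshd_config keywords are case-insensitive
        if keyword == "match":
            # A Match block runs until the next Match line or the end of the file.
            current = line_no
            scopes[current] = (line, [])
        elif keyword == "permitopen":
            scopes[current][1].append((line_no, args))

    findings = []
    for label, entries in scopes.values():
        if len(entries) < 2:
            continue
        effective = entries[0][1]  # assumption: first directive wins, as the answer observed
        ignored = [t for _, targets in entries[1:] for t in targets if t not in effective]
        merged = list(dict.fromkeys(effective + ignored))  # de-duplicate, keep order
        findings.append({
            "scope": label,
            "lines": [n for n, _ in entries],
            "effective": effective,
            "ignored": ignored,
            "fix": "PermitOpen " + " ".join(merged),
        })
    return findings


if __name__ == "__main__":
    for f in find_split_permitopen(SAMPLE_CONFIG):
        print(f"{f['scope']}: PermitOpen on lines {f['lines']}")
        print(f"  in effect: {f['effective']}  never applied: {f['ignored']}")
        print(f"  replace with: {f['fix']}")
```

On the question's config it reports 10.0.0.5:22 as never applied, which matches the denied request to port 22 in the auth.log excerpt.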
