
I'm setting up some servers for a new system and decided to do things a little bit differently. I'm running into an issue that I just can't seem to get past though. My desired configuration is having one bastion server and N other servers that can be accessed via the bastion only—a pretty typical configuration.

The difference from what I normally do is that I would like to use signed SSH keys for authentication. This is pretty straightforward for a single server but is throwing a wrench when using a bastion.

Right now, I have two identically configured servers. I can access them both directly using a signed SSH key. However, if I try to use one as a bastion/jump host, I can't connect to the other. My ~/.ssh/config looks like this:

    Host ssh.uswe2
        HostName ssh.uswe2.example.com
        User ec2-user
        IdentityFile ~/.ssh/ssh-rsa-cert

    Host *.uswe2 !ssh.uswe2
        HostName %h.example.com
        User ec2-user
        ProxyCommand ssh -W %h:%p ssh.uswe2.example.com
        IdentityFile ~/.ssh/ssh-rsa-cert

With this configuration, I can sign in to the bastion with ssh ssh.uswe2, but when I try to connect to the other server with ssh server2.uswe2 I get the following error:

    channel 0: open failed: administratively prohibited: open failed
    stdio forwarding failed
    kex_exchange_identification: Connection closed by remote host

I can still connect directly to the server with ssh server2.uswe2.example.com over the public network, though, so I know that the CA and cert are being loaded correctly.

My next thought was that maybe it was something to do with how the bastion is configured, but if I add my public key to ~/.ssh/authorized_keys on both servers, I can connect without any issue.

I'm completely at a loss here, and it's difficult to troubleshoot since I keep locking myself out of servers. I'm hoping someone can help me with the following:

  • Is this configuration possible at all?
  • My assumption right now is that there's a problem with my local ssh config. Is there a specific flag or option I'm missing?
  • What should my next steps be to try to identify the issue?
  • Pretty sure the bastion host needs to allow TCP forwarding in order for -W to work, hence the "open failed: administratively prohibited" error. Commented Oct 16, 2019 at 2:21
  • @womble, would that be specific to using a signed key, though? If I just drop my public key into the authorized_keys on both servers, this configuration works fine. Commented Oct 16, 2019 at 19:11

1 Answer

channel 0: open failed: administratively prohibited: open failed 

This issue happens when the SSH gateway server has port forwarding disabled. In your case, ssh.uswe2.example.com probably has AllowTcpForwarding set to "no" in its config. You want to change that to "yes". Also, you may need to allow GatewayPorts. For more, see the docs: https://linux.die.net/man/5/sshd_config

  • Unfortunately, this doesn't seem to be the case. The option is enabled, and the jump/bastion host works just fine when I'm not using signed keys. It's only when I try to use signed keys that it fails. Commented Nov 6, 2019 at 19:17
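As an added diagnostic, not code from the original answer or from the questioner: two POSIX shell helpers that parse the bastion's effective sshd settings and the certificate's extensions, since sshd refuses the -W channel both when AllowTcpForwarding forbids local forwarding and when the certificate lacks the permit-port-forwarding extension (the one thing a plain authorized_keys entry never restricts). The host alias, file names and sample command outputs are constructed.

```shell
#!/bin/sh
# Added diagnostic helpers, not code from the original question or answer.
# The bastion's sshd replies "administratively prohibited" to the ssh -W
# channel when its effective AllowTcpForwarding forbids local forwarding, or
# when the certificate it was shown lacks the permit-port-forwarding extension
# (e.g. signed with -O clear); a plain authorized_keys entry carries no such
# limit, which matches "works with authorized_keys, fails with the cert".

# $1: output of `sudo sshd -T` captured on the bastion.
# Returns 0 if direct-tcpip channels (what -W opens) are allowed.
sshd_allows_tcp_forwarding() {
    value=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "allowtcpforwarding" { v = tolower($2) } END { print v }')
    case "${value:-yes}" in      # sshd's default is "yes"
        yes|all|local) return 0 ;;
        *)             return 1 ;;
    esac
}

# $1: output of `ssh-keygen -L -f <cert>.pub` for the certificate in use.
# Returns 0 if its Extensions section lists permit-port-forwarding.
cert_permits_port_forwarding() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Extensions:/                     { in_ext = 1; next }
        in_ext && $1 == "permit-port-forwarding" { found = 1 }
        END { exit !found }'
}

# Constructed sample outputs in the formats the two commands print.
SSHD_T_OPEN='allowtcpforwarding yes
gatewayports no'
SSHD_T_BLOCKED='allowtcpforwarding no
gatewayports no'
CERT_FULL='ssh-rsa-cert-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Critical Options: (none)
        Extensions:
                permit-port-forwarding
                permit-pty'
CERT_RESTRICTED='ssh-rsa-cert-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Critical Options: (none)
        Extensions:
                permit-pty'

# Against real hosts, feed "$(ssh ssh.uswe2 sudo sshd -T)" and
# "$(ssh-keygen -L -f ~/.ssh/ssh-rsa-cert-cert.pub)" instead (placeholder paths).
sshd_allows_tcp_forwarding "$SSHD_T_BLOCKED" || echo "bastion sshd: AllowTcpForwarding blocks -W"
cert_permits_port_forwarding "$CERT_RESTRICTED" || echo "certificate: permit-port-forwarding missing"
```

If the bastion check passes but the certificate check fails, re-sign the certificate with the default extensions (or an explicit permit-port-forwarding) rather than touching sshd_config.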
