Hi openssh, I live in China and have a server in the US. I have been using an SSH tunnel for web browsing to go around the censorship. I am able to successfully proxy through an ssh tunnel to a shell account on a US-based hosting service where I have some websites. However, my own server does not work. (Even odder, I swear it worked the first day I tried it, then it stopped working without any configuration change on either end. I challenged the provider of my data center, and they said "we are not blocking you".) In the attached text file is a log of my initial connection, which ends with "debug1: Entering interactive session." then an attempt to browse to a web site which fails with "channel 1: open failed: administratively prohibited: open failed" I repeat, the same ssh client works with another server, and even this failing server worked the first day I tried it. Any clues to what may be going wrong? Thanks, Clayton
# ssh -vv -CND 1082 root@xxxxxxxxxxxx OpenSSH_5.1p1 Debian-6, OpenSSL 0.9.8k 25 Mar 2009 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to myserver.com [111.222.333.444] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug2: key_type_from_name: unknown key type '-----BEGIN' debug2: key_type_from_name: unknown key type '-----END' debug1: identity file /root/.ssh/identity type 1 debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096 debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096 debug1: identity file /root/.ssh/id_rsa type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5+b1 debug1: match: OpenSSH_5.1p1 Debian-5+b1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-6 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: zlib@xxxxxxxxxxx,zlib,none debug2: kex_parse_kexinit: zlib@xxxxxxxxxxx,zlib,none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 zlib@xxxxxxxxxxx debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 zlib@xxxxxxxxxxx debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 128/256 debug2: bits set: 540/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'myserver.com' is known and matches the RSA host key. debug1: Found key in /root/.ssh/known_hosts:13 debug2: bits set: 534/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/identity (0xb9a64520) debug2: key: /root/.ssh/id_rsa ((nil)) debug2: key: /root/.ssh/id_dsa ((nil)) debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering public key: /root/.ssh/identity debug2: we sent a publickey packet, wait for reply debug1: Remote: Port forwarding disabled. debug1: Remote: X11 forwarding disabled. debug1: Server accepts key: pkalg ssh-rsa blen 533 debug2: input_userauth_pk_ok: fp 92:75:e2:b6:f4:85:a3:68:d3:af:b2:9a:4f:a5:70:49 debug1: read PEM private key done: type RSA debug1: Remote: Port forwarding disabled. debug1: Remote: X11 forwarding disabled. debug1: Enabling compression at level 6. debug1: Authentication succeeded (publickey). debug1: Local connections to *:1082 forwarded to remote address socks:0 debug1: Local forwarding listening on 0.0.0.0 port 1082. debug2: fd 5 setting O_NONBLOCK debug1: channel 0: new [port listener] debug1: Local forwarding listening on :: port 1082. bind: Address already in use debug1: Requesting no-more-sessions@xxxxxxxxxxx debug1: Entering interactive session. debug1: Connection to port 1082 forwarding to socks port 0 requested. debug2: fd 6 setting TCP_NODELAY debug2: fd 6 setting O_NONBLOCK debug1: channel 1: new [dynamic-tcpip] debug2: channel 1: pre_dynamic: have 0 debug2: channel 1: pre_dynamic: have 3 debug2: channel 1: decode socks5 debug2: channel 1: socks5 auth done debug2: channel 1: pre_dynamic: need more debug2: channel 1: pre_dynamic: have 0 debug2: channel 1: pre_dynamic: have 10 debug2: channel 1: decode socks5 debug2: channel 1: socks5 post auth debug2: channel 1: dynamic request: socks5 host 63.111.74.121 port 80 command 1 channel 1: open failed: administratively prohibited: open failed debug1: channel 1: free: direct-tcpip: listening port 1082 for 63.111.74.121 port 80, connect from 127.0.0.1 port 38879, nchannels 2