From: "Maring, Steven"
To: "cygwin AT cygwin DOT com"
Date: Thu, 23 Sep 2010 10:36:16 -0400
Subject: openssh port forwarding administratively prohibited
Message-ID: <664775FB2795E044BD3CAC00D0A0D9826F352782@FLTPNPEXC002.Gentiva.GHSNet.Com>

From a 50K foot perspective, what I'm trying to do is punch a hole through
my corporate http proxy to get to github. By itself, cygwin, along with
openssh and corkscrew, does not have a problem (i.e. remote git commands
work). However, I would also like to make use of the eGit Eclipse plugin,
which unfortunately does not support the notion of a proxy. So, I thought
that if I could set up a local port forwarding I might be able to get eGit
to connect ... but it isn't working.

I've included the openssh, git, and corkscrew packages in my cygwin
install. I then ran ssh-host-config, but I didn't think actually running
the sshd via 'net start sshd' would be required.
The port forwarding does not seem to work either way.

My only modifications to /etc/sshd_config, from default, are ...

AllowTcpForwarding yes
PermitTunnel yes

my ~/.ssh/config has ...

Host github.com
  User git
  HostName ssh.github.com
  Port 443
  ProxyCommand corkscrew 10.169.1.20 80 %h %p /home/ssmaring/.ssh/.corkscrew-auth
  IdentityFile /home/ssmaring/.ssh/id_rsa

Here is what works (I do the -N because github.com does not offer a PTY) ...

$ ssh -v -N git@github.com
OpenSSH_5.6p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/ssmaring/.ssh/config
debug1: Applying options for github.com
debug1: Reading configuration data /etc/ssh_config
debug1: Executing proxy command: exec corkscrew 10.169.1.20 80 ssh.github.com 443 /home/ssmaring/.ssh/.corkscrew-auth
debug1: permanently_drop_suid: 93351
debug1: identity file /home/ssmaring/.ssh/id_rsa type 1
debug1: identity file /home/ssmaring/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5github2
debug1: match: OpenSSH_5.1p1 Debian-5github2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host 'ssh.github.com' is known and matches the RSA host key.
debug1: Found key in /home/ssmaring/.ssh/known_hosts:3
debug1: found matching key w/out port
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ssmaring/.ssh/id_rsa
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type
Enter passphrase for key '/home/ssmaring/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Authentication succeeded (publickey).
Authenticated to ssh.github.com (via proxy).
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.

If I start up a tunnel like this ...
$ ssh -L 22:github.com:22 -v -N git@github.com
OpenSSH_5.6p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/ssmaring/.ssh/config
debug1: Applying options for github.com
debug1: Reading configuration data /etc/ssh_config
debug1: Executing proxy command: exec corkscrew 10.169.1.20 80 ssh.github.com 443 /home/ssmaring/.ssh/.corkscrew-auth
debug1: permanently_drop_suid: 93351
debug1: identity file /home/ssmaring/.ssh/id_rsa type 1
debug1: identity file /home/ssmaring/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5github2
debug1: match: OpenSSH_5.1p1 Debian-5github2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host 'ssh.github.com' is known and matches the RSA host key.
debug1: Found key in /home/ssmaring/.ssh/known_hosts:3
debug1: found matching key w/out port
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ssmaring/.ssh/id_rsa
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type
Enter passphrase for key '/home/ssmaring/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Authentication succeeded (publickey).
Authenticated to ssh.github.com (via proxy).
debug1: Local connections to LOCALHOST:22 forwarded to remote address github.com:22
debug1: Local forwarding listening on 127.0.0.1 port 22.
debug1: channel 0: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.

and then try to connect from another console like this ...

$ ssh -v -N git@localhost
OpenSSH_5.6p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/ssmaring/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/ssmaring/.ssh/id_rsa type 1
debug1: identity file /home/ssmaring/.ssh/id_rsa-cert type -1
debug1: identity file /home/ssmaring/.ssh/id_dsa type -1
debug1: identity file /home/ssmaring/.ssh/id_dsa-cert type -1
ssh_exchange_identification: Connection closed by remote host

then my tunnel says ...

debug1: Connection to port 22 forwarding to github.com port 22 requested.
debug1: channel 1: new [direct-tcpip]
channel 1: open failed: administratively prohibited: open failed
debug1: channel 1: free: direct-tcpip: listening port 22 for github.com port 22, connect from 127.0.0.1 port 1130, nchannels 2

My guess is that since I'm trying to open a new connection and the only way
to connect to github.com is with a key pair, that things are being screwed
up by the localhost reference. I'm not sure what to do to fix this though.
I've also tried removing the localhost entry in known_hosts and throwing in
a '-A' option, but that didn't help, not that I could do that from eGit
anyway.

I'm also open to completely different strategies to get Eclipse/eGit on
Windoze to connect to Github from behind an http proxy.

Thanks,
Steve Maring

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
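
An added example, not part of the original message: a shell filter that reads `ssh -v` client output like the traces above and reports whether the server announced that port forwarding is disabled for the key, the restriction behind a later "administratively prohibited" channel failure. The function names and verdict strings are made up for illustration; the sample lines are excerpted from the post's own output.

```shell
#!/bin/sh
# Added example: classify `ssh -v` client output for a -L forward.
# Lines prefixed "debug1: Remote:" are messages sent by the server.
classify_forward_log() {
    awk '
        /debug1: Remote: Port forwarding disabled\./ { denied = 1 }
        /debug1: Remote: Forced command:/            { forced = 1 }
        /debug1: Local forwarding listening on/      { listener = 1 }
        /open failed: administratively prohibited/   { refused = 1 }
        END {
            why = forced ? " (key also has a forced command)" : ""
            if (refused && denied)
                print "refused: server disabled port forwarding for this key" why
            else if (refused)
                print "refused: server policy rejected the channel"
            else if (denied && listener)
                print "will-fail: listener is up, but server disabled forwarding" why
            else if (listener)
                print "ok: forward set up, no refusal seen"
            else
                print "none: no local forward in this session"
        }'
}

# Excerpt of the tunnel session from the post, after the connect attempt.
sample_after_connect() {
    cat <<'EOF'
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Authentication succeeded (publickey).
debug1: Local forwarding listening on 127.0.0.1 port 22.
debug1: Connection to port 22 forwarding to github.com port 22 requested.
channel 1: open failed: administratively prohibited: open failed
EOF
}

# Same session before anything connects to the listener: the outcome is
# already visible in the server messages.
sample_before_connect() {
    sample_after_connect | sed -n '1,4p'
}

sample_after_connect | classify_forward_log
sample_before_connect | classify_forward_log
```

The local listener is created by the client alone, so "Local forwarding listening" appears even when the server will refuse every channel opened through it.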