SSH Tunnel yielding "administratively prohibited: open failed" after a few hours

linux ssh unix ssh-tunnel

293

Solution 1

I've seen the same message when trying to do a port forward to an unreachable destination:

ssh example.com -L 1337:example.invalid:80

telnet localhost 1337

[email protected]:~$ channel 3: open failed: administratively prohibited: open failed

Solution 2

“Administratively prohibited” is also one of the ICMP control messages. Is it possible a router between the SSH server and the tunnel destination is sending this?

If sniffing is possible, a simple pcap filter with just icmp can show you all ICMP traffic.

293

Ismail Degani

Updated on September 17, 2022

Comments

Ismail Degani over 1 year
Given that generic types create separate instances of static fields per-type combination, is this a valid pattern to use if I want to have a static field across all types?
```
public class BaseClass
{
    public static int P = 0;
}

public class ChildClass<T> : BaseClass
{
    public static int Q = 0;

    public void Inc()
    {
        // ChildClass<int> will have a different "Q" than ChildClass<double> 
        Interlocked.Increment(ref Q); 
        // all types of ChildClass will increment the same P
        Interlocked.Increment(ref P); 
    }
}
```
Is there anything unsafe about this approach? My toy example works, but I just wanted to make sure there are no horrible side effects, threading consequences, etc :)
- Chris Sinclair about 11 years
  
  Only real unsafe part about it is the incrementation (as it is now) which will not be threadsafe. EDIT: Also, I'm assuming you'd want to control get/set access (do you want it to be publically settable, or only increment privately within the Inc method?)
- Ismail Degani about 11 years
  
  Haha good point. I have to be less careless with my example. Assume Interlocked something or other please
- Ismail Degani about 11 years
  
  The actual problem I'm dealing with is that I want a single threadsafe queue, but the class that adds things to this internal queue is generic. So the "value" will not be publicly settable.
- Chris Sinclair about 11 years
  
  Then yeah, no real issues I think. Just remember that <T> will be unique for any particular subclass or interface used. So ChildClass<Stream> will have a different Q than ChildClass<MemoryStream>, same with ChildClass<IEnumerable> and ChildClass<ArrayList>.
- Chris Sinclair about 11 years
  
  Not sure if I follow exactly what you're saying there Ismail. Perhaps you can post the code that you're thinking of and then we can comment on thread-safety?
- Chris Sinclair about 11 years
  
  I guess specifically about your question, no, there are no terrible side effects about this. So long as you understand about uniqueness of Q with respect to T, then it's perfectly valid to take advantage of static members within generic classes like this. Probably the most significant is if you were to create a locking object on ChildClass<T> (like private static object LockingObject = new Object()) you need to recognize that the lock will not be shared between different concrete ChildClass<T> types. If you need a shared lock, you need to define the object on BaseClass.
- jam40jeff about 11 years
  
  P does not need to be in a base class of ChildClass<T> since it is static. You could just do: public static class ChildClass { public static int P; } and reference it as ChildClass.P. Also, you should not initialize ints to 0, as it is the default value for a field anyway.
- Admin over 10 years
  
  did you ever find the solution to this?
- Admin over 10 years
  
  @sybind No, but I continue using ssh -D a lot, without any problem now. Do you experience it ? Which version ? Only a few drops ?
- Admin over 10 years
  
  I did have this problem, somehow fixed it, then I ran into another wall with setting up the routes between the two hosts. The fix may have been related to setting a static arp cache entry..
- Admin over 6 years
  
  -D *:1080 does not mean what you think it means. You should replace that with -D '*:1080' or just -D :1080.
- Admin over 6 years
  
  @kasperd what do you think -D *:1080 means?
- Admin over 6 years
  
  @Mandark First of all it will look for all files in the current directory whose name ends with :1080. If no such file exists there will be three different behaviors depending on how your shell is configured. If one or more files matching the pattern the behavior will depend on how those files are named. It could even change which server you are logging in to.
- Admin over 6 years
  
  @kasperd Thanks for this instructive paragraph. But as my ssh process is working for a few days before starting to slowly break, I don't think it can be related to a path expansion problem. I also don't use nullglob, and don't have any file ending with :1080 but will change in my question to clarify if anyone read it. Thanks again.
- Admin over 6 years
  
  BTW I asked this 7 years ago, and no longer use -D as a daily basis, so I do no longer enconter this bug, which may be fixed since. So if anyone get the exact same symptoms it still make sense, else it does no longer make sense.
Latif almost 14 years

I'll check the memory server-side the next time, and wrote it here. The bad link idea : I think not as if i restart the ssh, it works well again
Latif almost 14 years

New one this day, checked client and server health (cpu, memory, logs) nothing particular.
Will Dixon almost 14 years

I never said it was :)
Ismail Degani about 11 years

Thanks for the answer, but the question was more about the inheritance / singularity of the static field, not really anything to do with the actual incrementing of an int. I'll update my question with your interlocked code.
Dave Clarke over 6 years

@Andrew This saved me!