Linux – SSH Tunnel through bastion host

Tags: amazon-web-services, bastion, linux, ssh

I'm having an issue with establishing an ssh tunnel through a bastion host.

Having looked through various SE questions which potentially solve the problem, nothing has.

My ssh config file (local):

# Target inside the VPC: reached by running ssh on the bastion with -W,
# which turns the bastion into a stdio proxy for %h:%p (the www host and port)
Host www
    HostName ***
    IdentityFile ~/.ssh/key.pem
    ProxyCommand ssh root@bastion -W %h:%p

# The bastion itself is reached directly (ProxyCommand none).
# Note: StrictHostKeyChecking no accepts any host key for the bastion,
# so a changed or spoofed bastion key would not be noticed.
Host bastion
    HostName ***
    IdentityFile ~/.ssh/key.pem
    StrictHostKeyChecking no
    ProxyCommand none
    ForwardAgent yes

I have added the necessary config options on the bastion server (/etc/ssh/sshd_config):

PermitTunnel yes
AllowTCPForwarding yes
PermitOpen any
TCPKeepAlive yes

But I get the following error:

OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: /etc/ssh/ssh_config line 59: Applying options for www
debug1: Executing proxy command: exec ssh root@bastion -W ****:22
debug1: permanently_set_uid: 0/0
debug1: permanently_drop_suid: 0
debug1: key_load_public: No such file or directory
debug1: identity file ~/.ssh/key.pem type -1
debug1: key_load_public: No such file or directory
debug1: identity file ~/.ssh/key.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
channel 0: open failed: administratively prohibited: open failed
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host

There is one caveat with this setup in that the target host (www) is in an AWS VPC and is only addressable from the bastion. My assumption is that this shouldn't be an issue since the routing is done from the bastion but that's my last thought as being the issue in this scenario.

Best Answer

That's rather annoying. It turns out the AWS AMI disables port forwarding in its authorized_keys! That was a tricky one to debug when everything in the sshd config looks correct.

~/.ssh/authorized_keys

no-port-forwarding,no-agent-forwarding,no-X11-forwarding
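To check a bastion's authorized_keys for this class of restriction before chasing sshd_config, here is an added example (not from the answer above or from AWS) that parses the per-key option prefix, including quoted values such as command="...", and reports the options that block or narrow the channel behind `ssh -W`; the key file content is constructed and the key blobs are placeholders.

```python
"""Flag authorized_keys option prefixes that make sshd refuse the channel
behind `ssh -W` ("administratively prohibited"). SAMPLE below is constructed."""

# `restrict` (OpenSSH 7.2+) implies no-port-forwarding; `permitopen` only
# narrows which host:port a forwarded channel may reach.
BLOCKING = {"no-port-forwarding", "restrict"}
LIMITING = {"permitopen"}

def split_unquoted(text, seps):
    """Split on seps outside double quotes, so command="a, b" stays whole."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    return [p for p in parts + ["".join(buf)] if p]

def parse_line(line):
    """Return (options, [keytype, key, comment...]); None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = split_unquoted(line, " \t")
    if fields[0].startswith(("ssh-", "ecdsa-", "sk-")):  # no option prefix
        return [], fields
    if len(fields) < 3:
        raise ValueError("malformed authorized_keys line: %r" % line)
    return split_unquoted(fields[0], ","), fields[1:]

def forwarding_problems(text):
    """Map 1-based line numbers to option names that block or limit ssh -W."""
    findings = {}
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed:
            names = [o.split("=", 1)[0].lower() for o in parsed[0]]
            hits = [o for o in names if o in BLOCKING | LIMITING]
            if hits:
                findings[n] = hits
    return findings

SAMPLE = """\
no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3...x ec2-user
ssh-ed25519 AAAAC3...y ops@laptop
command="echo one, two",permitopen="10.0.0.5:22" ssh-ed25519 AAAAC3...z backup
"""
```

Run it against a real file with `forwarding_problems(open(path).read())`; line 1 of SAMPLE reproduces the AMI default from the answer, line 3 shows a key whose `-W` targets are limited rather than blocked.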