Mac os x open failed administratively prohibited open failed

Is this the case? If caused by mis-typing a domain and DNS resolution fails, the connection may freeze until it times out. AllowTcpForwarding no.


This does not answer the question.

SSH Tunnel setup on Mac OS X

The question was how to solve the problem, not to hide the error message. Like I said, it actually doesn't break anything most of the time, so it's okay to hide.

ssh tunneling and "channel 2: open failed: administratively prohibited: open failed"

Have you ever tried to use ssh when every so often a giant string is vomited all over your session's interactive shell? This solves that, which is why it's here. I have not had this problem. However, I think I did have to open a port in the firewall, but I don't recall.

How to solve it

It has been a while since I needed this. Most OpenSSH-based sshd servers now come with port-forwarding disabled by default i. No doubt this is to prevent potential abuse or unintended side-effects. BTW, just a common reminder to anyone enabling SSH port-forwarding on their servers: While SSH with tunneling is a great tool for securing plaintext protocols (FTP, POP, IMAP, etc.) and incredibly useful for doing remote admin, just remember that if you, the admin, can do this, then generally any user on your server whom you give SSH access to can also see hosts on your internal network.

And since all traffic is tunneled inside an SSH session, the content of these remote connections effectively bypasses any firewalls or content filters that are in place.

A similar problem

This leaves your server open to a class of exploits known as 'port bouncing'. Basically this involves an unauthorized party, which could be inside or outside your network, using your SSH server to 'bounce' their traffic across your firewall for them. I only had to do this on my server, which is running Panther server, not on my client. Also, thanks for pointing out the security ramifications of allowing port forwarding. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.

My server only has accounts for a few trusted friends, and they have limited access rights, so I'm not TOO worried about any of them taking advantage of me or my server. What I found odd is that I did have to explicitly allow port forwarding, even though the man page says it's allowed by default.

Can't Connect to Remote Mac Using SSH… - Apple Community

Maybe Apple changed the defaults, as I know they've done for other things as well.



SSH Tunneling with Panther can sometimes be tricky. I was trying, without success, to get this hint working with my personal mail server, which is running on OS X Panther Server. Anyway, no matter what I did, I kept seeing the error open failed: administratively prohibited: open failed. Extensive Googling did not find a solution, except for one reference which finally turned out to be the correct solution for me.

Most of my Googling talked about firewalls, incorrect host or IP addresses, etc. But here's the tip that worked for me. I added the following line: AllowTcpForwarding yes. After restarting my server, following the directions in the above hint worked like a charm, and I was able to retrieve and send mail from my laptop via SSH Tunnels. I no longer have to worry about anyone sniffing for my password when using an open network at a coffee shop or whatever. Furthermore, other references to this option indicated that yes is the default value.

I hope this hint helps save someone the time and aggravation that I spent. I might be doing something wrong You win, sir. Apparently for some reason when I changed 'localhost' to ' Aww, I was really hoping someone would know. Originally posted by DarwinKS: I can duplicate those errors exactly by having Firefox try to load the address "0.

Posted: Mon Jul 30, pm.