[Chrootssh-users] SSH Port forwarding 'administratively denied' for chroot'ed users
From: James Tan/j. <ja...@je...> - 2004-06-09 03:33:06
Hi,

I have a few users who had 'VPN' accounts, using SSH port forwarding as the means. In the past when we did not have chrootssh being deployed, this worked fine. Now that I had thrown the users into a chroot'ed jail, which is good since I locked down their usage of commands and 'cd' capabilities... they had errors utilizing forwarded ports e.g.:

Is this a limitation of being chroot'ed? If so, how can I work around the issues? I had stopped utilizing chroot at the moment, since my users need to use port forwarding.

thanks and regards,
James Tan

[Failed after being chroot'ed]
...
bug1: Authentication succeeded (password).
debug1: Connections to local port 8080 forwarded to remote address localhost:8080
debug1: Local forwarding listening on ::1 port 8080.
debug1: fd 4 setting O_NONBLOCK
debug2: fd 4 is O_NONBLOCK
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 8080.
debug1: fd 5 setting O_NONBLOCK
debug2: fd 5 is O_NONBLOCK
debug1: channel 1: new [port listener]
debug1: Entering interactive session.
debug1: Connection to port 8080 forwarding to localhost port 8080 requested.
debug2: fd 6 setting TCP_NODELAY
debug2: fd 6 is O_NONBLOCK
debug2: fd 6 is O_NONBLOCK
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: administratively prohibited: open failed
debug1: channel_free: channel 2: direct-tcpip: listening port 8080 for localhost port 8080, connect from ::1 port 50976, nchannels 3
debug3: channel_free: status: The following connections are open:\015 ~ #2 direct-tcpip: listening port 8080 for localhost port 8080, connect from ::1 port 50976 (t3 r-1 i0/0 o0/0 fd 6/6)\015

[Passed if not chroot'ed]
bug1: Connections to local port 8080 forwarded to remote address localhost:8080
debug1: Local forwarding listening on ::1 port 8080.
debug1: fd 4 setting O_NONBLOCK
debug2: fd 4 is O_NONBLOCK
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 8080.
debug1: fd 5 setting O_NONBLOCK
debug2: fd 5 is O_NONBLOCK
debug1: channel 1: new [port listener]
debug1: Entering interactive session.
debug1: Connection to port 8080 forwarding to localhost port 8080 requested.
debug2: fd 6 setting TCP_NODELAY
debug2: fd 6 is O_NONBLOCK
debug2: fd 6 is O_NONBLOCK
debug1: channel 2: new [direct-tcpip]
debug1: channel 2: open confirm rwindow 131072 rmax 32768
debug1: channel 2: rcvd eof
debug1: channel 2: output open -> drain
debug1: channel 2: obuf empty
debug1: channel 2: close_write
debug1: channel 2: output drain -> closed
debug1: channel 2: read<=0 rfd 6 len 0
debug1: channel 2: read failed
debug1: channel 2: close_read
debug1: channel 2: input open -> drain
debug1: channel 2: ibuf empty
debug1: channel 2: send eof
debug1: channel 2: input drain -> closed
debug1: channel 2: send close
debug3: channel 2: will not send data after close
debug1: channel 2: rcvd close
debug3: channel 2: will not send data after close
debug1: channel 2: is dead
debug1: channel 2: garbage collecting
debug1: channel_free: channel 2: direct-tcpip: listening port 8080 for localhost port 8080, connect from ::1 port 50991, nchannels 3
debug3: channel_free: status: The following connections are open:\015 ~ #2 direct-tcpip: listening port 8080 for localhost port 8080, connect from ::1 port 50991 (t4 r0 i3/0 o3/0 fd 6/6)\015
debug3: channel_close_fds: channel 2: r 6 w 6 e -1