When I'm out-and-about using others' wireless services, I protect my packets by setting up a dynamic SOCKS 5 proxy over SSH. Usually everything works fine, but lately I've been seeing some issues.
A full description of how to set up such a proxy server is outside the scope of this article, but for the sake of background info, the command I use from the client-side looks something like this:
ssh -D 23456 my-user@my-domain.com
The above uses the Dynamic proxy option (-D) to create a SOCKS 5 proxy on local port 23456.
Every so often, when using a browser which has been configured to use the tunnel, a request would fail and I'd see an error like the following in the terminal from which I had launched the ssh command:
channel X: open failed: administratively prohibited: open failed
Where X was an integer value, usually between 3 and 5.
After much confusion, I finally tracked down the issue - it has to do with domain resolution. My OpenSSH setup "administratively prohibits" using the dynamic proxy to resolve computer names lacking top-level domain extensions. So for example, if I tried to visit http://randomsite.com/, the request would succeed.
However, a request to http://randomstring/ would trigger the error since my browser (which is using the dynamic proxy) is trying to reach the computer named "randomstring".
Note that this doesn't happen when randomstring is localhost, since the browser is smart enough to exclude localhost from the names that require a DNS lookup.
It turns out that the way I was causing this was by relying on Firefox's automatic "I feel lucky" option when you type a non-URL into the address bar. I would type "randomsite" expecting to be taken to "http://www.randomsite.com". However, since I am using a proxy, the request was not going through Google; instead the browser was attempting to resolve "http://randomsite/" - triggering the error in the terminal as described above.
And that is a seemingly trivial point that should not be overlooked:
When using the "Manual proxy configuration" option in Mozilla Firefox, it becomes the proxy's responsibility to resolve non-URL requests in the address bar. They are not resolved by Google's "I feel lucky" facility.
The unsettling thing was that when this occurs, in the browser there is no visible feedback. Nothing at all appears to happen. Typically in Firefox, when a server can't be reached, you get an informative message stating so in the content of the browser tab. In this case though, all you see is a blank white page with "(Unknown)" for a title.
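To make the mechanism concrete, here is an added example (not code from the original post) that encodes and decodes the SOCKS5 CONNECT request defined in RFC 1928, showing that a host name reaches the proxy as a name, so the far end of the SSH tunnel has to resolve it. It assumes the browser hands DNS lookups to the SOCKS proxy; the function names are illustrative.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04  # RFC 1928 address types
CMD_CONNECT = 0x01

def build_connect(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request; a non-IP host is sent as a name (ATYP 0x03)."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("host name length out of range")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([0x05, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)

def parse_connect(req: bytes):
    """Decode a request as the proxy side sees it: (atyp, host, port)."""
    if len(req) < 7 or req[0] != 0x05 or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = req[3], req[4:]
    if atyp == ATYP_DOMAIN:
        n = body[0]  # one length byte, then the name itself
        host, rest = body[1:1 + n].decode("ascii"), body[1 + n:]
    elif atyp == ATYP_IPV4:
        host, rest = str(ipaddress.ip_address(body[:4])), body[4:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.ip_address(body[:16])), body[16:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    return atyp, host, struct.unpack("!H", rest)[0]

def needs_remote_lookup(req: bytes) -> bool:
    """True when the far end of the tunnel must resolve the name itself."""
    return parse_connect(req)[0] == ATYP_DOMAIN

def is_single_label(req: bytes) -> bool:
    """True for names like "randomstring": no dot, so no top-level domain."""
    atyp, host, _ = parse_connect(req)
    return atyp == ATYP_DOMAIN and "." not in host.rstrip(".")
```

A request for "randomstring" comes out as address type 0x03 with the bare name inside, which is the case that produced the "administratively prohibited" error above.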
In any case, this is what was causing my problem - if you're seeing a similar "administratively prohibited" error, it may or may not be this. Your mileage may vary. Good luck!