ssh "administratively prohibited" errors linked to name resolution :-(

/usr/ceo
      10-17-2006, 10:32 AM
I was having some difficulty getting my sshd and port forwarding on my
Linux server to work; I was receiving "administratively prohibited"
errors. Something gave me the sense that name resolution was the
issue, so I checked my local caching DNS and I have name resolution for
the host I want to forward to and my /etc/resolv.conf points to this
caching DNS.

So I have:

$ nslookup foo.local
Server: 192.168.10.2
Address: 192.168.10.2#53

Name: foo.local
Address: 192.168.10.3

/etc/resolve.conf:

domain local
search local
nameserver 192.168.10.2
nameserver 192.168.10.1
nameserver 68.8.7.100

And just for good measure in /etc/ssh/sshd_config, I have "UseDNS yes"
even though that is supposed to be a default. (And restarted sshd).

But when I try to do this from another machine:

$ ssh -l foobar -L 8080:foo.local:8080 server

and then set my browser to use an HTTP proxy of: http://localhost:8080
(and there is a proxy server running on foo.local or 192.16.10.3 at
port 8080)... I get "administratively prohibited" in my ssh shell
window on server, and a long timeout where the browser just sits until
it times out. (server = 192.168.10.2 where the DNS caching server
sits.)

When I go into server:/etc/hosts and add an entry for "192.168.10.3
foo.local", then everything works!! So it seems like sshd is NOT doing
DNS lookups for name resolution. Anyone seen anything like this
before? I mean, having an entry in server:/etc/hosts is not really
desirable, considering my DNS lookup is working (seemingly according to
nslookup above), but... It does solve the problem. It just looks like
sshd isn't doing lookups after all for some reason...? :-(

/usr/ceo

Jeroen Geilman
      10-17-2006, 07:20 PM
/usr/ceo wrote:
> I was having some difficulty getting my sshd and port forwarding on my
> Linux server to work; I was receiving "administratively prohibited"
> errors. Something gave me the sense that name resolution was the
> issue, so I checked my local caching DNS and I have name resolution for
> the host I want to forward to and my /etc/resolv.conf points to this
> caching DNS.
>
> So I have:
>
> $ nslookup foo.local
> Server: 192.168.10.2
> Address: 192.168.10.2#53
>
> Name: foo.local
> Address: 192.168.10.3
>
> /etc/resolve.conf:
>
> domain local
> search local
> nameserver 192.168.10.2
> nameserver 192.168.10.1
> nameserver 68.8.7.100
>
> And just for good measure in /etc/ssh/sshd_config, I have "UseDNS yes"
> even though that is supposed to be a default. (And restarted sshd).
>
> But when I try to do this from another machine:
>
> $ ssh -l foobar -L 8080:foo.local:8080 server
>
> and then set my browser to use an HTTP proxy of: http://localhost:8080
> (and there is a proxy server running on foo.local or 192.16.10.3 at
> port 8080)... I get "administratively prohibited" in my ssh shell
> window on server, and a long timeout where the browser just sits until
> it times out. (server = 192.168.10.2 where the DNS caching server
> sits.)
>
> When I go into server:/etc/hosts and add an entry for "192.168.10.3
> foo.local", then everything works!! So it seems like sshd is NOT doing
> DNS lookups for name resolution.


Nonsense.
Your "server" is not using its own DNS, hence has no clue who he is.


J.
/usr/ceo
      10-22-2006, 12:46 AM
Jeroen Geilman wrote:
> /usr/ceo wrote:
> > I was having some difficulty getting my sshd and port forwarding on my
> > Linux server to work; I was receiving "administratively prohibited"
> > errors. Something gave me the sense that name resolution was the
> > issue, so I checked my local caching DNS and I have name resolution for
> > the host I want to forward to and my /etc/resolv.conf points to this
> > caching DNS.
> >
> > So I have:
> >
> > $ nslookup foo.local
> > Server: 192.168.10.2
> > Address: 192.168.10.2#53
> >
> > Name: foo.local
> > Address: 192.168.10.3
> >
> > /etc/resolve.conf:
> >
> > domain local
> > search local
> > nameserver 192.168.10.2
> > nameserver 192.168.10.1
> > nameserver 68.8.7.100
> >
> > And just for good measure in /etc/ssh/sshd_config, I have "UseDNS yes"
> > even though that is supposed to be a default. (And restarted sshd).
> >
> > But when I try to do this from another machine:
> >
> > $ ssh -l foobar -L 8080:foo.local:8080 server
> >
> > and then set my browser to use an HTTP proxy of: http://localhost:8080
> > (and there is a proxy server running on foo.local or 192.16.10.3 at
> > port 8080)... I get "administratively prohibited" in my ssh shell
> > window on server, and a long timeout where the browser just sits until
> > it times out. (server = 192.168.10.2 where the DNS caching server
> > sits.)
> >
> > When I go into server:/etc/hosts and add an entry for "192.168.10.3
> > foo.local", then everything works!! So it seems like sshd is NOT doing
> > DNS lookups for name resolution.

>
> Nonsense.
> Your "server" is not using its own DNS, hence has no clue who he is.


My experience -- which could be a mirage -- is that when local port
forwarding is used, the server handling the port forwarding does the
name resolution. So the port forwarding again is:

localhost: Could be ANY IP, but we'll say 10.40.50.60
server: 24.15.16.80 (WAN address), 192.168.10.2 (LAN address)
foo.local: 192.168.10.3

Using ssh command: ssh -L 8080:foo.local:8080 24.15.16.80

Traffic goes:

localhost:22(8080 tunnel) -> server(WAN):22(8080 tunnel) -> server(LAN)
<does name resolution of foo.local> -> foo.local:8080

When server(LAN) has a host entry for foo.local, it works. When
server(LAN) does NOT have a host file entry for foo.local, it does NOT
work. And again, as far as I know server(LAN) does the lookup for the
address "foo.local" specified in the -L option for ssh.

/usr/ceo

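The mechanism described in this thread can be checked from the server side without guessing. With `ssh -L 8080:foo.local:8080 server`, the client sends the literal string "foo.local" to sshd in its direct-tcpip channel request and sshd, not the client, resolves and connects to it. OpenSSH answers "administratively prohibited: open failed" both when policy (AllowTcpForwarding / PermitOpen) forbids the forward and when it cannot resolve or connect to the target, so the same message covers two different root causes. The script below is an added example, not code from the thread or from OpenSSH: it evaluates the global AllowTcpForwarding/PermitOpen directives of an sshd_config text against a requested forward, then resolves the target with getaddrinfo(3), which follows /etc/nsswitch.conf the way sshd does, unlike nslookup, which queries the DNS server directly. The sample config and the function names are constructed for illustration.

```python
"""Server-side checks for an `ssh -L local:host:port` forward request.

Added example (not from the thread or from OpenSSH). Run it on the sshd
host: that is where the target name is resolved and connected to.
"""
import socket
import sys

# Constructed sample sshd_config text (an assumption, not the poster's file).
SAMPLE_SSHD_CONFIG = """
# Global section: applies to every connection.
AllowTcpForwarding yes
PermitOpen foo.local:8080 192.168.10.3:8080
Match User guest
    AllowTcpForwarding no
"""


def parse_global_directives(config_text):
    """Collect directives that precede the first Match block.

    sshd uses the first value it sees for a keyword (later duplicates are
    ignored), so the first occurrence wins here too. Directives inside a
    Match block are conditional and are deliberately not evaluated.
    """
    directives = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        directives.setdefault(keyword, value)
    return directives


def forward_permitted(config_text, host, port):
    """Decide whether policy lets a client open a direct-tcpip channel to
    host:port (what `ssh -L` asks for). Returns (allowed, reason).

    The host is compared as the literal string the client sent, because
    that is what sshd matches against PermitOpen before resolving it.
    """
    d = parse_global_directives(config_text)
    allow = d.get("allowtcpforwarding", "yes").lower()   # default: yes
    if allow in ("no", "remote"):
        return False, "AllowTcpForwarding %s blocks local (-L) forwards" % allow
    permit = d.get("permitopen", "any")                   # default: any
    if permit.lower() == "any":
        return True, "PermitOpen any"
    if permit.lower() == "none":
        return False, "PermitOpen none"
    for spec in permit.split():
        spec_host, _, spec_port = spec.rpartition(":")
        spec_host = spec_host.strip("[]")                 # [ipv6]:port form
        if spec_host in ("*", host) and spec_port in ("*", str(port)):
            return True, "matched PermitOpen %s" % spec
    return False, "no PermitOpen entry matches %s:%d" % (host, port)


def resolve_like_sshd(host, port):
    """Resolve the target via getaddrinfo(3), the call sshd itself makes.

    getaddrinfo goes through the C library's name service switch
    (/etc/nsswitch.conf: typically files, then dns, on some systems an mdns
    plugin ahead of dns for ".local"). nslookup talks to the DNS server
    directly and bypasses that path, so a name nslookup resolves can still
    fail here. Returns (sorted address list, status string).
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [], "getaddrinfo failed: %s" % exc
    return sorted({ai[4][0] for ai in infos}), "ok"


def can_connect(addr, port, timeout=2.0):
    """Try the TCP connect sshd would make; True if the port accepts."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(config_text, host, port):
    """Run the three checks in sshd's order and return a report dict."""
    allowed, reason = forward_permitted(config_text, host, port)
    report = {"policy_ok": allowed, "policy_reason": reason}
    if allowed:
        addrs, status = resolve_like_sshd(host, port)
        report.update({"addresses": addrs, "resolve_status": status})
        report["reachable"] = [a for a in addrs if can_connect(a, port)]
    return report


if __name__ == "__main__":
    # Usage: python3 check_forward.py [sshd_config path] host port
    path, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(path) as fh:
        print(diagnose(fh.read(), host, port))
```

Run on the sshd host as `python3 check_forward.py /etc/ssh/sshd_config foo.local 8080`. If `policy_ok` is False the error is a deliberate restriction; if `addresses` is empty while nslookup answers, the gap is between the resolver library and the DNS server (check the hosts line in /etc/nsswitch.conf, including any mdns entry that claims ".local" names), which is exactly the situation an /etc/hosts entry papers over; if the name resolves but `reachable` is empty, the proxy on the target is not accepting connections from the server's address.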