Tags: ssh, visual-studio-code, vscode-remote

SSH Agent Forwarding with Visual Studio Code Remote - SSH extension


I have a RHEL "dev" server running Ansible behind a jumpbox.

I need to connect to the RHEL server from a Windows 10 machine using the VS Code Remote - SSH extension for Ansible development work. I am using Git Bash for SSH/*nix stuff.

The jumpbox has SSH port forwarding disabled - which as far as I know, will remain disabled.

I have copied the agent-forwarding public key to the jumpbox and the RHEL server. So, I am able to connect to the RHEL server via the jumpbox using SSH Agent Forwarding.

Here is what my SSH config file looks like.

Host *
    ForwardAgent yes

# Jump box
Host jump-box
    HostName xx.xx.xx.xx
    User test_user
    IdentityFile ~/.ssh/agent-forwarding

# RHEL server
Host rhel-dev
    HostName xx.xx.xx.xx
    User test_user
    IdentityFile ~/.ssh/agent-forwarding

Using this SSH config, from VS Code, I use Remote-SSH: Connect to Host... and select rhel-dev.

On my first attempt, rhel-dev downloaded the binaries for vscode-server and installed it.

However, when trying to connect to this server from VS Code, I get the following error - channel 3: open failed: administratively prohibited: open failed.

Here is the full log

Running remote connection script
Acquiring lock on /home/test_user/.vscode-server/bin/2213894ea0415ee8c85c5eea0d0ff81ecc191529/vscode-remote-lock.2213894ea0415ee8c85c5eea0d0ff81ecc191529
Found existing installation at /home/test_user/.vscode-server/bin/2213894ea0415ee8c85c5eea0d0ff81ecc191529...
Found running server...

*
* Reminder: You may only use this software with Visual Studio family products,
* as described in the license (https://go.microsoft.com/fwlink/?linkid=2077057)
*

Checking server status on port 42200 with wget
cc11e6e5-2b75-47ea-a727-62f738a7b5d9: start
sshAuthSock====
agentPort==42200==
webViewServerPort==39212==
osReleaseId==rhel==
arch==x86_64==
webUiAccessToken====
cc11e6e5-2b75-47ea-a727-62f738a7b5d9: end
channel 3: open failed: administratively prohibited: open failed
channel 4: open failed: administratively prohibited: open failed
channel 5: open failed: administratively prohibited: open failed

I am not sure what the channel 5: open failed: administratively prohibited: open failed is about. Based on my research, some have implied this is related to the fact that SSH Port forwarding is disabled on the jumpbox, while others aren't convinced.

Networking is not my strong suit. I would love to hear from the community on what the issue might be.


Solution

  • VSCode works with the OpenSSH config file, and that has a lot of features.

    A common misconception is that you need AgentForwarding when using a jump box. If you use ProxyJump instead of ProxyCommand in your ssh config file then you don't need to forward the agent, and that safeguards from ssh-mitm attacks. Security could be improved by using different keys for the jump box and the servers behind it.

    HashKnownHosts yes
    StrictHostKeyChecking accept-new
    CheckHostIP yes
    
    # Jump box
    Host jump-box
        HostName xx.xx.xx.xx
        User test_user
        IdentityFile ~/.ssh/id_xxx
    
    # on-prem servers
    Host 10.*
        ProxyJump jump-box
        User test_user
        IdentityFile ~/.ssh/id_xyz
    

    To edit remote files with VSCode's Remote-SSH extension, the jump-box needs to have AllowTcpForwarding yes in /etc/ssh/sshd_config; if not, you'll see this error when you click Details while connecting:

    ERROR: TCP port forwarding appears to be disabled on the remote host. Ensure that the sshd_config has "AllowTcpForwarding yes". Contact your system administrator if needed.

    Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. When you contact your system administrator, you can suggest configuring the jump-box to be exclusively usable for jumping by having this in /etc/ssh/sshd_config:

    Match User test_user
      # the sshd keyword is AllowTcpForwarding (the name the error message above uses)
      AllowTcpForwarding yes
      PermitTTY no
      X11Forwarding no
      PermitTunnel no
      GatewayPorts no
      # every shell or command request is replaced by nologin, so only forwarding works
      ForceCommand /usr/sbin/nologin
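The two checks the answer describes, as an added Python example that is not part of the original answer or of OpenSSH: it parses a client ~/.ssh/config and reports ForwardAgent yes, ProxyJump use and an IdentityFile shared between a jump host and the hosts behind it, then resolves which settings a jump-box sshd_config applies to one user through Match User blocks and compares them with the jump-only policy. The sample configs are constructed to mirror the ones on the page; the Match evaluation only understands the User and All criteria, and the misspelling list only knows the TcpForwarding/AllowTcpForwarding mix-up (both are assumptions of this example).

```python
"""Audit the two OpenSSH configs discussed above (added example, not from the
answer): the client ~/.ssh/config for ForwardAgent vs ProxyJump and key reuse,
and a jump-box sshd_config for the per-user jump-only policy."""
import re
from fnmatch import fnmatch


def _directives(text):
    """Yield (lowercase key, value) per 'Key value' / 'Key=value' line; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def parse_ssh_config(text):
    """Client config -> [(host_patterns, options)]; entry 0 holds options given before
    any Host line. ssh keeps the first value it reads for a key, hence setdefault."""
    blocks = [(["*"], {})]
    for key, value in _directives(text):
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def _lookup(blocks, host, key):
    """First value ssh would use for `key` when connecting to `host`."""
    for patterns, opts in blocks:
        if key in opts and any(fnmatch(host, p) for p in patterns):
            return opts[key]
    return None


def audit_client_config(text):
    """Findings about agent forwarding and key separation in a client config."""
    blocks = parse_ssh_config(text)
    findings = [f"ForwardAgent yes for '{' '.join(p)}': prefer ProxyJump so the jump box "
                "never talks to your agent" for p, o in blocks if o.get("forwardagent") == "yes"]
    for patterns, opts in blocks:
        jump, host = opts.get("proxyjump"), patterns[0]
        if not jump:
            continue
        findings.append(f"'{host}' reaches '{jump}' via ProxyJump; no agent forwarding needed")
        key_file = _lookup(blocks, host, "identityfile")
        if key_file and key_file == _lookup(blocks, jump, "identityfile"):
            findings.append(f"'{host}' and '{jump}' share IdentityFile {key_file}: use separate keys")
    return findings


SSHD_DEFAULTS = {"allowtcpforwarding": "yes", "permittty": "yes", "x11forwarding": "no",
                 "permittunnel": "no", "gatewayports": "no"}   # sshd defaults for these keys
JUMP_ONLY = {"allowtcpforwarding": "yes", "permittty": "no", "x11forwarding": "no",
             "permittunnel": "no", "gatewayports": "no"}       # policy from the answer
MISSPELLINGS = {"tcpforwarding": "AllowTcpForwarding"}  # sshd refuses to start on unknown keywords


def _match_applies(criteria, user):
    """Assumption: only 'Match User a,b' (glob patterns) and 'Match All' are evaluated."""
    tokens = criteria.split()
    if tokens and tokens[0].lower() == "all":
        return True
    return any(c.lower() == "user" and any(fnmatch(user, p) for p in a.split(","))
               for c, a in zip(tokens[::2], tokens[1::2]))


def effective_sshd_settings(text, user):
    """Global section (first value wins), overridden per key by the first matching
    Match block. Also returns any misspelled keywords seen anywhere in the file."""
    global_opts, match_opts, bad = {}, {}, []
    in_match = applies = False
    for key, value in _directives(text):
        if key == "match":
            in_match, applies = True, _match_applies(value, user)
        elif key in MISSPELLINGS:
            bad.append(key)
        elif not in_match:
            global_opts.setdefault(key, value)
        elif applies:
            match_opts.setdefault(key, value)
    return {**SSHD_DEFAULTS, **global_opts, **match_opts}, bad


def check_jump_only(text, user):
    """Deviations from the jump-only policy for `user`; an empty list means compliant."""
    eff, bad = effective_sshd_settings(text, user)
    problems = [f"unknown keyword '{k}', did you mean {MISSPELLINGS[k]}?" for k in bad]
    problems += [f"{k} is {eff.get(k)}, policy wants {v}" for k, v in JUMP_ONLY.items()
                 if eff.get(k) != v]
    if "forcecommand" not in eff:
        problems.append("no ForceCommand: the user still gets a shell on the jump box")
    return problems


# Constructed samples mirroring the configs on the page (HostName lines omitted)
CLIENT_ASKER = ("Host *\n ForwardAgent yes\nHost jump-box\n IdentityFile ~/.ssh/agent-forwarding\n"
                "Host rhel-dev\n IdentityFile ~/.ssh/agent-forwarding\n")
CLIENT_ANSWER = ("Host jump-box\n IdentityFile ~/.ssh/id_xxx\n"
                 "Host 10.*\n ProxyJump jump-box\n IdentityFile ~/.ssh/id_xyz\n")
JUMP_BLOCK = " PermitTTY no\n X11Forwarding no\n PermitTunnel no\n GatewayPorts no\n ForceCommand /usr/sbin/nologin\n"
SSHD_AS_POSTED = "Match User test_user\n TcpForwarding yes\n" + JUMP_BLOCK
SSHD_FIXED = "AllowTcpForwarding no\nMatch User test_user\n AllowTcpForwarding yes\n" + JUMP_BLOCK

if __name__ == "__main__":
    print(audit_client_config(CLIENT_ASKER), audit_client_config(CLIENT_ANSWER))
    print(check_jump_only(SSHD_AS_POSTED, "test_user"))
    print(check_jump_only(SSHD_FIXED, "test_user"), check_jump_only(SSHD_FIXED, "other"))
```

On a real host the authoritative checks are `ssh -G rhel-dev` (prints the client options ssh would actually use, ForwardAgent and ProxyJump included) and `sshd -t -f /etc/ssh/sshd_config` on the jump box, which rejects an unknown keyword such as TcpForwarding before the service is restarted with a broken config.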