SSH forwarding lets you tunnel traffic through an SSH connection, but when it fails, you might see errors like:

    $ ssh -L 8080:localhost:80 user@server
    channel 0: open failed: administratively prohibited: open failed

Or for agent forwarding:

    $ ssh -A user@server
    Warning: agent forwarding requested, but agent not running

Or X11 forwarding:

    $ ssh -X user@server
    X11 forwarding request failed on channel 0

Let's diagnose and fix each forwarding type.

Port Forwarding (Local)
Local port forwarding creates a tunnel from your machine to a remote destination:

    ssh -L local_port:remote_host:remote_port user@server

Diagnose Local Forwarding Failure
Run with verbose output:

    ssh -vv -L 8080:localhost:80 user@server

Look for:

    debug1: Local connections to LOCALHOST:8080 forwarded to remote address localhost:80
    debug1: channel 0: new [port-forward]
    debug1: channel 0: open failed: administratively prohibited

Check GatewayPorts Setting
By default, ssh binds locally forwarded ports to localhost only. If other hosts need to reach the forwarded port (this makes it listen on all interfaces, not only loopback):

    ssh -L 8080:localhost:80 -o GatewayPorts=yes user@server

On the server side, check whether AllowTcpForwarding is enabled:

    sudo grep AllowTcpForwarding /etc/ssh/sshd_config

Should be:

    AllowTcpForwarding yes

If it's set to no:

    # Rewrites an existing, uncommented AllowTcpForwarding line only
    sudo sed -i 's/^AllowTcpForwarding.*/AllowTcpForwarding yes/' /etc/ssh/sshd_config
    sudo systemctl restart sshd

Verify Port Binding
Check if the port is actually bound:

    netstat -tlnp | grep 8080

Should show:

    tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 12345/ssh

If nothing is bound, the forwarding failed to start.

Check Firewall on Local Machine
A local firewall might block the forwarded port:

    sudo iptables -L INPUT -n | grep 8080

Allow the port:

    sudo iptables -I INPUT -p tcp --dport 8080 -j ACCEPT

Remote Port Forwarding
Remote forwarding (-R) binds a port on the server that tunnels back to your machine:

    ssh -R 9000:localhost:3000 user@server

Diagnose Remote Forwarding Failure
Check if GatewayPorts is needed on the server. The server binds the remote port to its loopback address by default, and the client-side GatewayPorts option only affects local (-L) forwards, so request the bind address in the -R argument:

    ssh -R 0.0.0.0:9000:localhost:3000 user@server

The server needs to allow binding to non-localhost addresses:

    # On server's sshd_config
    GatewayPorts clientspecified

Check Server Firewall
The remote port must be accessible on the server:

    # On server
    sudo iptables -L INPUT -n | grep 9000

Allow it:

    sudo iptables -I INPUT -p tcp --dport 9000 -j ACCEPT

Dynamic Port Forwarding (SOCKS Proxy)
Create a SOCKS proxy:

    ssh -D 1080 user@server

Test the proxy:

    curl --socks5 localhost:1080 http://example.com

Fix SOCKS Forwarding Issues
If it fails, check:

    ssh -vv -D 1080 user@server 2>&1 | grep "channel"

Verify the port is bound:

    netstat -tlnp | grep 1080

Agent Forwarding
Agent forwarding lets you use your local SSH keys on a remote server:

    ssh -A user@server

Check if Agent is Running Locally

    ssh-add -l

Should list your keys. If it fails:

    eval "$(ssh-agent -s)"
    ssh-add ~/.ssh/id_rsa

Check Server PermitOpen
The server might restrict which destinations TCP port forwards can reach:

    sudo grep PermitOpen /etc/ssh/sshd_config

If set to specific hosts:

    PermitOpen localhost:80 localhost:443

You can only forward to those destinations. To allow all:

    # Rewrites an existing, uncommented PermitOpen line only
    sudo sed -i 's/^PermitOpen.*/PermitOpen any/' /etc/ssh/sshd_config
    sudo systemctl restart sshd

Check AllowAgentForwarding
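On the server:

    sudo grep AllowAgentForwarding /etc/ssh/sshd_config

Should be:

    AllowAgentForwarding yes

If the line is missing, the default (yes) applies. If it is set to no, change the existing line, because sshd uses the first value it reads for a keyword and an appended line would be ignored:

    sudo sed -i 's/^AllowAgentForwarding.*/AllowAgentForwarding yes/' /etc/ssh/sshd_config
    sudo systemctl restart sshd

Verify Agent Forwarding Works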
On the remote server after connecting with -A:

    echo $SSH_AUTH_SOCK

Should show a socket path like:

    /tmp/ssh-XXXXXXXX/agent.12345

Test by SSH-ing to another host from the server:

    ssh user@another-server

This should use your forwarded agent credentials.

X11 Forwarding
Forward GUI applications:

    ssh -X user@server

Or with trusted mode (less secure):

    ssh -Y user@server

Check X11Forwarding Setting
On the server:

    sudo grep X11Forwarding /etc/ssh/sshd_config

Should be:

    X11Forwarding yes

Enable it:

    sudo sed -i 's/^X11Forwarding.*/X11Forwarding yes/' /etc/ssh/sshd_config
    sudo systemctl restart sshd

Check xauth Installation
X11 forwarding requires xauth:

    # On server
    which xauth

Install if missing:

    sudo apt install xauth # Debian/Ubuntu
    sudo yum install xauth # RHEL/CentOS

Verify DISPLAY Variable
On the remote server after connecting:

    echo $DISPLAY

Should show something like:

    localhost:10.0

Test with a simple X program:

    xclock

Multiple Forwardings
You can combine multiple forwardings in one command:

    ssh -L 8080:localhost:80 -L 3306:db-server:3306 -D 1080 user@server

Debug Multiple Forwardings
Check each forwarding individually:

    ssh -vv -L 8080:localhost:80 user@server 2>&1 | grep "channel 0"
    ssh -vv -L 3306:db-server:3306 user@server 2>&1 | grep "channel 1"

Forwarding Through Jump Host
Forward through a bastion/jump host:

    ssh -L 8080:internal-server:80 -J jumphost user@internal-server

Or with the equivalent ProxyJump option:

    ssh -L 8080:internal-server:80 -o ProxyJump=jumphost user@internal-server

Check Jump Host Forwarding
The jump host must allow port forwarding:

    # On jump host
    sudo grep AllowTcpForwarding /etc/ssh/sshd_config

Connection Timeout Issues
Forwarded connections might time out if the destination is unreachable:

    ssh -L 8080:unreachable-server:80 user@server

Test connectivity from the server:

    # On server
    curl -v http://unreachable-server:80
    nc -zv unreachable-server 80

Port Already in Use
If the local port is taken:

    bind: Address already in use
    channel_setup_fwd_listener_tcpip: cannot listen to port: 8080

Check what's using the port:

    sudo lsof -i :8080
    sudo netstat -tlnp | grep 8080

Choose a different port:

    ssh -L 8081:localhost:80 user@server

Resolution Checklist
1. Check AllowTcpForwarding yes on server
2. Check AllowAgentForwarding yes for agent forwarding
3. Check X11Forwarding yes for X11 forwarding
4. Use GatewayPorts=yes for external access
5. Verify port isn't blocked by firewall
6. Verify destination is reachable from server
7. Ensure agent is running locally (ssh-add -l)
8. Install xauth for X11 forwarding

Forwarding issues are usually server-side configuration restrictions. Start by checking the sshd_config settings for the specific forwarding type you're trying to use.
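
The server-side checks for a local forward (AllowTcpForwarding, then PermitOpen) combined into one script; this is an added example, not part of the original article. It reads settings in the lowercase "keyword value" form that `sshd -T` prints; `SAMPLE`, `cfg_get`, `local_forward_verdict` and `feature_enabled` are hypothetical names, and the sample settings are constructed.

```shell
#!/bin/sh
# Added example: explain why the server would refuse `ssh -L <lport>:HOST:PORT`,
# from effective settings in the "keyword value" form printed by `sshd -T`.

# SAMPLE is constructed for illustration, not taken from a real server.
SAMPLE='allowtcpforwarding yes
allowagentforwarding yes
x11forwarding no
gatewayports no
permitopen localhost:80 localhost:443'

# cfg_get SETTINGS KEY: print the value of KEY (empty if absent).
cfg_get() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { sub(/^[^ ]+ +/, ""); print; exit }'
}

# local_forward_verdict SETTINGS HOST PORT: print "allowed" or "blocked: <reason>".
# The body is a subshell, so `set -f` and `exit` stay local to the call.
local_forward_verdict() (
    tcp=$(cfg_get "$1" allowtcpforwarding)
    open=$(cfg_get "$1" permitopen)
    case ${tcp:-yes} in
        yes|all|local) ;;
        *) echo "blocked: AllowTcpForwarding $tcp"; exit 1 ;;
    esac
    case ${open:-any} in
        any)  echo "allowed"; exit 0 ;;
        none) echo "blocked: PermitOpen none"; exit 1 ;;
    esac
    set -f  # PermitOpen entries may contain "*"; keep the shell from globbing them
    for entry in $open; do
        case $entry in
            "$2:$3"|"$2:*"|"*:$3"|"*:*") echo "allowed"; exit 0 ;;
        esac
    done
    echo "blocked: $2:$3 not in PermitOpen ($open)"
    exit 1
)

# feature_enabled SETTINGS KEY: succeed only when a yes/no directive is "yes".
feature_enabled() {
    [ "$(cfg_get "$1" "$2")" = "yes" ]
}

local_forward_verdict "$SAMPLE" localhost 80
local_forward_verdict "$SAMPLE" db-server 3306 || true
feature_enabled "$SAMPLE" x11forwarding || echo "X11Forwarding is not enabled"
```

On a server, pass real settings with `local_forward_verdict "$(sudo sshd -T)" db-server 3306`; unlike grepping sshd_config, `sshd -T` reports the effective values, including defaults that are not written in the file.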