I'm setting up Syncthing on my QNAP NAS, and am currently at the point where I want to forward the NAS's GUI to my laptop, which is on the same network. The GUI is available on the NAS on port 8384:

[~] # nc -zv 127.0.0.1 8384
localhost [127.0.0.1] 8384 (?) open

Now, to access this service from the laptop, I use

ssh -p 50022 -L 9090:127.0.0.1:8384 admin@nasipaddress -v

as described here (-v added for debugging). Doing this, and then accessing 127.0.0.1:9090 in my laptop's browser, gives me the following error in the terminal (the terminal into the NAS that was opened by the ssh command above):

[~] # debug1: Connection to port 9090 forwarding to 127.0.0.1 port 8384 requested.
debug1: channel 3: new [direct-tcpip]
channel 3: open failed: administratively prohibited: open failed
debug1: channel 3: free: direct-tcpip: listening port 9090 for 127.0.0.1 port 8384, connect from 127.0.0.1 port 36462 to 127.0.0.1 port 9090, nchannels 4

This message is repeated 10 times, each time incrementing the port 36462 by 2. The "administratively prohibited" seems to imply that it's some setting, I'd guess on the NAS itself, and I'll look into that. I'm also unsure where the port (36462) being used is coming from, though.

In sshd_config, I've set AllowTcpForwarding to yes, and PermitOpen is not present, as per this question, and I've added PermitTunnel yes as per this post. My entire sshd_config:

Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin yes
UseDNS no
Subsystem sftp /usr/libexec/sftp-server
AllowTcpForwarding yes
AllowUsers admin
PermitTunnel yes

I have restarted the ssh daemon after changing the config.

I'm using authorised keys, and all lines in .ssh/authorized_keys consist of ssh-rsa l0ngcrpt0grAph1cK3Y descriptive name

edit: I've rewritten the question to reflect new information.

edit: solved!
Turns out, changes to sshd_config on the QNAP NAS are undone when restarting the ssh daemon. Yeah, I know. So the only way to make sure the line AllowTcpForwarding yes survives is by adding it another way, like so:

setcfg LOGIN "SSH AllowTcpForwarding" TRUE

This does survive a restart of sshd and a reboot of the system.

ElRudi

1 Answer

Are you sure sshd on the NAS has been restarted after editing its sshd_config file? If not, it might be still using the old settings.

The NAS might have a software firewall that answers to connection attempts from 127.0.0.1 to port 8384 with an "Administratively prohibited" ICMP error, or the application itself in port 8384 might be doing the same.

Or the sshd in the NAS device might have been compiled without a port forwarding capability, causing it to respond with "administratively prohibited" to port forwarding attempts, no matter what you put in its sshd_config file.

telcoM
  • Thanks telcoM for your answer. Yes, I did restart the daemon. Is there a way to check the other 2 leads? – ElRudi Nov 03 '18 at 13:14
  • The result of your nc -zv 127.0.0.1 8384 indicates that for whatever reason, port 8384 is not accepting connections from 127.0.0.1, and so a port forwarding cannot be established at this time. You might have to access the NAS configuration UI in some other way, and then add 127.0.0.1 to some sort of list of allowed management addresses. After that, it looks like your port forwarding set-up might work. – telcoM Nov 03 '18 at 13:26
  • Thanks telcoM - that was a valuable lead that helped me tackle part of the problem. The service on port 8384 now is available. – ElRudi Nov 04 '18 at 16:37
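
A check for the answer's first lead (sshd still running with old settings) and for the cause found in the question's final edit, as an added example that is not part of the original posts: it reads the daemon's effective settings in the format printed by `sshd -T` and reports whether a `-L` forward to a given destination would be refused. The function name and the sample dump are constructed here, it assumes the NAS's sshd supports `-T`, and it handles IPv4 or hostname destinations only.

```shell
#!/bin/sh
# Added example (not from the original posts): decide whether sshd's
# effective settings permit an `ssh -L` (direct-tcpip) forward.
# stdin: text in the format printed by `sshd -T`, one lowercase
#        "keyword value..." pair per line.
# usage on a host whose sshd supports -T (assumption), as root:
#        sshd -T | forward_allowed 127.0.0.1:8384

# forward_allowed HOST:PORT -> prints a verdict; status 0 if allowed
forward_allowed() {
    awk -v dest="$1" '
        BEGIN { fwd = "yes"; permit = "any"; dest = tolower(dest) }  # OpenSSH defaults
        { key = tolower($1) }
        key == "allowtcpforwarding" { fwd = tolower($2) }
        key == "permitopen" { $1 = ""; sub(/^ +/, ""); permit = tolower($0) }
        END {
            # -L needs local forwarding: yes, all or local
            if (fwd != "yes" && fwd != "all" && fwd != "local") {
                print "prohibited: allowtcpforwarding=" fwd; exit 1
            }
            if (permit == "any") { print "allowed"; exit 0 }
            n = split(permit, list, " "); split(dest, d, ":")
            for (i = 1; i <= n; i++)
                if (list[i] == dest || list[i] == (d[1] ":*") ||
                    list[i] == ("*:" d[2]) || list[i] == "*:*") {
                    print "allowed"; exit 0
                }
            print "prohibited: permitopen=" permit; exit 1
        }'
}

# Constructed sample: what a running daemon would report once the edit
# to sshd_config has been undone (port 50022 is the one in the question).
reverted='port 50022
allowtcpforwarding no
permitopen any'
printf '%s\n' "$reverted" | forward_allowed 127.0.0.1:8384 || true
```

Running it before and after a daemon restart shows whether a setting written to the file is the one the daemon actually loaded.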