I'm attempting to set up a SOCKS proxy via ssh with a user in a chroot jail. After creating the tunnel, connection attempts result in:
channel 2: open failed: administratively prohibited: open failed
The client side sets up the tunnel with:
ssh -i id_rsa user123@10.0.0.1 -D 1080 -N
The server's sshd_config file:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User user123
    ChrootDirectory /opt/download
    #X11Forwarding no
    AllowTcpForwarding yes
    PermitOpen any
    ForceCommand internal-sftp
If I comment out the ChrootDirectory config for the user, the tunnel works. If I use -L port forwarding on the client with ChrootDirectory active, it also works.
I'm assuming this has something to do with utilities needed for a SOCKS proxy that aren't visible from the chroot environment but I was unable to find documentation relating to that. The user's chroot directory currently contains only files that are meant to be retrieved via sftp pulls.
What needs to change to make this work?
Server OS is CentOS 7.8 with OpenSSH 7.4
This question doesn't apply as it relates to the -L option and I already have the recommended settings in sshd_config.
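An added check, not part of the question above and not the asker's own code, for the hypothesis the post raises (that something the forward needs is not visible from inside the chroot). With ChrootDirectory set, sshd opens the forwarded TCP connection from inside the chroot, and a SOCKS client behind -D normally hands sshd a hostname to resolve, whereas -L to an IP address needs no lookup; a getaddrinfo() failure in sshd's channel-open path is reported to the client as "administratively prohibited". The script lists the files glibc's resolver consults and the NSS libraries it loads at run time; the CentOS 7 library path (/lib64) and the file list are assumptions for that platform:

```shell
#!/bin/sh
# Added example (not from the original post): report which name-resolution
# pieces are absent from an sshd ChrootDirectory. glibc's getaddrinfo() reads
# these files and dlopen()s the NSS backends after the process has chrooted,
# so they must exist relative to the chroot, not just on the host.
# Usage: check_chroot_resolver /opt/download   (exit 0 when nothing is missing)

check_chroot_resolver() {
    dir=$1
    missing=0

    # Configuration consulted by the resolver. If nsswitch.conf is absent glibc
    # falls back to built-in defaults, but resolv.conf and hosts are still read.
    for f in etc/nsswitch.conf etc/resolv.conf etc/hosts; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            missing=$((missing + 1))
        fi
    done

    # NSS backends and the DNS stub resolver. On CentOS 7 they live in /lib64;
    # searching the whole tree keeps the check distribution-agnostic.
    for lib in libnss_files.so.2 libnss_dns.so.2 libresolv.so.2; do
        if [ -z "$(find "$dir" -name "$lib" -print 2>/dev/null | head -n 1)" ]; then
            echo "missing: $lib (no copy under $dir)"
            missing=$((missing + 1))
        fi
    done

    [ "$missing" -eq 0 ]
}
```

To confirm the resolution angle from the client side without touching the server, compare a request whose name is resolved locally (`curl --socks5 127.0.0.1:1080 http://example.com/`, which sends an IP address through the tunnel) with one that hands the name to sshd (`curl --socks5-hostname 127.0.0.1:1080 http://example.com/`); only the second depends on what the chrooted sshd can resolve.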