VSCode Remote SSH Connection Failed - Debian

Padd
March 3, 2020
210 views
14 votes
14 Answers

I’m trying to use the Remote-SSH extension to edit files on a Debian server. The SSH connection is established correctly but then I get an error message :

Failed to connect to the remote extension host server

And the log :

[13:19:04.182] Remote server is listening on port 51569
[13:19:04.182] Parsed server configuration: {"agentPort":51569,"osReleaseId":"debian","arch":"x86_64","webUiAccessToken":"","sshAuthSock":"","tmpDir":"/tmp"}
[13:19:04.184] Starting forwarding server. localPort 59828 -> socksPort 59825 -> remotePort 51569
[13:19:04.185] Forwarding server listening on 59828
[13:19:04.185] Waiting for ssh tunnel to be ready
[13:19:04.186] Tunneled remote port 51569 to local port 59828
[13:19:04.186] Resolved "ssh-remote+home-debian.web-data.host" to "127.0.0.1:59828"
[13:19:04.187] [Forwarding server 59828] Got connection 0
[13:19:04.195] ------
[13:19:04.208] [Forwarding server 59828] Got connection 1
[13:19:04.208] [Forwarding server 59828] Got connection 2
[13:19:04.217] Failed to set up socket for dynamic port forward to remote port 51569: Socket closed. Is the remote port correct?
[13:19:04.227] > channel 3: open failed: administratively prohibited: open failed
[13:19:04.235] Failed to set up socket for dynamic port forward to remote port 51569: Socket closed. Is the remote port correct?
[13:19:04.237] Failed to set up socket for dynamic port forward to remote port 51569: Socket closed. Is the remote port correct?
[13:19:04.241] > channel 4: open failed: administratively prohibited: open failed
> channel 5: open failed: administratively prohibited: open failed

I am using the remote ssh connection on several other servers and have never had this error. I have tested a few things gleaned from the web but nothing has worked so far.

Could someone enlighten me on the reason for the problem or on a possible solution ? Thanks !

Answers

- Kenster
- March 3, 2020 at 2:48 pm
- 0 votes
0
```
[13:19:04.227] > channel 3: open failed: administratively prohibited: open failed
```
The remote server that you’re connecting to is refusing to perform port forwards for you. Assuming the remote server is OpenSSH, there are two places on the remote server where this might be configured:
1. The server may be configured not to permit port forwarding through the sshd_config options PermitOpen or DisableForwarding options.
2. If you’re authenticating with an ssh key, forwarding might be disabled through the authorized_keys options PermitOpen or restrict.
Login or Signup to reply.

- jns
- May 21, 2020 at 8:23 am
- 0 votes
0
```
Delete '~/.vscode-server' folder on your server, and try reconnect.
```
Not sure for Debian server, but this worked on Ubuntu 18.04
Login or Signup to reply.

- pek
- July 23, 2020 at 12:51 pm
- 0 votes
0
Changing AllowTcpForwarding from no to yes in sshd_config and restarting sshd works for me.

Tested on Raspbian GNU/Linux 10 (buster)

Login or Signup to reply.

- NicolaiPrebensen
- November 21, 2020 at 5:20 pm
- 0 votes
0
FWIW; I had the same issue and a reboot seemed to solve the problem.

Login or Signup to reply.

- MuhammadTalha
- August 17, 2021 at 12:22 pm
- 0 votes
0
Follow these steps
1. Update the sshd_config file in the host machine.Follow this command
  nano /etc/ssh/sshd_config and then set AllowTcpForwarding to yes
2. Restart ssh on the host machine sudo systemctl restart ssh
3. Detele the .vscode-server in host machine rm -rf /home/<user_name>/.vscode-server
4. Now connect through VS Code again. Hopefully it will work
Login or Signup to reply.

- Nolan
- January 14, 2022 at 5:55 pm
- 0 votes
0
I was getting this error:

Could not establish connection to "workspace": Port forwarding is disabled.

I was getting this error because my remote host vm had been rebuilt causing my known_hosts file on the local system to contain an invalid key. Removing the old entry from known_hosts solved the issue.

Login or Signup to reply.

- congusbongus
- March 4, 2022 at 1:28 am
- 0 votes
0
In my case, the ssh host identification had changed – I was seeing this message when ssh-ing to the remote host:
```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
```
The fix was to resolve this issue first – see answers to ssh remote host identification has changed for details
```
ssh-keygen -R <host>
```
Login or Signup to reply.

- Sinon
- April 1, 2022 at 5:39 pm
- 0 votes
0
In Brief

You can try to disable SELinux to solve this problem. On Centos 7, the command is as follows:

Temporarily disable
```
> getenforce
  Enforcing
> setenforce 0 # Change from Enforcing to Permissive
> getenforce
  Permissive
```
Diable even after restart
```
> sed -i 's/enforcing$/disabled/g' /etc/selinux/config 
  # Auto close SELinux after reboot
```
Solving Process

I just solved this problem, to help people who are in the same predicament as me, here is my solution on CentOS 7. (Maybe a little different from above answers).

I got the error message below when I tried to connect my server by VScode Remote SSH:
```
00be3d8293b0: start
SSH_AUTH_SOCK====
DISPLAY====
webUiAccessToken====
listeningOn==44128==
osReleaseId==centos==
arch==x86_64==
tmpDir==/run/user/10053==
platform==linux==
unpackResult==success==
didLocalDownload==0==
downloadTime==2533==
installTime==10009==
extInstallTime====
serverStartTime==556==
connectionToken==2256a5b5-f1c8-4290-8446-576967b6a8a0==
00be3d8293b0: end
channel 3: open failed: administratively prohibited: open failed
channel 3: open failed: administratively prohibited: open failed
```
After searching many blogs, I tried to edit /etc/ssh/sshd to ensure the following code appears in the file:
```
PermitOpen any
AllowTcpForwarding yes
```
I restarted the sshd to make sure the file change takes effect. But it didn’t work for me.
```
systemctl restart sshd
(for me here is systemctl restart sshd.init)
```
Then I tried to find some error messages from journalctl -f, and I found that everytime I try to connect server by VScode, the following errors will appear (It happens when Vscode try to use wget):
```
sshd[14761]: error: connect to 127.0.0.1 port 44128 failed: Permission denied
sshd[14761]: error: connect to 127.0.0.1 port 44128 failed: Permission denied
```
Permission denied reminded me that it may be related to SELinux, so I changed the state of SELiunx:
```
> getenforce
  Enforcing
> setenforce 0 # Change from Enforcing to Permissive
> getenforce
  Permissive
```
Then miraculously, the problem was solved.

And to ensure SELinux will not take effect after reboot, I executed the following command:
```
> sed -i 's/enforcing$/disabled/g' /etc/selinux/config 
  # Auto close SELinux after reboot
```
Login or Signup to reply.

- AlexisMurzeau
- April 30, 2022 at 8:23 pm
- 0 votes
0
When having root access to host

Ensure AllowTcpForwarding yes is set in the remote host’s /etc/ssh/sshd_config file.

If you don’t have root access to host

You can use a sshd run as a normal user with a different configuration, allowing vscode to create forwarded ports.

The goal is to have a user controled sshd server started with AllowTcpForwarding yes and then use ssh’s ProxyCommand to connect to this server.

The steps to do this are:
1. Setup a sshd server (https://serverfault.com/a/946877):
  - Create working dir in home
  - generate server keys in the working dir
  - generate basic config file with pid file located in the working dir
  - launch SSH daemon
  - If you get errors about PAM, you can try with UsePAM no
```
mkdir ${HOME}/custom_ssh
ssh-keygen -f ${HOME}/custom_ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -f ${HOME}/custom_ssh/ssh_host_dsa_key -N '' -t dsa

cat << EOF > ${HOME}/custom_ssh/sshd_config
Port 2222
HostKey ${HOME}/custom_ssh/ssh_host_rsa_key
HostKey ${HOME}/custom_ssh/ssh_host_dsa_key
AuthorizedKeysFile  .ssh/authorized_keys
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
X11Forwarding yes
Subsystem   sftp    /usr/lib/ssh/sftp-server
PidFile ${HOME}/custom_ssh/sshd.pid"
EOF

/usr/bin/sshd -f ${HOME}/custom_ssh/sshd_config
echo "----- Process ID : ${HOME}/custom_ssh/sshd.pid -------"
```
1. On your client PC, configure a ssh host in ~/.ssh/config:
```
Host RemoteHost
    HostName 127.0.0.1
    Port 2222
    User user
    ForwardAgent yes
    ForwardX11 yes
    ProxyCommand ssh user@RemoteHostIp netcat %h %p
```
1. Use RemoteHost host in vscode
The resulting ssh path is like this:
```
interactive ssh <= stdio => ProxyCommand's ssh <= network => JumpHost's sshd <= stdio => netcat <= network => RemoteHost
```
See also: https://www.cyberciti.biz/faq/linux-unix-ssh-proxycommand-passing-through-one-host-gateway-server/
Login or Signup to reply.

- edupo
- August 26, 2022 at 3:21 pm
- 0 votes
0
In my case it was a VM running on my local and I bring it down and up with Vagrant. This makes the identification to change so often and therefore just removing the host entry from known_hosts in my localhost made the trick.

Login or Signup to reply.

- GaborSzarnyas
- September 3, 2022 at 12:00 pm
- 0 votes
0
Assuming you have no root access, here is a solution based on Alexis Murzeau’s answer, which works in environments where there is a server in a cluster but its users lack root access and AllowTcpForwarding is disabled.

This solution involves creating an SSH tunnel through a public cloud virtual machine. Therefore, please only use it if you understand its security implications and consider additional security measures (e.g. limiting the IP ranges that can access the cloud instance).

As prerequisites for this solution, you must be able to:
- Start a cloud instance in AWS EC2, GCP, Azure, etc. (any small instance, e.g. an EC2 free-tier instance, works).
- Start an SSHD process on your cluster machine without root access.
- Open an SSH tunnel from your cluster machine. (Certain SELinux rules can prevent you from doing this.)
The following is an overview figure with your local computer (where the VS Code desktop application runs),
the cloud instance (used as a proxy), and
the cluster machine (where you’d like to run VS Code server but cannot enable AllowTcpForwarding for the default SSH process).

The steps to configure this setup are the following. Values between guillemets, e.g. «cloud_instance_username», must be substituted according to your configuration.
1. Start a cloud instance (e.g. with Ubuntu 22.04).
2. SSH into the cloud instance and configure its SSHD to enable AllowTcpForwarding:
```
sudo vim /etc/ssh/sshd_config
```
  Uncomment the line: AllowTcpForwarding yes
  
  Restart the SSH service with:
```
sudo service sshd restart
```
3. Add the public SSH keys of your local computer and of the cluster machine to the ~/.ssh/authorized_keys file on the cloud machine.
4. Setup an SSHD server on the cluster machine:
```
mkdir ${HOME}/custom_ssh
ssh-keygen -f ${HOME}/custom_ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -f ${HOME}/custom_ssh/ssh_host_dsa_key -N '' -t dsa

cat << EOF > ${HOME}/custom_ssh/sshd_config
Port 2222
HostKey ${HOME}/custom_ssh/ssh_host_rsa_key
HostKey ${HOME}/custom_ssh/ssh_host_dsa_key
AuthorizedKeysFile  .ssh/authorized_keys
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
X11Forwarding yes
Subsystem   sftp    /usr/lib/ssh/sftp-server
PidFile ${HOME}/custom_ssh/sshd.pid"
EOF

/usr/bin/sshd -f ${HOME}/custom_ssh/sshd_config
echo "Process ID file: ${HOME}/custom_ssh/sshd.pid"
echo "Process ID: $(cat ${HOME}/custom_ssh/sshd.pid)"
```
  If you want to kill this SSHD server later, run:
```
kill $(cat ${HOME}/custom_ssh/sshd.pid)
```
5. On the cluster machine, create a reverse SSH tunnel to the cloud instance. Note that this command stays in the foreground. Use tmux to keep the session open or the -f flag to run it in the background.
```
ssh -R 8081:localhost:2222 
  «cloud_instance_username»@«cloud_instance_ip_address»
```
6. On the local machine, test the access with:
```
ssh -J 
  «cloud_instance_username»@«cloud_instance_ip_address» 
  «cluster_machine_username»@localhost -p 8081
```
7. If this works, edit the ~/.ssh/config file on your local computer:
```
Host proxy_cloud_instance
    HostName «cloud_instance_ip_address»
    User «cloud_instance_username»

Host vscode_ssh_host
    HostName localhost
    User «cluster_machine_username»
    Port 8081
    ProxyJump proxy_cloud_instance
```
8. Test the SSH configuration by issuing:
```
ssh vscode_ssh_host
```
9. Try starting a remote SSH session in VS Code to vscode_ssh_host.
Login or Signup to reply.

- Bambam
- September 6, 2022 at 3:41 pm
- 0 votes
0
"I’m trying to use the Remote-SSH extension to edit files on a Debian server"

Before this answer gets massively downvoted, it should be recognised that VS Code supports far simpler ways of editting files on remote servers and I think this answer will help some people. IMHO it is reasonable to answer a question "how do I use X to do Y" to at least suggest there might be a better X.

IF you only want to edit files on a remote linux server then a VS Code extension such as "ftp-simple" only requires you have logon credentials to the server and an sftp server is running there. This is a traditional low-impact way of providing the remote filesystem semantics an editor requires (browse file system, get file, save file) which can be fairly seamlessly integrated into the usual editor workflow.

remote-ssh is intended to be far more feature rich, requiring an application-specific protocol over an ssh tunnel between ‘VS Code’ executables at both ends, which itself requires VS Code to bootstrap the installation of VS Code ‘server’ code on the remote server for the connection to work. If you require features over-and-above the basic file-io necessary for browsing and editting files (for example remote testing, compilation and debugging) then remote-ssh will be a good choice.

Login or Signup to reply.

- Oleme
- December 27, 2022 at 7:21 pm
- 0 votes
0
just allow tcpforwarding from NO to YES and run this : sudo /etc/init.d/ssh restart

Work perfect for me
Good luck !

Login or Signup to reply.

- steamfood
- February 20, 2023 at 2:57 am
- 0 votes
0
None of the above solutions work for me. In my case, I have an AWS EC2 dynamically created every day with the same public DNS. The SSH Remote only works for the first time and not thereafter. After deleting the known host file sudo rm ~/.ssh/known_hosts, I was able to connect again.

Login or Signup to reply.