VSCode Remote SSH Connection Failed

Question

I'm trying to use the Remote-SSH extension to edit files on a Debian server. The SSH connection is established correctly but then I get an error message :

Failed to connect to the remote extension host server

And the log :

[13:19:04.182] Remote server is listening on port 51569
[13:19:04.182] Parsed server configuration: {"agentPort":51569,"osReleaseId":"debian","arch":"x86_64","webUiAccessToken":"","sshAuthSock":"","tmpDir":"/tmp"}
[13:19:04.184] Starting forwarding server. localPort 59828 -> socksPort 59825 -> remotePort 51569
[13:19:04.185] Forwarding server listening on 59828
[13:19:04.185] Waiting for ssh tunnel to be ready
[13:19:04.186] Tunneled remote port 51569 to local port 59828
[13:19:04.186] Resolved "ssh-remote+home-debian.web-data.host" to "127.0.0.1:59828"
[13:19:04.187] [Forwarding server 59828] Got connection 0
[13:19:04.195] ------
[13:19:04.208] [Forwarding server 59828] Got connection 1
[13:19:04.208] [Forwarding server 59828] Got connection 2
[13:19:04.217] Failed to set up socket for dynamic port forward to remote port 51569: Socket closed. Is the remote port correct?
[13:19:04.227] > channel 3: open failed: administratively prohibited: open failed
[13:19:04.235] Failed to set up socket for dynamic port forward to remote port 51569: Socket closed. Is the remote port correct?
[13:19:04.237] Failed to set up socket for dynamic port forward to remote port 51569: Socket closed. Is the remote port correct?
[13:19:04.241] > channel 4: open failed: administratively prohibited: open failed
> channel 5: open failed: administratively prohibited: open failed

I am using the remote ssh connection on several other servers and have never had this error. I have tested a few things gleaned from the web but nothing has worked so far.

Could someone enlighten me on the reason for the problem or on a possible solution ? Thanks !

Answer 1

Changing AllowTcpForwarding from no to yes in sshd_config and restarting sshd works for me.

Tested on Raspbian GNU/Linux 10 (buster)

Answer 2

Delete '~/.vscode-server' folder on your server, and try reconnect.

Not sure for Debian server, but this worked on Ubuntu 18.04

Answer 3

Follow these steps

1. Update the sshd_config file in the host machine.Follow this command nano /etc/ssh/sshd_config and then set AllowTcpForwarding to yes
2. Restart ssh on the host machine sudo systemctl restart ssh
3. Detele the .vscode-server in host machine rm -rf /home/<user_name>/.vscode-server
4. Now connect through VS Code again. Hopefully it will work

Answer 4

[13:19:04.227] > channel 3: open failed: administratively prohibited: open failed

The remote server that you're connecting to is refusing to perform port forwards for you. Assuming the remote server is OpenSSH, there are two places on the remote server where this might be configured:

1. The server may be configured not to permit port forwarding through the sshd_config options PermitOpen or DisableForwarding options.
2. If you're authenticating with an ssh key, forwarding might be disabled through the authorized_keys options PermitOpen or restrict.

Answer 5

FWIW; I had the same issue and a reboot seemed to solve the problem.

Answer 6

I was getting this error:

Could not establish connection to "workspace": Port forwarding is disabled.

I was getting this error because my remote host vm had been rebuilt causing my known_hosts file on the local system to contain an invalid key. Removing the old entry from known_hosts solved the issue.

Answer 7

In my case, the ssh host identification had changed - I was seeing this message when ssh-ing to the remote host:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

The fix was to resolve this issue first - see answers to ssh remote host identification has changed for details

ssh-keygen -R <host>

Answer 8

I just solved this problem, to help people who are in the same predicament as me, here is my solution on CentOS 7. (Maybe a little different from above answers).

I got the error message below when I tried to connect my server by VScode Remote SSH:

00be3d8293b0: start
SSH_AUTH_SOCK====
DISPLAY====
webUiAccessToken====
listeningOn==44128==
osReleaseId==centos==
arch==x86_64==
tmpDir==/run/user/10053==
platform==linux==
unpackResult==success==
didLocalDownload==0==
downloadTime==2533==
installTime==10009==
extInstallTime====
serverStartTime==556==
connectionToken==2256a5b5-f1c8-4290-8446-576967b6a8a0==
00be3d8293b0: end
channel 3: open failed: administratively prohibited: open failed
channel 3: open failed: administratively prohibited: open failed

After searching many blogs, I tried to edit /etc/ssh/sshd to ensure the following code appears in the file:

PermitOpen any
AllowTcpForwarding yes

I restarted the sshd to make sure the file change takes effect. But it didn't work for me.

systemctl restart sshd
(for me here is systemctl restart sshd.init)

Then I tried to find some error messages from journalctl -f, and I found that everytime I try to connect server by VScode, the following errors will appear (It happens when Vscode try to use wget):

sshd[14761]: error: connect to 127.0.0.1 port 44128 failed: Permission denied
sshd[14761]: error: connect to 127.0.0.1 port 44128 failed: Permission denied

Permission denied reminded me that it may be related to SELinux, so I changed the state of SELiunx:

> getenforce
  Enforcing
> setenforce 0 # Change from Enforcing to Permissive
> getenforce
  Permissive

Then miraculously, the problem was solved.

And to ensure SELinux will not take effect after reboot, I executed the following command:

> sed -i 's/enforcing$/disabled/g' /etc/selinux/config 
  # Auto close SELinux after reboot

Answer 9

When having root access to host

Ensure AllowTcpForwarding yes is set in the remote host's /etc/ssh/sshd_config file.

If you don't have root access to host

You can use a sshd run as a normal user with a different configuration, allowing vscode to create forwarded ports.

The goal is to have a user controled sshd server started with AllowTcpForwarding yes and then use ssh's ProxyCommand to connect to this server.

The steps to do this are:

1. Setup a sshd server (https://serverfault.com/a/946877):
   • Create working dir in home
   • generate server keys in the working dir
   • generate basic config file with pid file located in the working dir
   • launch SSH daemon
   • If you get errors about PAM, you can try with UsePAM no

mkdir ${HOME}/custom_ssh
ssh-keygen -f ${HOME}/custom_ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -f ${HOME}/custom_ssh/ssh_host_dsa_key -N '' -t dsa

cat << EOF > ${HOME}/custom_ssh/sshd_config
Port 2222
HostKey ${HOME}/custom_ssh/ssh_host_rsa_key
HostKey ${HOME}/custom_ssh/ssh_host_dsa_key
AuthorizedKeysFile  .ssh/authorized_keys
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
X11Forwarding yes
Subsystem   sftp    /usr/lib/ssh/sftp-server
PidFile ${HOME}/custom_ssh/sshd.pid"
EOF

/usr/bin/sshd -f ${HOME}/custom_ssh/sshd_config
echo "----- Process ID : ${HOME}/custom_ssh/sshd.pid -------"

2. On your client PC, configure a ssh host in ~/.ssh/config:

Host RemoteHost
    HostName 127.0.0.1
    Port 2222
    User user
    ForwardAgent yes
    ForwardX11 yes
    ProxyCommand ssh user@RemoteHostIp netcat %h %p

3. Use RemoteHost host in vscode

The resulting ssh path is like this:

interactive ssh <= stdio => ProxyCommand's ssh <= network => JumpHost's sshd <= stdio => netcat <= network => RemoteHost

See also: https://www.cyberciti.biz/faq/linux-unix-ssh-proxycommand-passing-through-one-host-gateway-server/