This error occurs when the SSH server (sshd) denies a channel opening request for port forwarding, tunneling, or subsystem operations. It means the server is configured to administratively prohibit the requested operation, even though the authentication succeeded.
When you attempt to use SSH features like local port forwarding (-L), remote port forwarding (-R), SFTP/SCP, or X11 forwarding, SSH must open a channel on the remote server to handle the operation. This error message indicates the SSH server has accepted your authentication but explicitly rejects the channel open request because it is administratively prohibited. This typically happens due to sshd configuration restrictions that limit which operations are allowed, which users can use certain features, or which specific ports/hosts can be accessed through forwarding.
First, verify that standard SSH connection works without forwarding:
ssh user@hostname
If you can log in successfully, the issue is specifically with the requested channel operation (forwarding, tunneling, etc.), not the connection itself. This confirms it's a server-side configuration restriction.
Identify whether the error occurs with port forwarding, tunneling, SFTP, or X11. Each has different fixes:
Local port forwarding:
ssh -L 8080:localhost:80 user@hostname
# If this fails with 'administratively prohibited', AllowTcpForwarding is disabled
Remote port forwarding:
ssh -R 8080:localhost:80 user@hostname
# Requires AllowTcpForwarding and GatewayPorts enabled
SFTP:
sftp user@hostname
# Requires Subsystem sftp configured in sshd_config
X11 forwarding:
ssh -X user@hostname
# Requires X11Forwarding enabled
Use verbose mode to see exactly what is being denied:
ssh -vvv -L 8080:localhost:80 user@hostname 2>&1 | grep -A 2 'administratively'
If you have root access to the SSH server, edit /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
Find or add this line:
AllowTcpForwarding yes
If the line starts with #, uncomment it. Then restart sshd:
On systemd systems:
sudo systemctl restart sshd
On older systems:
sudo service sshd restart
For remote port forwarding specifically, also ensure:
GatewayPorts yes
This allows other machines to connect to the forwarded port (otherwise only localhost can connect).
On the remote server, the SSH public key in authorized_keys may have restrictions. Check the key:
grep -i "no-port" ~/.ssh/authorized_keys
If you see directives like no-port-forwarding or no-pty, they block the operation. To remove them:
# Backup first
cp ~/.ssh/authorized_keys ~/.ssh/authorized_keys.bak
# Edit and remove no-port-forwarding, no-pty, restrict, etc.
nano ~/.ssh/authorized_keys
The key should start directly with ssh-rsa or ssh-ed25519 with no prefix directives.
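The grep above only matches options containing "no-port". As an added example (not part of the original article), this shell function parses the option field of each authorized_keys entry, quoted values included, and reports restrict, no-port-forwarding, no-pty and permitopen=; the sample entries are constructed and their key material is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original article). Reads authorized_keys on
# stdin and reports, per line, the options that restrict what the key may do.
audit_key_options() {
    awk '
    function flag(opt,   name) {
        name = tolower(opt); sub(/=.*/, "", name)
        if (name ~ /^(restrict|no-port-forwarding|no-pty|permitopen)$/)
            hits = (hits == "" ? opt : hits "," opt)
    }
    /^[ \t]*#/ { next }                        # comment lines
    /^[ \t]*$/ { next }                        # blank lines
    {
        sub(/^[ \t]+/, "")
        if ($0 ~ /^(ssh-|ecdsa-|sk-)/) next    # key type first: no options
        hits = ""; opt = ""; inq = 0; n = length($0)
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            if (inq && c == "\\") {            # keep an escaped quote inside a value
                opt = opt c substr($0, i + 1, 1); i++; continue
            }
            if (c == "\"") inq = !inq
            if (!inq && (c == "," || c == " " || c == "\t")) {
                flag(opt); opt = ""
                if (c == ",") continue
                break                          # unquoted blank ends the options
            }
            opt = opt c
        }
        if (hits != "") print "line " NR ": " hits
    }'
}

# Constructed sample file; AAAA...PLACEHOLDER stands in for real key data.
sample_authorized_keys() {
    cat <<'EOF'
# constructed sample
ssh-ed25519 AAAAC3PLACEHOLDER alice@laptop
restrict,command="backup --dest \"/srv, nightly\"" ssh-ed25519 AAAAC3PLACEHOLDER backup@ci
no-pty,permitopen="127.0.0.1:5432" ssh-rsa AAAAB3PLACEHOLDER tunnel@app
EOF
}

sample_authorized_keys | audit_key_options
```

Against a real account, run `audit_key_options < ~/.ssh/authorized_keys`.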
If the server admin wants to allow port forwarding but only to specific destinations, they can use PermitOpen:
sudo nano /etc/ssh/sshd_config
To allow forwarding to any destination:
PermitOpen any
Or restrict to specific hosts/ports:
# List every destination on one line, separated by spaces; sshd uses only the first PermitOpen line it reads
PermitOpen localhost:3306 192.168.1.5:5432
Then restart sshd:
sudo systemctl restart sshd
If PermitOpen is set and you're being denied, ask the admin to either add your destination to the list or set PermitOpen to 'any'.
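To see how AllowTcpForwarding and PermitOpen combine, the following added example (not from the original article) predicts the server's verdict for a forward from `sshd -T`-style output on stdin. The sample settings and the host db.internal are constructed, and IPv6 bracket syntax is not handled.

```shell
#!/bin/sh
# Added example, not from the original article: predict whether sshd's
# effective settings permit a forward. stdin is `sshd -T`-style output
# ("keyword value" per line, keyword in lowercase).
# Usage: check_forward local|remote [host:port]
check_forward() {
    mode=$1; dest=${2:-}
    atf=yes; permitopen=any          # OpenSSH defaults when a keyword is unset
    while read -r key value; do
        case $key in
            allowtcpforwarding) atf=$value ;;
            permitopen)         permitopen=$value ;;
        esac
    done
    case $atf in
        yes|all|"$mode") ;;
        *) echo "denied: AllowTcpForwarding $atf"; return 1 ;;
    esac
    # PermitOpen limits the destinations of local (-L) forwards only.
    if [ "$mode" != local ] || [ "$permitopen" = any ]; then
        echo "allowed"; return 0
    fi
    verdict="denied: PermitOpen does not list $dest"
    set -f                           # keep '*' entries from globbing
    for entry in $permitopen; do     # "none" never matches a host:port
        host=${entry%:*}; port=${entry##*:}
        if [ "$host" != "*" ] && [ "$host" != "${dest%:*}" ]; then continue; fi
        if [ "$port" = "*" ] || [ "$port" = "${dest##*:}" ]; then
            verdict=allowed
        fi
    done
    set +f
    echo "$verdict"
    [ "$verdict" = allowed ]
}

# Constructed sample of effective settings for a restricted account.
sample_config() {
    cat <<'EOF'
port 22
allowtcpforwarding local
gatewayports no
permitopen 127.0.0.1:5432 db.internal:*
EOF
}

sample_config | check_forward local db.internal:3306
sample_config | check_forward remote || true
```

On a real server, pipe in the effective settings for one login, for example `sudo sshd -T -C user=alice,host=client.example,addr=203.0.113.7 | check_forward local 127.0.0.1:5432` (placeholder user, host and address), which also resolves any Match blocks.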
If you're connecting to a managed server (cloud provider, shared host, company infrastructure) and you don't have root access, contact the system administrator with this information:
1. Request: Enable AllowTcpForwarding in sshd_config for your user (or globally if acceptable)
2. Reason: "I need port forwarding for [your use case]"
3. Secure alternative: If full forwarding can't be enabled, ask if PermitOpen can be configured to allow only your specific target host/port
Example message to admin:
Hello, I need SSH port forwarding capability for my key (fingerprint: xxx).
The server currently returns 'administratively prohibited' errors when I attempt
port forwarding. Could you please:
- Enable AllowTcpForwarding in /etc/ssh/sshd_config, or
- Add PermitOpen for the specific hosts/ports I need to access?
ProxyJump and Jump Hosts: When using ProxyJump (-J flag), all intermediate SSH servers in the chain must have AllowTcpForwarding enabled, not just the final destination. If any intermediate server denies it, the whole connection fails.
Docker and Kubernetes SSH Containers: SSH inside containers may have minimal sshd_config. If you're connecting to a containerized SSH service, the container image might disable forwarding by default. You'll need to rebuild with the correct sshd_config or use a different networking approach.
Relative vs. Absolute Forwarding: The error number (0, 1, 2, etc.) indicates the channel number. Channel 0 is typically the first attempted operation. If you see multiple errors with different channel numbers, multiple operations are being attempted and all are denied.
SSH Subsystem Restrictions: For SFTP specifically, ensure the subsystem line exists in sshd_config: Subsystem sftp /usr/lib/openssh/sftp-server. The "administratively prohibited" error for SFTP might also indicate a missing subsystem definition.
SELinux and AppArmor: On hardened systems, SELinux policies or AppArmor profiles might enforce additional SSH restrictions beyond sshd_config. If enabling forwarding in config doesn't work, check: sudo getenforce (SELinux) or check AppArmor profiles in /etc/apparmor.d/