SSH channel open requests are rejected due to server-side policy restrictions. This commonly occurs when port forwarding is disabled in sshd_config or when tunneling operations are restricted for security reasons.
This error means the SSH server (sshd) has explicitly denied your request to open a new channel. SSH uses channels for various operations including port forwarding (LocalForward, RemoteForward), subsystem requests, and shell sessions. When the server responds with 'administratively prohibited', it indicates that sshd_config has been configured to explicitly block this type of channel operation for security reasons. The error is intentional and enforced at the daemon level, not a temporary network issue.
Connect to the SSH server and inspect the current sshd_config settings (the -i flag matters because sshd keywords are case-insensitive, so a hardened file may spell them in lowercase):
sudo grep -iE 'AllowTcpForwarding|PermitTunnel|DisableForwarding' /etc/ssh/sshd_config
If these lines are absent, the defaults apply (which may be 'no' on hardened systems). Note the current values before making changes.
Edit /etc/ssh/sshd_config and add or modify the AllowTcpForwarding setting:
sudo nano /etc/ssh/sshd_config
Find or add this line:
AllowTcpForwarding yes
This enables both local (-L) and remote (-R) port forwarding. Save and exit (Ctrl+X, then Y, then Enter in nano).
If you need tun/tap device tunneling (not just port forwarding), also add:
PermitTunnel yes
This enables VPN-style connections using device forwarding. If you only need port forwarding, this is optional.
Inspect the file for Match blocks that might override global settings:
sudo grep -n 'Match' /etc/ssh/sshd_config
Look for blocks like:
Match User someuser
    DisableForwarding yes
Every keyword after a Match line, up to the next Match line or the end of the file, belongs to that block and overrides the global setting for connections it matches, so check the whole block (for AllowTcpForwarding no as well as DisableForwarding yes), not just the first line under it. If a Match block disables forwarding for your user, either remove those lines or add your user or group to a block that allows forwarding.
Apply the configuration changes by restarting sshd. Run sudo sshd -t first to check the edited file for syntax errors: a broken sshd_config stops the daemon from starting and can lock you out of a remote host.
sudo systemctl restart sshd
On Debian and Ubuntu the service unit is named ssh rather than sshd, so use sudo systemctl restart ssh there. On BSD systems, use:
sudo service sshd restart
Or on older systems:
sudo /etc/init.d/sshd restart
Verify the fix by attempting a port forward operation:
ssh -v -L 9999:127.0.0.1:3306 user@remotehost
The -v flag adds verbose output. You should see successful channel open messages instead of 'administratively prohibited'. For tunnels, leave the connection open and test from another terminal.
In corporate or hardened environments (cloud instances, containers), administrators may intentionally disable forwarding for security. If you cannot modify sshd_config, work with your system administrator to request the appropriate relaxed permissions. Some organizations allow forwarding only from specific IP ranges or for specific users via Match blocks. When SSH fails with 'administratively prohibited', the server-side logs (typically /var/log/auth.log or /var/log/secure) record the rejected request, which helps diagnose Match block issues. Be aware that AllowTcpForwarding affects both local and remote forwarding equally: you cannot enable one without the other. If you need fine-grained control, use PermitOpen directives to restrict forwarding to specific hosts and ports. Some tools like VS Code Remote SSH may require additional troubleshooting: killing existing vscode processes on the server or restarting the server may be necessary if it is still running under the old configuration.
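Because Match blocks are where forwarding policy is most often overridden without anyone noticing, the following Python script (an added example, not part of the original article or of OpenSSH) resolves the effective AllowTcpForwarding, PermitTunnel and DisableForwarding values a given user would get from an sshd_config, applying sshd's rules that the first value seen in a section wins and that a matching Match block overrides the global section. SAMPLE_CONFIG, the user names and the group names are constructed for the demo; only Match User, Match Group and Match all criteria are evaluated.

```python
import fnmatch

# Constructed sshd_config for the demo (not taken from any real host): the global
# section allows forwarding, then Match blocks turn it off for some principals.
SAMPLE_CONFIG = """\
AllowTcpForwarding yes
PermitTunnel no
Match User deploy
    DisableForwarding yes
Match Group admins
    AllowTcpForwarding no
"""
FORWARDING_KEYS = ("allowtcpforwarding", "permittunnel", "disableforwarding")
DEFAULTS = {"allowtcpforwarding": "yes", "permittunnel": "no", "disableforwarding": "no"}

def _matches(criteria, user, groups):
    """Evaluate a Match line's User/Group criteria (comma-separated globs, as sshd uses)."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    for key, pats in zip(criteria[::2], criteria[1::2]):
        key, pats = key.lower(), pats.split(",")
        if key == "user" and not any(fnmatch.fnmatchcase(user, p) for p in pats):
            return False
        if key == "group" and not any(fnmatch.fnmatchcase(g, p) for g in groups for p in pats):
            return False
        if key not in ("user", "group"):
            return False  # Host/Address/etc. are not evaluated by this audit: treat as no match
    return True

def effective_forwarding(config_text, user, groups=()):
    """Resolve the forwarding keywords as sshd does: first value wins per section, Match overrides global."""
    global_vals, match_vals = {}, {}
    in_match, active = False, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, *rest = line.split()
        key = key.lower()
        if key == "match":  # a Match line starts a block; only an active block is recorded
            in_match, active = True, _matches(rest, user, groups)
            continue
        if key not in FORWARDING_KEYS or not rest or (in_match and not active):
            continue
        (match_vals if in_match else global_vals).setdefault(key, rest[0].lower())
    return {**DEFAULTS, **global_vals, **match_vals}

def forwarding_allowed(config_text, user, groups=()):
    """True only if AllowTcpForwarding is not 'no' and DisableForwarding is not set for this user."""
    eff = effective_forwarding(config_text, user, groups)
    return eff["disableforwarding"] == "no" and eff["allowtcpforwarding"] != "no"
```

On the server itself, sudo sshd -T -C user=NAME prints the effective configuration for that user and is the authoritative check; this script is for auditing copies of the file offline or across many hosts.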