Error "Administratively prohibited" with Native Clients and Extenders
Symptoms
Native-client connections via PrivX Extender fail with the error "Administratively prohibited".
Causes and Solutions
This section describes the possible causes and solutions of the symptom.
PrivX Configuration
Your PrivX deployment may not be configured for proxying native-client connections. Verify your PrivX settings and adjust as necessary:
- In the Extender configuration (/opt/privx/etc/extender-config.toml on your PrivX Extenders), privx_ssh_proxy_enabled = true
- In the Authorizer configuration (/opt/privx/etc/authorizer.toml on PrivX servers), the setting ssh_default_extensions includes the keywords permit-port-forwarding and permit-X11-forwarding
- In the SSH-proxy configuration (/opt/privx/etc/ssh-proxy.toml on PrivX servers), forwarder_enabled = true
- If connecting to loopback addresses (localhost, 127.0.0.1, ::1), allow_connect_to_loopback = true and allow_connect_to_local_addresses = true in the SSH-proxy configuration.
- If connecting to a local FQDN or IP (PrivX front-end FQDNs and/or IPs), then only allow_connect_to_local_address must be set to true.
- If connecting to other addresses, make sure the target address is not listed in the target_blacklist setting in the SSH-proxy configuration.
- The target-host IP address must belong to the allowed Subnets of the Extender. These can be verified on the PrivX GUI→Administration→Deployment→Deploy VPC/VPN extenders page, under the Extender configuration.
- Session recording is disabled on the target host. You can check this in the host settings, on the PrivX GUI→Administration→Hosts page.
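The target-address rules in the checklist above can be checked mechanically before changing any setting. The following is an added example, not PrivX code: the function name proxy_findings is hypothetical, and it assumes the ssh-proxy.toml settings have been loaded into a flat dict, that target_blacklist is a list of exact addresses, and that a missing key counts as false.

```python
import ipaddress

# Constructed sample: ssh-proxy.toml settings as a flat dict (assumed layout).
SAMPLE_PROXY_CFG = {
    "forwarder_enabled": True,
    "allow_connect_to_loopback": True,
    "allow_connect_to_local_addresses": False,  # key spelled as in the loopback item
    "target_blacklist": ["10.0.5.9"],  # assumed: list of exact addresses
}

def proxy_findings(target, cfg, local_addrs=(), extender_subnets=()):
    """List the checklist items that would block a connection to `target`.

    local_addrs: PrivX front-end FQDNs/IPs, supplied by the caller.
    extender_subnets: allowed subnets copied from the Extender configuration.
    """
    findings = []
    if not cfg.get("forwarder_enabled", False):
        findings.append("forwarder_enabled must be true")
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # target is a hostname, not an IP literal
    name = target.lower()
    if name == "localhost" or (ip is not None and ip.is_loopback):
        # Loopback targets need both allow_* settings.
        for key in ("allow_connect_to_loopback", "allow_connect_to_local_addresses"):
            if not cfg.get(key, False):
                findings.append(f"{key} must be true for loopback targets")
    elif name in {a.lower() for a in local_addrs}:
        # PrivX front-end FQDN/IP: only the local-address setting is needed.
        if not cfg.get("allow_connect_to_local_addresses", False):
            findings.append("allow_connect_to_local_addresses must be true for local targets")
    elif target in cfg.get("target_blacklist", []):
        findings.append(f"{target} is listed in target_blacklist")
    # The target IP must fall inside one of the Extender's allowed subnets.
    if ip is not None and extender_subnets:
        nets = [ipaddress.ip_network(s) for s in extender_subnets]
        if not any(ip in n for n in nets):
            findings.append(f"{target} is outside the Extender's allowed subnets")
    return findings

if __name__ == "__main__":
    for t in ("127.0.0.1", "10.0.5.9", "10.0.6.1", "10.0.5.10"):
        print(t, proxy_findings(t, SAMPLE_PROXY_CFG, extender_subnets=["10.0.5.0/24"]))
```

An empty result means none of the address-related items explains the error, so the remaining items (Extender and Authorizer settings, session recording) are the next things to verify.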
Other Causes
Also ensure the following:
- The ssh-proxy can establish connections to connection manager.
- Your PrivX license is valid.