andrewschenck / paramiko-jump

Enables MFA/2FA and SSH proxying on top of Paramiko SSH.

SSH Session Source IP Address? #39

Closed RepotSirc closed 2 weeks ago

RepotSirc commented 3 weeks ago

So I have this setup

PC [192.168.0.0/24] --- jumphost [10.10.10.0/24] --- router [10.20.30.0/24]

In summary, I am able to successfully connect to the jumphost, but when I connect to the router I am getting an "Administratively prohibited" error. The router is configured to only allow SSH connections from the jumphost IP subnet, which is 10.10.10.0/24, and everything else is denied. Now I am getting denied access to the router; is it possible that the source IP of the SSH connection towards the router is the 192.168.0.0/24 (PC) instead of the jumphost subnet (10.10.10.0/24)?

Below is my code

import paramiko
from getpass import getpass
from paramiko_jump import SSHJumpClient, MultiFactorAuthHandler

jumphost = input("Bastion Server host/ip : ")
bastion_username = input("Bastion Username: ")
bastion_password = getpass("Bastion Password : ")
passcode = getpass("RSA Passcode : ")

# Responses handed to the jump host's authentication prompts in the order added:
# password first, then the RSA passcode.
handler = MultiFactorAuthHandler()
handler.add(bastion_password)
handler.add(passcode)

with SSHJumpClient(auth_handler=handler) as jumper:
    jumper.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    jumper.connect(
        hostname=jumphost,
        username=bastion_username,
        look_for_keys=False,
    )

    stdin, stdout, stderr = jumper.exec_command('uptime')
    output = stdout.readlines()
    print("Successfully authenticated with the", jumphost, "server!")
    print(output)

    node = input("Enter Router hostname/ip : ")
    node_username = input("Node Username : ")
    node_password = getpass("Enter Node Password : ")

    # Second hop: tunnelled through the jump session as a direct-tcpip channel,
    # so the TCP connection to the router is made by the jump host's sshd.
    with SSHJumpClient(jump_session=jumper) as target:
        target.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        target.connect(
            hostname=node,
            username=node_username,
            password=node_password,
            look_for_keys=False,
            allow_agent=False,
        )

        terminal = target.invoke_shell()
        terminal.send("show chassis\n")

Output

Bastion Server host/ip :  sample.local
Bastion Username:  domain\username
Bastion Password :  ········
RSA Passcode :  ········
Successfully authenticated with the sample.local server!
[' 15:25:34 up 26 days, 20:17, 143 users,  load average: 0.08, 0.21, 0.27\n']
Enter Router hostname/ip :  sample.local
Node Username :  username
Enter Node Password :  ········

Error

Secsh channel 1 open FAILED: open failed: Administratively prohibited
---------------------------------------------------------------------------
ChannelException                          Traceback (most recent call last)
Cell In[3], line 28
     26 with SSHJumpClient(jump_session=jumper) as target:
     27     target.set_missing_host_key_policy(paramiko.AutoAddPolicy())
---> 28     target.connect(
     29         hostname = node,
     30         username = node_username,
     31         password = node_password,
     32         look_for_keys = False,
     33         allow_agent = False,)
     35     terminal = target.invoke_shell()
     36     terminal.send("show chassis\n")

File ~\OneDrive\root\Documents\002_vdi_env\vdi\Lib\site-packages\paramiko_jump\client.py:133, in SSHJumpClient.connect(self, hostname, port, username, password, pkey, key_filename, timeout, allow_agent, look_for_keys, compress, sock, gss_auth, gss_kex, gss_deleg_creds, gss_host, banner_timeout, auth_timeout, channel_timeout, gss_trust_dns, passphrase, disabled_algorithms, transport_factory, auth_strategy)
    130         raise ValueError('jump_session= and sock= are mutually '
    131                          'exclusive')
    132     transport = self._jump_session._transport
--> 133     sock = transport.open_channel(
    134         kind='direct-tcpip',
    135         dest_addr=(hostname, port),
    136         src_addr=transport.getpeername(),
    137         timeout=timeout,
    138     )
    140 return super().connect(
    141     hostname=hostname,
    142     port=port,
   (...)
    162     auth_strategy=auth_strategy,
    163 )

File ~\OneDrive\root\Documents\002_vdi_env\vdi\Lib\site-packages\paramiko\transport.py:1115, in Transport.open_channel(self, kind, dest_addr, src_addr, window_size, max_packet_size, timeout)
   1113 if e is None:
   1114     e = SSHException("Unable to open channel.")
-> 1115 raise e

ChannelException: ChannelException(1, 'Administratively prohibited')
andrewschenck commented 2 weeks ago

Your jump session will have a source IP that belongs to the jump host, but there are other possible causes of this error besides just the firewall. It's very likely that your ssh server on the jump host is configured to disable forwarding. Check your SSHD server config on the jump host for parameters related to forwarding:

AllowTcpForwarding
PermitOpen

Depending on which SSH implementation you're using, these might vary a bit.
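
An added diagnostic helper, not part of paramiko-jump or of this thread: it maps the reason code paramiko puts in ChannelException to its RFC 4254 meaning, so "Administratively prohibited" (the jump host's sshd policy) can be told apart from "Connect failed" (the router's own ACL or firewall), and it reads the unconditional AllowTcpForwarding/PermitOpen policy out of an sshd_config excerpt. The config text below is constructed, and the parser deliberately stops at the first Match block.

```python
import re

# RFC 4254 section 5.1 channel-open failure reason codes. paramiko surfaces
# them as ChannelException(code, text), e.g. (1, 'Administratively prohibited').
OPEN_FAILURE_REASONS = {
    1: ("SSH_OPEN_ADMINISTRATIVELY_PROHIBITED",
        "the jump host's sshd refused to forward: check AllowTcpForwarding, "
        "PermitOpen, or a no-port-forwarding restriction on the account/key"),
    2: ("SSH_OPEN_CONNECT_FAILED",
        "sshd tried the connection from the jump host but the target refused "
        "or timed out: router ACL/firewall, wrong host/port, or service down"),
    3: ("SSH_OPEN_UNKNOWN_CHANNEL_TYPE", "server does not support this channel type"),
    4: ("SSH_OPEN_RESOURCE_SHORTAGE", "server is out of channels or resources"),
}


def explain_open_failure(code):
    """Map a ChannelException reason code to its RFC name and a likely cause."""
    name, hint = OPEN_FAILURE_REASONS.get(code, ("UNKNOWN", "unrecognised reason code"))
    return f"{name}: {hint}"


def sshd_forwarding_policy(config_text):
    """Report whether the global section of an sshd_config lets sshd open a
    direct-tcpip channel (what SSHJumpClient uses for the second hop).
    sshd keeps the FIRST value given for a keyword, keywords are
    case-insensitive, and lines after the first 'Match' only apply
    conditionally, so parsing stops there."""
    allow, permit = None, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key val" or "Key=val"
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            break                                   # per-user/host overrides start here
        if key == "allowtcpforwarding" and allow is None:
            allow = value.lower()
        elif key == "permitopen" and permit is None:
            permit = value.split()
    allow = allow or "yes"                          # sshd defaults when unset
    permit = permit or ["any"]
    return {
        "AllowTcpForwarding": allow,
        "PermitOpen": permit,
        "direct_tcpip_possible": allow in ("yes", "local") and permit != ["none"],
    }


# Constructed jump-host sshd_config excerpt (hypothetical, not from any real host).
SAMPLE_SSHD_CONFIG = """\
Port 22
AllowTcpForwarding no
AllowTcpForwarding yes   # ignored: sshd keeps the first value
PermitOpen 10.20.30.1:22 10.20.30.2:22
Match User netops
    AllowTcpForwarding yes
"""
```

Running sshd_forwarding_policy on the sample reports AllowTcpForwarding "no", so the router ACL never gets a chance to be the problem; the same check on a config with `AllowTcpForwarding local` and `PermitOpen any` reports the channel as possible.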

RepotSirc commented 2 weeks ago

@andrewschenck, you are right, TCP forwarding is not permitted; I just got confirmation from our system admins.