[SOLVED] SSH AllowTcpForwarding set to no automatically?

Aug 12, 2025
Hi all,
after a network uplink failure, I recognized in the syslog that the Postgres DB sync (pmgmirror/pmgtunnel) did not work anymore. A lot of research later it turned out that AllowTcpForwarding was set to no in the sshd_config. Now I try to find out if that was a coincidence with e.g. our Ansible or if there is some kind of protection which did that. Can the PMG set AllowTcpForwarding to no by itself? E.g. in some error cases.

Best regards Delmo
 
Hi, PMG doesn't touch sshd_config by itself. In this case I suspect 2 possible ways it could have happened:

  • Ansible hardening role — Roles like dev-sec.ssh-hardening (or similar CIS/STIG-based hardening playbooks) explicitly set AllowTcpForwarding no as a security best practice. If your Ansible runs touched the SSH config around the time of the failure, this is almost certainly the cause. Check your Ansible run logs/history for that time window.
  • apt dist-upgrade / package upgrade — During a PMG major upgrade (e.g., 7 → 8), apt will ask whether to keep your version or install the package maintainer's version of /etc/ssh/sshd_config. If someone chose "install the maintainer's version" and the new Debian openssh-server default included AllowTcpForwarding no, that could explain it.
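
To narrow down which file a hardening run or an upgrade changed, it helps to list every place the directive is set and which one sshd actually uses. The script below is an added example, not part of the thread or of PMG; the function names and the sample tree are made up for illustration, and relative Include paths are resolved against the directory of the file you pass in (for /etc/ssh/sshd_config that matches sshd's behaviour).

```shell
#!/bin/sh
# Added example: list every global AllowTcpForwarding line in an sshd config
# tree in read order. sshd keeps the first value it obtains for a keyword.
# Simplified: "keyword value" syntax only; lines after a Match are skipped.

find_directive() (    # usage: find_directive FILE [BASEDIR]
    file=$1; base=${2:-$(dirname "$1")}; n=0
    [ -r "$file" ] || exit 0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%%#*}                          # drop comments
        line=${line#"${line%%[![:space:]]*}"}     # trim leading blanks
        key=${line%%[[:space:]]*}
        val=${line#"$key"}
        val=${val#"${val%%[![:space:]]*}"}
        val=${val%"${val##*[![:space:]]}"}        # trim trailing blanks
        case $(printf '%s' "$key" | tr '[:upper:]' '[:lower:]') in
            match) break ;;                       # the rest is conditional
            include)
                set -f; set -- $val; set +f       # split without globbing
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat=$base/$pat ;; esac
                    for f in $pat; do find_directive "$f" "$base"; done
                done ;;
            allowtcpforwarding) printf '%s:%s:%s\n' "$file" "$n" "$val" ;;
        esac
    done <"$file"
)

effective_forwarding() {    # first hit wins; "(unset)" if there is none
    v=$(find_directive "$@" | sed -n '1s/.*://p')
    printf '%s\n' "${v:-(unset)}"
}

demo() {    # constructed sample tree, not data from a real host
    d=$(mktemp -d) && mkdir "$d/sshd_config.d"
    printf 'AllowTcpForwarding no  # drop-in\n' >"$d/sshd_config.d/50-x.conf"
    printf 'Include sshd_config.d/*.conf\nAllowTcpForwarding yes\n' >"$d/sshd_config"
    printf 'Match User backup\n    AllowTcpForwarding no\n' >>"$d/sshd_config"
    find_directive "$d/sshd_config"; effective_forwarding "$d/sshd_config"
    rm -rf "$d"
}

if [ $# -gt 0 ]; then find_directive "$1"; effective_forwarding "$1"; else demo; fi
```

Run it with the path to sshd_config as the first argument; `sshd -T` (as root) prints the configuration sshd itself resolves and is the authoritative cross-check.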