Introduction:
When connecting to targets using VS Code Remote-SSH through Boundary, you may encounter the following error:
Failed to set up socket for dynamic port forward to remote port <dynamic-port>: Socket closed. TCP port forwarding may be disabled, or the remote server may have crashed.
This article walks through the steps to diagnose and resolve this issue.
Troubleshooting Steps:
1. SSHD Configuration on the Target Host
Check the SSH daemon configuration file:
/etc/ssh/sshd_config
Ensure the following setting is enabled:
AllowTcpForwarding yes
If you are using a Match User or Match Group block, confirm that TCP forwarding is also enabled there:
Match User <user> or Match Group <group>
AllowTcpForwarding yes
Additionally, verify:
GatewayPorts yes
PermitOpen any
Note: Restrictive PermitOpen values can block port forwarding.
2. Authorized Keys Configuration
On the target host, check the following file:
~/.ssh/authorized_keys
Locate the SSH key being used and confirm it does not restrict port forwarding.
For example, a restrictive entry like the following can cause this error:
permitopen="127.0.0.1:22"
If present, update or remove the restriction as appropriate.
3. Vault Configuration
In setups where Vault SSH CA is used with the SSH secrets engine, the Vault role and issued certificates must include additional SSH certificate extensions to support TCP port forwarding.
Ensure the role configuration includes the following extensions:
allowed_extensions permit-pty,permit-port-forwarding,permit-agent-forwarding,permit-X11-forwarding
default_extensions map[permit-X11-forwarding: permit-agent-forwarding: permit-port-forwarding: permit-pty:]
If these extensions are missing, SSH clients such as VS Code Remote-SSH connecting through Boundary will fail when attempting to establish dynamic port forwarding.
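The checks from steps 1 and 2 can be scripted. The following is an added example, not part of the original article or of Boundary, Vault or OpenSSH; the function names and sample inputs are constructed for illustration. It goes slightly beyond the article by also flagging the no-port-forwarding key option, and it assumes a single sshd_config file with no Include directives.

```python
import re

# AllowTcpForwarding values that still permit client-side (-L / -D) forwards.
FORWARD_OK = {"yes", "all", "local"}
KEY_TYPE = re.compile(r"(?:^|\s)(?:ssh|ecdsa|sk)-[\w@.-]+\s+AAAA")

def audit_sshd_config(text):
    """Return (scope, keyword, value) for settings that can block dynamic forwarding."""
    findings, scope, seen = [], "global", set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = "Match " + value      # later keywords apply to this block only
            continue
        if (scope, key) in seen:          # keep only the first value seen per scope
            continue
        seen.add((scope, key))
        if key == "allowtcpforwarding" and value.lower() not in FORWARD_OK:
            findings.append((scope, "AllowTcpForwarding", value))
        elif key == "permitopen" and value.lower() != "any":
            findings.append((scope, "PermitOpen", value))
    return findings

def audit_authorized_keys(text):
    """Return (line_number, option) for key options that restrict port forwarding."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = KEY_TYPE.search(line)
        if not match or line.lstrip().startswith("#"):
            continue
        options = line[:match.start()]    # everything before the key type
        for hit in re.findall(r'permitopen="[^"]*"|no-port-forwarding', options, re.I):
            findings.append((number, hit))
    return findings

# Constructed sample inputs (not taken from a real host).
SAMPLE_SSHD = ("# constructed sample\nAllowTcpForwarding yes\nPermitOpen any\n"
               "Match User deploy\n    AllowTcpForwarding no\n"
               "Match Group dev\n    PermitOpen 127.0.0.1:22\n")
SAMPLE_KEYS = ('permitopen="127.0.0.1:22" ssh-ed25519 AAAAC3constructed user@example\n'
               "ssh-ed25519 AAAAC3constructed other@example\n")

if __name__ == "__main__":
    print(audit_sshd_config(SAMPLE_SSHD))
    print(audit_authorized_keys(SAMPLE_KEYS))
```

On a live host, the effective values for a specific user can be confirmed with sshd -T -C user=<user> run as root.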