Pritunl zero bastion host

Hello

We have an issue connecting to servers that are not using port 22.
On this kind of server we get this error:
channel 0: open failed: administratively prohibited: open failed
stdio forwarding failed

All other servers running on 22 are connectable.

Actually the bastion host is a Docker container and runs this config:

Match User bastion
AllowAgentForwarding no
AllowTcpForwarding yes
PermitOpen *:22
GatewayPorts no
X11Forwarding no
PermitTunnel no
ForceCommand echo 'Pritunl Zero Bastion Host'
TrustedUserCAKeys /ssh/trusted
AuthorizedPrincipalsFile /ssh/principals
Match all

I presume we cannot target a server that is not listening on port 22,
because of the value:

PermitOpen *:22

If yes, is there a way to modify it?

I tried the change on the Docker image and it works.
I modified it to
PermitOpen *:22 *:22222
and it works.
Is there any better method than modifying the container?

Also, how is the container started? (In case I want to modify the image path.)
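The `PermitOpen` behaviour discussed above, as an added example that is not part of the thread or of Pritunl Zero's code: a small Python audit helper that reads an `sshd_config`, finds the `PermitOpen` list applying to a user, and reports whether a forwarding target would be accepted or rejected as "administratively prohibited". The function names and the simplified `Match` handling (only `Match User` and `Match all`, no negated patterns) are assumptions of this example.

```python
import fnmatch

# Constructed sample: the Match block quoted in the thread, trimmed.
SAMPLE_CONFIG = """\
Match User bastion
    AllowTcpForwarding yes
    PermitOpen *:22
Match all
"""

def permit_open_for(config_text, user):
    """Return the PermitOpen list that applies to `user`.

    Simplified model (assumption): only `Match User <patterns>` and
    `Match all` are understood; the first matching block that sets
    PermitOpen wins, then the global section, then the default "any".
    """
    global_val = match_val = None
    in_global, in_scope = True, True
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key, args = words[0].lower(), words[1:]
        if key == "match":
            in_global = False
            crit = [a.lower() for a in args[:1]]
            if crit == ["all"]:
                in_scope = True
            elif crit == ["user"] and len(args) == 2:
                in_scope = any(fnmatch.fnmatchcase(user, p) for p in args[1].split(","))
            else:
                in_scope = False
        elif key == "permitopen" and in_scope and args:
            if in_global:
                global_val = global_val or args
            else:
                match_val = match_val or args
    return match_val or global_val or ["any"]

def is_forward_allowed(permit_open, host, port):
    """PermitOpen check: 'any', 'none', or host:port where '*' is a wildcard."""
    for entry in permit_open:
        if entry.lower() in ("any", "none"):
            return entry.lower() == "any"
        ehost, _, eport = entry.rpartition(":")
        if ehost.strip("[]") in ("*", host) and eport in ("*", str(port)):
            return True
    return False
```

With the original `PermitOpen *:22`, a target on port 22222 is refused; with `PermitOpen *:22 *:22222` it is accepted, while every other port stays blocked.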

The image can be changed by running the command below.

sudo pritunl-zero set system bastion_docker_image '"docker.io/pritunl/pritunl-bastion"'

OK thanks, it's what we are looking for :+1:

For my knowledge @zach,
where is this setting set? In Mongo?

That command can be run on the server and it will update the database with the option.

OK, so it will reflect on all bastion servers?

Yes that is stored in the database and will update all Pritunl Zero hosts.

Hello @zach
I changed the image name with the command. It looks like it's working, but I get this in the log now:

arg: ["pull","pritunl-bastion-v1.0"]

cmd: "docker"

output: "Using default tag: latest\nError response from daemon: pull access denied for pritunl-bastion-v1.0, repository does not exist or may require 'docker login'\n"

sync: Failed to init bastion host

In the stack trace:

utils: Failed to exec 'docker'
exit status 1
ORIGINAL STACK TRACE:

/go/src/github.com/pritunl/pritunl-zero/utils/proc.go:338 +0xbe73b8
/go/src/github.com/pritunl/pritunl-zero/sync/bastion.go:28 +0x162dd66
/go/src/github.com/pritunl/pritunl-zero/sync/bastion.go:129 +0x162f058
runtime.goexit
/usr/local/go/src/runtime/asm_amd64.s:1693 +0x486420

Run sudo docker pull pritunl-bastion-v1.0 and verify the image is available to the root user.

It's fine now.
Thanks for the help