[Bug 3095] New: SSH CA-signed key fails when port forwarding
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Tue Nov 19 05:19:59 AEDT 2019
https://bugzilla.mindrot.org/show_bug.cgi?id=3095
Bug ID: 3095
Summary: SSH CA-signed key fails when port forwarding
Product: Portable OpenSSH
Version: 7.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: krubot.ops at gmail.com
I'm setting up some servers for a new system and decided to do things a
little bit differently. I'm running into an issue that I just can't
seem to get past though. My desired configuration is having one bastion
server and N other servers that can be accessed via the bastion only—a
pretty typical configuration.
The difference from what I normally do is that I would like to use
signed SSH keys for authentication. This is pretty straight-forward for
a single server but is throwing a wrench when using a bastion.
Right now, I have two identically configured servers. I can access them
both directly using a signed SSH key. However, if I try to use one as a
bastion/jump host, I can't connect to the other. My ~/.ssh/config looks
like this:
Host ssh.uswe2
HostName ssh.uswe2.example.com
User ec2-user
IdentityFile ~/.ssh/ssh-rsa-cert
Host *.uswe2 !ssh.uswe2
HostName %h.example.com
User ec2-user
ProxyCommand ssh -W %h:%p ssh.uswe2.example.com
IdentityFile ~/.ssh/ssh-rsa-cert
With this configuration, I can sign in to the bastion with ssh
ssh.uswe2, but when I try to connect to the other server with ssh
server2.uswe2 I get the following error:
channel 0: open failed: administratively prohibited: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
I can still connect directly to the server with ssh
server2.uswe2.example.com over the public network though so I know that
the CA and cert are being loaded correctly.
My next thought was that maybe it was something to do with how the
bastion is configured, but if I add my public key to
~/.ssh/authorized_keys on both servers, I can connect without any
issue.
I've reduced this down to a single command that is now showing issues:
ssh -i /Users/bec23/.ssh/id_rsa-cert.pub -i /Users/bec23/.ssh/id_rsa -W
127.0.0.1:8080 disco-core at ssh.uswe2
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list