Signed SSH keys do not handle port forwarding correctly

Rory Campbell-Lange rory at
Fri May 7 17:18:39 AEST 2021

On 07/05/21, Kadel-Garcia, Nico (nico.kadel-garcia at wrote:
> So far, so good. But let's say that host is also a tomcat server running unencrypted on port 8000, and I'd like to port-forward the local service to my localhost.
>            ssh -i .ssh/vault-signed-key -i .ssh/id_rsa -N -L localhost:8000:localhost:8000 username at &
>            lynx http://localhost:8000

Is the Atlassian Vault actually Hashicorp Vault?

If so, does the signed key have "permit-port-forwarding" enabled? i.e.

	$ vault write ssh-client-signer/roles/my-role -<<"EOH"
	{
	  "allow_user_certificates": true,
	  "allowed_users": "*",
	  "allowed_extensions": "permit-pty,permit-port-forwarding",
	  "default_extensions": [
	    {
	      "permit-pty": ""
	    }
	  ],
	  "key_type": "ca",
	  "default_user": "ubuntu",
	  "ttl": "30m0s"
	}
	EOH


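An added check, not part of this thread: a small Python parser that reads the extensions field of a *-cert.pub file so you can confirm whether the CA actually put permit-port-forwarding into the certificate (ssh-keygen -L -f shows the same thing under "Extensions"). The sample certificate it builds is constructed and unsigned, and the names cert_extensions, permits_port_forwarding and build_sample_cert are mine.

```python
import base64
import struct

# Public-key fields after the nonce, per cert type (PROTOCOL.certkeys): RSA e,n; DSA p,q,g,y; ECDSA curve,point; Ed25519 one blob.
KEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-dss-cert-v01@openssh.com": 4,
              "ssh-ed25519-cert-v01@openssh.com": 1, "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
              "ecdsa-sha2-nistp384-cert-v01@openssh.com": 2, "ecdsa-sha2-nistp521-cert-v01@openssh.com": 2}

def _read_string(buf, off):  # one SSH wire "string": uint32 big-endian length, then bytes
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def _pairs(blob):  # extensions / critical options: repeated (string name, string data)
    out, off = [], 0
    while off < len(blob):
        name, off = _read_string(blob, off)
        data, off = _read_string(blob, off)
        out.append((name.decode(), data))
    return out

def cert_extensions(cert_line):
    """Extension names in a one-line OpenSSH certificate (contents of a *-cert.pub file)."""
    blob = base64.b64decode(cert_line.split()[1])
    kind, off = _read_string(blob, 0)
    nfields = KEY_FIELDS[kind.decode()]  # KeyError for anything that is not a known cert type
    for _ in range(1 + nfields):  # nonce, then the public-key fields
        _, off = _read_string(blob, off)
    off += 8 + 4  # serial (uint64), type (uint32: 1 = user, 2 = host)
    _key_id, off = _read_string(blob, off)
    _principals, off = _read_string(blob, off)
    off += 8 + 8  # valid_after, valid_before (uint64 each)
    _critical, off = _read_string(blob, off)
    extensions, _ = _read_string(blob, off)  # reserved, signature key, signature follow
    return [name for name, _ in _pairs(extensions)]

def permits_port_forwarding(cert_line):
    return "permit-port-forwarding" in cert_extensions(cert_line)
def _s(b):
    return struct.pack(">I", len(b)) + b

def build_sample_cert(extensions):
    # Constructed, unsigned Ed25519-shaped certificate used only to exercise the parser.
    ext_blob = b"".join(_s(e.encode()) + _s(b"") for e in extensions)
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"\x01" * 32)
            + struct.pack(">QI", 1, 1) + _s(b"vault-ubuntu") + _s(_s(b"ubuntu"))
            + struct.pack(">QQ", 0, 2**64 - 1) + _s(b"") + _s(ext_blob) + _s(b"") * 3)
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode() + " demo"
```

Run it against a real Vault-signed certificate by reading the *-cert.pub file into cert_extensions(); a certificate issued under a role whose allowed_extensions omits permit-port-forwarding will come back without it, which is exactly the case where -L forwarding fails.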
More information about the openssh-unix-dev mailing list