[EXTERNAL] Re: Signed SSH keys do not handle port forwarding correctly
b.candler at pobox.com
Fri May 7 17:51:16 AEST 2021
On 07/05/2021 08:27, Rory Campbell-Lange wrote:
> On 07/05/21, Kadel-Garcia, Nico (nico.kadel-garcia at cengage.com) wrote:
>> Oh, yes, it's Hashicorp Vault. It's been a very long day.
>> I enabled the "permit-port-forwardig" option in the ssh-client-signer role, and it did not help.
> You may want to set the receiving sshd LogLevel to VERBOSE to help find out what the problem is.
Also, inspect the certificate with ssh-keygen -Lf <file>, just to be
sure the desired extension is in there. e.g.
$ ssh-keygen -Lf test.cert
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT SHA256:mVV81....
Signing CA: RSA SHA256:nqMqs.... (using rsa-sha2-256)
Key ID: "vault-root-99557c...."
Valid: from 2021-02-22T14:47:42 to 2021-02-23T02:48:12
Critical Options: (none)
Note that if you put permit-port-forwarding in "allowed_extensions"
and/or "default_extensions" in the signing role, but the client
specifically requests a set of extensions that doesn't include
permit-port-forwarding, then the certificate won't include it.
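As an added illustration (not code from the thread, Vault or OpenSSH), here is a small parser for the extensions section of an ssh-rsa-cert-v01@openssh.com certificate, so the "is permit-port-forwarding actually in there" check can be done programmatically. It assumes the on-disk one-line form ssh-keygen writes (type, base64 blob, comment) and builds a constructed sample certificate with placeholder key material and an unverified placeholder signature so it runs offline.

```python
import base64, struct

# Constructed sample, not a real certificate: placeholder key material and signature.
def _s(b):  # SSH "string": uint32 big-endian length prefix + bytes
    return struct.pack(">I", len(b)) + b

def build_sample_cert(extensions):
    # Extensions field holds (name, data) string pairs; data is empty for permit-*.
    ext = b"".join(_s(n.encode()) + _s(b"") for n in extensions)
    body = b"".join([
        _s(b"ssh-rsa-cert-v01@openssh.com"),
        _s(b"\x00" * 32),                            # nonce
        _s(b"\x01\x00\x01"), _s(b"\x00\xaa" * 4),    # e, n (dummy mpints)
        struct.pack(">Q", 1), struct.pack(">I", 1),  # serial, type (1 = user)
        _s(b"vault-root-EXAMPLE"),                   # key id (placeholder)
        _s(_s(b"nico")),                             # valid principals
        struct.pack(">QQ", 0, 2**63),                # valid after / valid before
        _s(b""), _s(ext), _s(b""),                   # critical options, extensions, reserved
        _s(b"ca-key-placeholder"), _s(b"sig-placeholder"),  # signature key, signature
    ])
    # On-disk form is "<type> <base64 blob> <comment>", as in id_rsa-cert.pub
    return "ssh-rsa-cert-v01@openssh.com %s test" % base64.b64encode(body).decode()

def cert_extensions(cert_line):
    """Return extension names from an ssh-rsa-cert-v01 line (no signature check)."""
    blob = base64.b64decode(cert_line.split()[1])
    pos = 0
    def rd():  # read one SSH string at pos and advance
        nonlocal pos
        (n,) = struct.unpack_from(">I", blob, pos)
        pos += 4 + n
        return blob[pos - n:pos]
    if rd() != b"ssh-rsa-cert-v01@openssh.com":
        raise ValueError("only ssh-rsa-cert-v01 is handled here")
    rd(); rd(); rd()       # nonce, e, n
    pos += 12              # serial (uint64) + type (uint32)
    rd(); rd()             # key id, valid principals
    pos += 16              # valid after, valid before
    rd()                   # critical options
    ext, names, p = rd(), [], 0
    while p < len(ext):
        (n,) = struct.unpack_from(">I", ext, p); p += 4
        names.append(ext[p:p + n].decode()); p += n
        (d,) = struct.unpack_from(">I", ext, p); p += 4 + d   # skip extension data
    return names

def allows_port_forwarding(cert_line):
    return "permit-port-forwarding" in cert_extensions(cert_line)

if __name__ == "__main__":
    print(allows_port_forwarding(build_sample_cert(["permit-pty", "permit-port-forwarding"])))
```

Pointing cert_extensions at a real signed-key file from Vault shows exactly the extension set the client requested, which is what decides whether forwarding works regardless of what the role allows by default.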