[EXTERNAL] Re: Signed SSH keys do not handle port forwarding correctly

Brian Candler b.candler at pobox.com
Fri May 7 17:51:16 AEST 2021

On 07/05/2021 08:27, Rory Campbell-Lange wrote:
> On 07/05/21, Kadel-Garcia, Nico (nico.kadel-garcia at cengage.com) wrote:
>> Oh, yes, it's Hashicorp Vault. It's been a very long day.
>> I enabled the "permit-port-forwarding" option in the ssh-client-signer role, and it did not help.
> You may want to set the receiving sshd LogLevel to VERBOSE to help find out what the problem is.

Also, inspect the certificate with ssh-keygen -Lf <file>, just to be 
sure the desired extension is in there. e.g.

$ ssh-keygen -Lf test.cert
         Type: ssh-rsa-cert-v01 at openssh.com user certificate
         Public key: RSA-CERT SHA256:mVV81....
         Signing CA: RSA SHA256:nqMqs.... (using rsa-sha2-256)
         Key ID: "vault-root-99557c...."
         Serial: 10087169145372651617
         Valid: from 2021-02-22T14:47:42 to 2021-02-23T02:48:12
         Critical Options: (none)
         Extensions:
                 permit-pty

Note that if you put permit-port-forwarding in "allowed_extensions" 
and/or "default_extensions" in the signing role, but the client 
specifically requests a set of extensions that doesn't include 
permit-port-forwarding, then the certificate won't include it.
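[Added example, not part of the mailing-list post above: a small POSIX sh helper that scripts the check Brian describes by parsing `ssh-keygen -L` output and reporting whether a given extension is listed under "Extensions:", so a Vault-signed certificate can be verified for permit-port-forwarding before it is handed to a client. The function name, the helper `check_text` and the sample certificate listings are constructed for this example; the listings mimic the format shown in the thread.]

```shell
#!/bin/sh
# cert_has_extension NAME
#   Reads `ssh-keygen -L` output on stdin and returns 0 if NAME appears as an
#   entry under the "Extensions:" section, 1 otherwise.
#   Typical use:  ssh-keygen -Lf signed-cert.pub | cert_has_extension permit-port-forwarding
cert_has_extension() {
    awk -v want="$1" '
        # ssh-keygen -L prints section headers as "Name:" at a fixed indent;
        # the entries of a section are indented further and carry no colon.
        /^[[:space:]]*Extensions:/  { insec = 1; next }
        /^[[:space:]]*[A-Za-z ]+:/  { insec = 0 }      # any other header ends the section
        insec && $1 == want         { found = 1; exit } # $1 = first token, e.g. permit-pty
        END                         { exit found ? 0 : 1 }
    '
}

# check_text NAME TEXT : run the check over an in-memory listing (helper for
# the constructed samples below; real use pipes ssh-keygen output instead).
check_text() {
    printf '%s\n' "$2" | cert_has_extension "$1"
}

# Constructed sample 1: a certificate like the one quoted in the thread,
# carrying only permit-pty (so port forwarding will be refused by sshd).
SAMPLE_NO_FWD='        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:mVV81....
        Signing CA: RSA SHA256:nqMqs.... (using rsa-sha2-256)
        Key ID: "vault-root-99557c...."
        Serial: 10087169145372651617
        Valid: from 2021-02-22T14:47:42 to 2021-02-23T02:48:12
        Critical Options: (none)
        Extensions:
                permit-pty'

# Constructed sample 2: the same certificate after the signer actually
# included permit-port-forwarding.
SAMPLE_WITH_FWD='        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:mVV81....
        Signing CA: RSA SHA256:nqMqs.... (using rsa-sha2-256)
        Key ID: "vault-root-99557c...."
        Serial: 10087169145372651617
        Valid: from 2021-02-22T14:47:42 to 2021-02-23T02:48:12
        Critical Options: (none)
        Extensions:
                permit-port-forwarding
                permit-pty'

# Constructed sample 3: no extensions at all (ssh-keygen prints "(none)").
SAMPLE_NONE='        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Key ID: "vault-root-99557c...."
        Critical Options: (none)
        Extensions: (none)'

# Stand-alone demo: report the result for each constructed sample.
for name in SAMPLE_NO_FWD SAMPLE_WITH_FWD SAMPLE_NONE; do
    eval "text=\$$name"
    if check_text permit-port-forwarding "$text"; then
        echo "$name: permit-port-forwarding present"
    else
        echo "$name: permit-port-forwarding MISSING"
    fi
done
```

Two caveats for practitioners: as far as I understand the Vault SSH secrets engine API, the sign request itself also accepts an `extensions` map, which is exactly the client-side override Brian describes, so the place to look when the listing lacks the extension is whatever the client passes on that request, not only the role's `allowed_extensions` and `default_extensions`. And even with the extension present, sshd's own `AllowTcpForwarding` setting still applies; the certificate extension permits forwarding for that key, it does not override the server configuration.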
