[EXTERNAL] Re: Signed SSH keys do not handle port forwarding correctly
Kadel-Garcia, Nico
nico.kadel-garcia at cengage.com
Fri May 7 17:21:40 AEST 2021
Oh, yes, it's Hashicorp Vault. It's been a very long day.
I enabled the "permit-port-forwardig" option in the ssh-client-signer role, and it did not help.
Nico Kadel-Garcia
Senior DevOps Engineer
Cengage Learning
200 Pier Four Blvd.
Boston, MA 02210
nico.kadel-garcia at cengage.com
-----Original Message-----
From: Rory Campbell-Lange <rory at campbell-lange.net>
Sent: Friday, May 7, 2021 3:19 AM
To: Kadel-Garcia, Nico <nico.kadel-garcia at cengage.com>
Cc: openssh-unix-dev at mindrot.org
Subject: [EXTERNAL] Re: Signed SSH keys do not handle port forwarding correctly
On 07/05/21, Kadel-Garcia, Nico (nico.kadel-garcia at cengage.com) wrote:
> So far, so good. But let's say that host is also a tomcat server running unenrypted on port 8000, and I'd like to port-forward the loal service to my localhost.
>
> ssh -I .ssh/vault-signed-key -I .ssh/id_rsa -N -L localhost:8000:localhost:8000 username at 10.0.0.10<mailto:username at 10.0.0.10> &
> lynx https://urldefense.com/v3/__http://localhost:8000__;!!MXVguWEtGgZw!bTWsMBiY0AdKNMvIVtO1-lAHr6ekG21bPt_HyMRhKlh1w1HKfs6drXhIMsTMe4dkR4DJ0pw$
Is the Atlassian Vault actually Hashicorp Vault?
If so does the signed key have "permit-port-forwarding" enabled? i.e.
$ vault write ssh-client-signer/roles/my-role -<<"EOH"
{
"allow_user_certificates": true,
"allowed_users": "*",
"allowed_extensions": "permit-pty,permit-port-forwarding",
"default_extensions": [
{
"permit-pty": ""
}
],
"key_type": "ca",
"default_user": "ubuntu",
"ttl": "30m0s"
}
EOH
https://urldefense.com/v3/__https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates*signing-key-role-configuration__;Iw!!MXVguWEtGgZw!bTWsMBiY0AdKNMvIVtO1-lAHr6ekG21bPt_HyMRhKlh1w1HKfs6drXhIMsTMe4dkoFSUvPA$
Rory
More information about the openssh-unix-dev
mailing list