Kadel-Garcia, Nico
2021-May-07 04:07 UTC
Signed SSH keys do not handle port forwarding correctly
Good evening: Some of you may remember me, I did my first SSH ports in the 1990's. I'm writing from my work account for questions I'm encountering at work.

I'm working with SSH client signatures in an Atlassian Vault setup, on CentOS 7 hosts with openssh-7.4p1. Atlassian Vault provides me a private key signature with their ssh-client-signer tool to access a remote host. This works well.

    ssh -i .ssh/vault-signed-key -i .ssh/id_rsa username@10.0.0.10

So far, so good. But let's say that host is also a tomcat server running unencrypted on port 8000, and I'd like to port-forward the local service to my localhost.

    ssh -i .ssh/vault-signed-key -i .ssh/id_rsa -N -L localhost:8000:localhost:8000 username@10.0.0.10 &
    lynx http://localhost:8000

The port forwarding does not work. If I copy over my personal public key to ~username/.ssh/authorized_keys on 10.0.0.10, then port forwarding works either of these two ways.

    ssh -i .ssh/vault-signed-key -i .ssh/id_rsa -N -L localhost:8001:localhost:8000 username@10.0.0.10 &
    lynx http://localhost:8001

    ssh -i .ssh/id_rsa -N -L localhost:8002:localhost:8000 username@10.0.0.10 &
    lynx http://localhost:8002

It seems that relying on the signature for the personal SSH keys disables the use of port forwarding. Is this expected? Because I'm not easily finding good documentation for the loss of this feature. And I'd like to be able to port-forward remote services without exposing them directly to my local network.

Nico Kadel-Garcia
Senior DevOps Engineer
Cengage Learning
200 Pier Four Blvd.
Boston, MA 02210
nico.kadel-garcia at cengage.com
Rory Campbell-Lange
2021-May-07 07:18 UTC
Signed SSH keys do not handle port forwarding correctly
On 07/05/21, Kadel-Garcia, Nico (nico.kadel-garcia at cengage.com) wrote:
> So far, so good. But let's say that host is also a tomcat server running unencrypted on port 8000, and I'd like to port-forward the local service to my localhost.
>
> ssh -i .ssh/vault-signed-key -i .ssh/id_rsa -N -L localhost:8000:localhost:8000 username@10.0.0.10 &
> lynx http://localhost:8000

Is the Atlassian Vault actually Hashicorp Vault? If so does the signed key have "permit-port-forwarding" enabled? i.e.

    $ vault write ssh-client-signer/roles/my-role -<<"EOH"
    {
      "allow_user_certificates": true,
      "allowed_users": "*",
      "allowed_extensions": "permit-pty,permit-port-forwarding",
      "default_extensions": [
        {
          "permit-pty": ""
        }
      ],
      "key_type": "ca",
      "default_user": "ubuntu",
      "ttl": "30m0s"
    }
    EOH

https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates#signing-key-role-configuration

Rory
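An added check, not part of either message, for confirming the diagnosis above before touching the Vault role: it parses the Extensions section of `ssh-keygen -L -f <cert>` output and reports whether permit-port-forwarding was granted (with the role quoted above the extension is only allowed, not in default_extensions, so it must be requested at signing time or added there). It assumes only a POSIX shell with awk and grep; the listings fed to it are constructed stand-ins, not real certificates.

```shell
#!/bin/sh
# Reads an `ssh-keygen -L` listing on stdin and prints one extension name per
# line from its "Extensions:" section (entries are indented, lowercase names).
cert_extensions() {
    awk '
        /^[ \t]*Extensions:/     { in_ext = 1; next }
        in_ext && /^[ \t]+[a-z]/ { print $1; next }
        in_ext                   { in_ext = 0 }
    '
}

# Exit 0 when the listing on stdin grants the named extension.
cert_has_extension() {
    cert_extensions | grep -qxF "$1"
}

# Prints "ok" if the certificate can be used with -L/-R, otherwise names the
# missing extension, which is the silent failure seen in the thread.
forwarding_status() {
    if cert_has_extension permit-port-forwarding; then
        echo "ok"
    else
        echo "missing permit-port-forwarding"
    fi
}

# Constructed stand-in for `ssh-keygen -L -f <cert>` output (not a real
# certificate); only the fields this check depends on are emitted.
sample_listing() {
    name=$1; shift
    printf '%s:\n' "$name"
    printf '        Type: ssh-rsa-cert-v01@openssh.com user certificate\n'
    printf '        Key ID: "vault-username"\n'
    printf '        Principals:\n                username\n'
    printf '        Critical Options: (none)\n'
    printf '        Extensions:\n'
    for ext in "$@"; do printf '                %s\n' "$ext"; done
}

# What the role in the reply above yields by default (permit-pty only), versus a
# certificate signed with permit-port-forwarding requested as well.
sample_listing vault-signed-key permit-pty | forwarding_status
sample_listing vault-signed-key permit-pty permit-port-forwarding | forwarding_status
# On a real host: ssh-keygen -L -f ~/.ssh/vault-signed-key | forwarding_status
```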