Rory Campbell-Lange
2021-May-07 07:27 UTC
[EXTERNAL] Re: Signed SSH keys do not handle port forwarding correctly
On 07/05/21, Kadel-Garcia, Nico (nico.kadel-garcia at cengage.com) wrote:
> Oh, yes, it's Hashicorp Vault. It's been a very long day.
>
> I enabled the "permit-port-forwardig" option in the ssh-client-signer role, and it did not help.

You may want to set the receiving sshd LogLevel to VERBOSE to help find out what the problem is.

Rory
Kadel-Garcia, Nico
2021-May-07 07:31 UTC
[EXTERNAL] Re: Signed SSH keys do not handle port forwarding correctly
Fair enough. That's a step for tomorrow. I wasn't sure if *anyone* had tried this.

Nico Kadel-Garcia
Senior DevOps Engineer
Cengage Learning
200 Pier Four Blvd.
Boston, MA 02210
nico.kadel-garcia at cengage.com

-----Original Message-----
From: Rory Campbell-Lange <rory at campbell-lange.net>
Sent: Friday, May 7, 2021 3:27 AM
To: Kadel-Garcia, Nico <nico.kadel-garcia at cengage.com>
Cc: openssh-unix-dev at mindrot.org
Subject: Re: [EXTERNAL] Re: Signed SSH keys do not handle port forwarding correctly

On 07/05/21, Kadel-Garcia, Nico (nico.kadel-garcia at cengage.com) wrote:
> Oh, yes, it's Hashicorp Vault. It's been a very long day.
>
> I enabled the "permit-port-forwardig" option in the ssh-client-signer role, and it did not help.

You may want to set the receiving sshd LogLevel to VERBOSE to help find out what the problem is.

Rory
Brian Candler
2021-May-07 07:51 UTC
[EXTERNAL] Re: Signed SSH keys do not handle port forwarding correctly
On 07/05/2021 08:27, Rory Campbell-Lange wrote:
> On 07/05/21, Kadel-Garcia, Nico (nico.kadel-garcia at cengage.com) wrote:
>> Oh, yes, it's Hashicorp Vault. It's been a very long day.
>>
>> I enabled the "permit-port-forwardig" option in the ssh-client-signer role, and it did not help.
> You may want to set the receiving sshd LogLevel to VERBOSE to help find out what the problem is.

Also, inspect the certificate with ssh-keygen -Lf <file>, just to be sure the desired extension is in there. e.g.

$ ssh-keygen -Lf test.cert
test.cert:
        Type: ssh-rsa-cert-v01 at openssh.com user certificate
        Public key: RSA-CERT SHA256:mVV81....
        Signing CA: RSA SHA256:nqMqs.... (using rsa-sha2-256)
        Key ID: "vault-root-99557c...."
        Serial: 10087169145372651617
        Valid: from 2021-02-22T14:47:42 to 2021-02-23T02:48:12
        Principals:
                test
        Critical Options: (none)
        Extensions:
                permit-pty

Note that if you put permit-port-forwarding in "allowed_extensions" and/or "default_extensions" in the signing role, but the client specifically requests a set of extensions that doesn't include permit-port-forwarding, then the certificate won't include it.
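The check Brian describes above (looking at the Extensions block of `ssh-keygen -L` output) is a read of the certificate's public wire format, laid out in OpenSSH's PROTOCOL.certkeys. The script below is an added example, not code from this thread, from OpenSSH or from Vault: it parses the extension list out of a certificate file the same way `ssh-keygen -L` displays it, so you can script "does this cert actually carry permit-port-forwarding?" across a fleet of issued certificates. The certificate it parses is constructed inline with placeholder key bytes and an all-zero signature (so sshd would reject it; only the extension list matters here); the RSA and Ed25519 field layouts are handled, other key types are an assumption left out.

```python
"""Inspect the extensions carried by an OpenSSH user certificate.

Added example (not from the thread). It walks the public certificate wire
format from OpenSSH's PROTOCOL.certkeys so the reason `ssh-keygen -L`
prints, or omits, `permit-port-forwarding` is visible. The sample
certificate built below is constructed for this example and carries a
dummy signature, so it is not a usable credential.
"""
import base64
import os
import struct

EXT_PORT_FORWARDING = "permit-port-forwarding"


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def encode_extensions(names) -> bytes:
    """Extensions are a sequence of (name, data) string pairs; the flag-style
    permit-* extensions carry an empty data string."""
    return b"".join(ssh_string(n.encode()) + ssh_string(b"") for n in names)


def build_ed25519_cert(extensions, principals=("test",), key_id="example") -> str:
    """Return a certificate line in the on-disk 'type base64 comment' form.
    Constructed for this example: placeholder public key and CA key bytes
    and an all-zero signature, so it is NOT a valid credential."""
    cert_type = b"ssh-ed25519-cert-v01@openssh.com"
    body = (
        ssh_string(cert_type)
        + ssh_string(os.urandom(32))                 # nonce
        + ssh_string(bytes(32))                      # placeholder public key
        + struct.pack(">Q", 1)                       # serial
        + struct.pack(">I", 1)                       # type 1 = user certificate
        + ssh_string(key_id.encode())
        + ssh_string(b"".join(ssh_string(p.encode()) for p in principals))
        + struct.pack(">Q", 0)                       # valid after
        + struct.pack(">Q", 2**64 - 1)               # valid before (forever)
        + ssh_string(b"")                            # critical options (none)
        + ssh_string(encode_extensions(extensions))
        + ssh_string(b"")                            # reserved
        + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32)))  # placeholder CA key
        + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(bytes(64)))  # dummy signature
    )
    return f"{cert_type.decode()} {base64.b64encode(body).decode()} {key_id}"


def certificate_extensions(cert_line: str) -> list:
    """Parse a certificate line and return the extension names it carries.
    Handles ssh-rsa and ssh-ed25519 certificates; the two layouts differ
    only in the public-key fields that follow the nonce."""
    blob = base64.b64decode(cert_line.split()[1])
    off = 0
    cert_type, off = read_string(blob, off)
    _nonce, off = read_string(blob, off)
    if cert_type == b"ssh-rsa-cert-v01@openssh.com":
        _e, off = read_string(blob, off)
        _n, off = read_string(blob, off)
    elif cert_type == b"ssh-ed25519-cert-v01@openssh.com":
        _pk, off = read_string(blob, off)
    else:
        raise ValueError(f"unsupported certificate type {cert_type!r}")
    off += 8 + 4                                     # serial (uint64) + type (uint32)
    _key_id, off = read_string(blob, off)
    _principals, off = read_string(blob, off)
    off += 8 + 8                                     # valid after / valid before
    _critical, off = read_string(blob, off)
    extensions, off = read_string(blob, off)
    names, eoff = [], 0
    while eoff < len(extensions):
        name, eoff = read_string(extensions, eoff)
        _data, eoff = read_string(extensions, eoff)
        names.append(name.decode())
    return names


def permits_port_forwarding(cert_line: str) -> bool:
    """True only if the certificate itself carries permit-port-forwarding;
    what the signing role allows by default is irrelevant at this point."""
    return EXT_PORT_FORWARDING in certificate_extensions(cert_line)


if __name__ == "__main__":
    # A cert where the client asked only for permit-pty (the situation the
    # thread describes) next to one signed with the usual default set.
    restricted = build_ed25519_cert(["permit-pty"])
    full = build_ed25519_cert(["permit-X11-forwarding", "permit-agent-forwarding",
                               "permit-port-forwarding", "permit-pty", "permit-user-rc"])
    for label, cert in (("restricted", restricted), ("default", full)):
        print(label, certificate_extensions(cert), permits_port_forwarding(cert))
```

To use it on a real certificate, pass the contents of the `-cert.pub` file to `certificate_extensions`; the script never checks the signature or validity window, so `ssh-keygen -L` (and a VERBOSE sshd log, as Rory suggests) remain the authority on whether the server will accept the certificate at all.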