bugzilla-daemon at bugzilla.mindrot.org
2019-Nov-18 18:19 UTC
[Bug 3095] New: SSH CA-signed key fails when port forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=3095
Bug ID: 3095
Summary: SSH CA-signed key fails when port forwarding
Product: Portable OpenSSH
Version: 7.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: krubot.ops at gmail.com
I'm setting up some servers for a new system and decided to do things a
little bit differently. I'm running into an issue that I just can't
seem to get past though. My desired configuration is having one bastion
server and N other servers that can be accessed via the bastion only, a
pretty typical configuration.
The difference from what I normally do is that I would like to use
signed SSH keys for authentication. This is pretty straightforward for
a single server but is throwing a wrench when using a bastion.
Right now, I have two identically configured servers. I can access them
both directly using a signed SSH key. However, if I try to use one as a
bastion/jump host, I can't connect to the other. My ~/.ssh/config looks
like this:
Host ssh.uswe2
    HostName ssh.uswe2.example.com
    User ec2-user
    IdentityFile ~/.ssh/ssh-rsa-cert

Host *.uswe2 !ssh.uswe2
    HostName %h.example.com
    User ec2-user
    ProxyCommand ssh -W %h:%p ssh.uswe2.example.com
    IdentityFile ~/.ssh/ssh-rsa-cert
With this configuration, I can sign in to the bastion with ssh
ssh.uswe2, but when I try to connect to the other server with ssh
server2.uswe2 I get the following error:
channel 0: open failed: administratively prohibited: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host
I can still connect directly to the server with ssh
server2.uswe2.example.com over the public network though so I know that
the CA and cert are being loaded correctly.
My next thought was that maybe it was something to do with how the
bastion is configured, but if I add my public key to
~/.ssh/authorized_keys on both servers, I can connect without any
issue.
I've reduced this down to a single command that is now showing issues:
ssh -i /Users/bec23/.ssh/id_rsa-cert.pub -i /Users/bec23/.ssh/id_rsa -W 127.0.0.1:8080 disco-core at ssh.uswe2
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Dec-29 00:57 UTC
[Bug 3095] SSH CA-signed key fails when port forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=3095
egberts at yahoo.com changed:
What | Removed | Added
----------------------------------------------------------------------------
CC   |         | egberts at yahoo.com
--- Comment #1 from egberts at yahoo.com ---
I was just thinking of doing that too.
Can you try with your sshd using '-d -D -o LogLevel DEBUG3' or '-d -D -E /tmp/sshd-bastion-troubleshooting.log' options?
Have you tried to add the two CLI options, '-t -T' before your affected
command line arguments? It should reveal something additional
regarding the 'Match' (with DEBUG3).
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 05:35 UTC
[Bug 3095] SSH CA-signed key fails when port forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=3095
Damien Miller <djm at mindrot.org> changed:
What | Removed | Added
----------------------------------------------------------------------------
CC   |         | djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Could you please attach debug traces (i.e. the output of "sshd -ddd")
from the server that is failing authentication and the contents of the
certificate in question (via "ssh-keygen -Lf /path/cert").
It's unfortunately not possible to debug this further with the
information provided.
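Damien asks for the certificate listing because the per-key permissions live inside the certificate itself. As an added example (not from this thread and not OpenSSH code), the Python below parses the text that `ssh-keygen -Lf` prints and flags two certificate-level conditions that make a bastion's sshd reject the direct-tcpip channel behind `ssh -W` with "administratively prohibited": a certificate issued without the `permit-port-forwarding` extension (for example signed with `-O clear` or `-O no-port-forwarding`), or a principal list that does not cover the login user. Both listings are constructed sample output; the key ID, fingerprints and paths are placeholders, and `jump_host_findings` is a name chosen here.

```python
"""Parse `ssh-keygen -Lf <cert>` output and check what a jump host needs.

Added example for this bug thread; not part of OpenSSH. The two listings
below are constructed to look like ssh-keygen -L output (placeholder
fingerprints and key ID), one with the default extension set and one
issued with `-O clear -O permit-pty`.
"""
import re
from dataclasses import dataclass, field

# Field names ssh-keygen -L prints, one per indented line.
_FIELD_RE = re.compile(
    r"^(Type|Public key|Signing CA|Key ID|Serial|Valid|Principals|"
    r"Critical Options|Extensions):\s*(.*)$"
)
_LIST_FIELDS = ("Principals", "Critical Options", "Extensions")


@dataclass
class CertInfo:
    key_id: str = ""
    valid: str = ""
    principals: list = field(default_factory=list)
    critical_options: list = field(default_factory=list)
    extensions: list = field(default_factory=list)


def parse_keygen_listing(text: str) -> CertInfo:
    """Turn the human-readable listing into a CertInfo.

    List-valued fields (Principals, Critical Options, Extensions) print
    their items on the following, more deeply indented lines; "(none)" on
    the field line means the list is empty.
    """
    info = CertInfo()
    section = None  # which list field the indented item lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _FIELD_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            section = name if name in _LIST_FIELDS else None
            if name == "Key ID":
                info.key_id = value.strip('"')
            elif name == "Valid":
                info.valid = value
            continue
        if section is not None and line != "(none)":
            getattr(info, section.lower().replace(" ", "_")).append(line)
        # Anything else (the "/path/cert:" header) is ignored.
    return info


def jump_host_findings(info: CertInfo, login_user: str) -> list:
    """Return human-readable problems that would stop `ssh -W` via this cert."""
    findings = []
    if login_user not in info.principals:
        findings.append(
            f"login user {login_user!r} is not among the certificate "
            f"principals {info.principals}; authentication will fail"
        )
    if "permit-port-forwarding" not in info.extensions:
        findings.append(
            "certificate lacks the permit-port-forwarding extension; sshd "
            "refuses direct-tcpip channels (ssh -W / -L) for this key with "
            "'administratively prohibited'"
        )
    return findings


# Constructed sample: certificate with the default extension set.
SAMPLE_DEFAULT = """\
/home/example/.ssh/id_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDE
        Signing CA: ED25519 SHA256:PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDE (using ssh-ed25519)
        Key ID: "example-user"
        Serial: 7
        Valid: from 2019-11-18T10:00:00 to 2019-11-19T10:00:00
        Principals:
                ec2-user
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
"""

# Constructed sample: same certificate issued with `-O clear -O permit-pty`.
SAMPLE_RESTRICTED = SAMPLE_DEFAULT.split("        Extensions:")[0] + (
    "        Extensions:\n"
    "                permit-pty\n"
)

if __name__ == "__main__":
    for label, listing in (("default", SAMPLE_DEFAULT), ("restricted", SAMPLE_RESTRICTED)):
        problems = jump_host_findings(parse_keygen_listing(listing), "ec2-user")
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

To use it on a real certificate, pipe `ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub` into `parse_keygen_listing` and pass the `User` from the matching `Host` block. The check only sees what is inside the certificate; a bastion whose sshd_config sets `AllowTcpForwarding no` (or a `Match` block doing so) rejects the same channel with the same message regardless of the key, which is why the `sshd -ddd` trace is also needed.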
bugzilla-daemon at mindrot.org
2020-Jul-17 03:41 UTC
[Bug 3095] SSH CA-signed key fails when port forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=3095
Damien Miller <djm at mindrot.org> changed:
What       | Removed | Added
----------------------------------------------------------------------------
Status     | NEW     | RESOLVED
Resolution | ---     | WORKSFORME
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing bug: six months with no followup
bugzilla-daemon at mindrot.org
2021-Mar-03 22:52 UTC
[Bug 3095] SSH CA-signed key fails when port forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=3095
Damien Miller <djm at mindrot.org> changed:
What   | Removed  | Added
----------------------------------------------------------------------------
Status | RESOLVED | CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle