Good evening: Some of you may remember me, I did my first SSH ports in the 1990's. I'm writing from my work account for questions I'm encountering at work. I'm working with SSH client signatures, with an Atlassian Vault setup, where Atlassian I'm working with with CentOS 7 hosts with openssh-7.4p1. Atlassian Vault provides me a private key signature with their ssh-client-signer tool to access a remote host. This works well. ssh -I .ssh/vault-signed-key -I .ssh/id_rsa username@10.0.0.10 So far, so good. But let's say that host is also a tomcat server running unenrypted on port 8000, and I'd like to port-forward the loal service to my localhost. ssh -I .ssh/vault-signed-key -I .ssh/id_rsa -N -L localhost:8000:localhost:8000 username@10.0.0.10<mailto:username@10.0.0.10> & lynx http://localhost:8000 The port forwarding does not work. If I copy over my personal public key to ~username/.ssh/authorized_keys on 10.0.0.10, then port forwarding works either of these two ways. ssh -I .ssh/vault-signed-key -I .ssh/id_rsa -N -L localhost:8001:localhost:8000 username@10.0.0.10<mailto:username@10.0.0.10> & lynx http://localhost:8001 ssh -I .ssh/id_rsa -N -L localhost:8002:localhost:800 username@10.0.0.10<mailto:username@10.0.0.10> & lynx http://localhost:8012 It seems that relying on the signature for the personal SSH keys disables the use of port forwarding. Is this expected? Because I'm not easily finding good documentation for the loss of this feature. And I'd like to be able to port-forward remote services without exposing them directly to my local network. Nico Kadel-Garcia Senior DevOps Engineer Cengage Learning 200 Pier Four Blvd. Boston, MA 02210 nico.kadel-garcia@xxxxxxxxxxx _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev