Oh, yes, it's Hashicorp Vault. It's been a very long day. I enabled the
"permit-port-forwarding" option in the ssh-client-signer role, and it did
not help.

Nico Kadel-Garcia
Senior DevOps Engineer
Cengage Learning
200 Pier Four Blvd.
Boston, MA 02210
nico.kadel-garcia@xxxxxxxxxxx

-----Original Message-----
From: Rory Campbell-Lange <rory@xxxxxxxxxxxxxxxxxx>
Sent: Friday, May 7, 2021 3:19 AM
To: Kadel-Garcia, Nico <nico.kadel-garcia@xxxxxxxxxxx>
Cc: openssh-unix-dev@xxxxxxxxxxx
Subject: [EXTERNAL] Re: Signed SSH keys do not handle port forwarding correctly

On 07/05/21, Kadel-Garcia, Nico (nico.kadel-garcia@xxxxxxxxxxx) wrote:
> So far, so good. But let's say that host is also a tomcat server running
> unencrypted on port 8000, and I'd like to port-forward the local service
> to my localhost.
>
>   ssh -i .ssh/vault-signed-key -i .ssh/id_rsa -N -L localhost:8000:localhost:8000 username@10.0.0.10 &
>   lynx http://localhost:8000

Is the Atlassian Vault actually Hashicorp Vault?

If so does the signed key have "permit-port-forwarding" enabled? i.e.

$ vault write ssh-client-signer/roles/my-role -<<"EOH"
{
  "allow_user_certificates": true,
  "allowed_users": "*",
  "allowed_extensions": "permit-pty,permit-port-forwarding",
  "default_extensions": [
    {
      "permit-pty": ""
    }
  ],
  "key_type": "ca",
  "default_user": "ubuntu",
  "ttl": "30m0s"
}
EOH

https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates#signing-key-role-configuration

Rory
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
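The first thing to check when a Vault-signed key logs in but `-L` forwarding fails is whether the certificate itself carries the `permit-port-forwarding` extension: the role's `allowed_extensions` only allow-lists what a sign request may ask for, so enabling it there does not put it into an already-issued certificate. The shell script below is an added example for this thread, not code from either poster or from Vault or OpenSSH. It parses `ssh-keygen -L` output for the Extensions section; the file name `vault-signed-key`, the fingerprints, key ID and serial in the embedded samples are constructed placeholders, and `cert_forwarding_status` assumes a local `ssh-keygen`.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an OpenSSH certificate
# carries the "permit-port-forwarding" extension, based on `ssh-keygen -L`.

# extension_present NAME TEXT
# TEXT is the output of `ssh-keygen -L -f <cert>`. Returns 0 if NAME is listed
# under the certificate's "Extensions:" section, 1 otherwise (including the
# "Extensions: (none)" case).
extension_present() {
    want="$1"
    printf '%s\n' "$2" | awk -v want="$want" '
        /^[ \t]*Extensions:/                 { in_ext = 1; next }  # section begins
        in_ext && /^[ \t]*[A-Z][A-Za-z ]*:/  { in_ext = 0 }        # next header ends it
        in_ext && $1 == want                 { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# cert_forwarding_status CERTFILE
# Runs ssh-keygen on a real certificate file and prints "allowed", "missing",
# or "unreadable" (when ssh-keygen cannot parse the file or is not installed).
cert_forwarding_status() {
    text=$(ssh-keygen -L -f "$1") || { echo unreadable; return 2; }
    if extension_present permit-port-forwarding "$text"; then
        echo allowed
    else
        echo missing
    fi
}

# Constructed sample of `ssh-keygen -L` output for a certificate that only got
# the role's default_extensions (permit-pty). All identifying values are
# placeholders, not real fingerprints.
SAMPLE_PTY_ONLY='vault-signed-key:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:PLACEHOLDER_KEY_FINGERPRINT
        Signing CA: RSA SHA256:PLACEHOLDER_CA_FINGERPRINT (using rsa-sha2-256)
        Key ID: "vault-username-placeholder"
        Serial: 1
        Valid: from 2021-05-07T08:00:00 to 2021-05-07T08:30:00
        Principals:
                username
        Critical Options: (none)
        Extensions:
                permit-pty'

# Same certificate re-signed with permit-port-forwarding actually requested.
SAMPLE_WITH_FORWARDING="${SAMPLE_PTY_ONLY}
                permit-port-forwarding"

# Prints a verdict for both constructed samples when run directly.
main() {
    for s in "$SAMPLE_PTY_ONLY" "$SAMPLE_WITH_FORWARDING"; do
        if extension_present permit-port-forwarding "$s"; then
            echo "permit-port-forwarding: present"
        else
            echo "permit-port-forwarding: missing (re-sign with the extension requested)"
        fi
    done
}
main
```

If the verdict is "missing", the fix is on the signing side, not the role alone: either add `permit-port-forwarding` to the role's `default_extensions` (so it is stamped when the sign request asks for nothing) or pass it in the sign request's `extensions` parameter, then fetch a fresh certificate. The certificate extension is only one gate; the server's `sshd_config` must also permit `AllowTcpForwarding` for `-L` to work.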