On 07/05/2021 08:27, Rory Campbell-Lange wrote:
On 07/05/21, Kadel-Garcia, Nico (nico.kadel-garcia@xxxxxxxxxxx) wrote:
Oh, yes, it's Hashicorp Vault. It's been a very long day.
I enabled the "permit-port-forwarding" option in the ssh-client-signer role, and it did not help.
You may want to set the receiving sshd LogLevel to VERBOSE to help find out what the problem is.
Also, inspect the certificate with ssh-keygen -Lf <file>, just to be sure the desired extension is in there. e.g.
$ ssh-keygen -Lf test.cert
test.cert:
Type: ssh-rsa-cert-v01@xxxxxxxxxxx user certificate
Public key: RSA-CERT SHA256:mVV81....
Signing CA: RSA SHA256:nqMqs.... (using rsa-sha2-256)
Key ID: "vault-root-99557c...."
Serial: 10087169145372651617
Valid: from 2021-02-22T14:47:42 to 2021-02-23T02:48:12
Principals:
test
Critical Options: (none)
Extensions:
permit-pty
Note that if you put permit-port-forwarding in "allowed_extensions"
and/or "default_extensions" in the signing role, but the client
specifically requests a set of extensions that doesn't include
permit-port-forwarding, then the certificate won't include it.
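The same check can be done programmatically, which is handy when auditing many Vault-issued certificates at once. The following is an added example, not code from this thread, from OpenSSH or from Vault: it decodes the certificate blob according to OpenSSH's PROTOCOL.certkeys layout (length-prefixed SSH "string" fields) and returns the extensions list, so a script can flag certificates that lack permit-port-forwarding. It does not verify the CA signature, only reads the fields. The build_constructed_cert helper assembles a dummy ed25519 user certificate purely as test input (zeroed key, placeholder signature, key ID "vault-root-EXAMPLE"); it would never validate against a real CA.

```python
"""Read the extensions field of an OpenSSH certificate (added example).

Format per OpenSSH PROTOCOL.certkeys: '<type> <base64> [comment]', where the
base64 blob is a sequence of RFC 4251 'string' / uint32 / uint64 fields.
Signature verification is out of scope here.
"""
import base64
import struct
import sys
import time


def _string(blob, off):
    """Read one 'string' (uint32 big-endian length + bytes); return (bytes, new_offset)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string field")
    return blob[off:off + n], off + n


def _u32(blob, off):
    return struct.unpack(">I", blob[off:off + 4])[0], off + 4


def _u64(blob, off):
    return struct.unpack(">Q", blob[off:off + 8])[0], off + 8


def _packed(blob):
    """Unpack consecutive 'string' fields (e.g. the principals list)."""
    items, off = [], 0
    while off < len(blob):
        s, off = _string(blob, off)
        items.append(s)
    return items


def _pairs(blob):
    """Critical options and extensions are (name, data) string pairs."""
    items = _packed(blob)
    return {items[i].decode(): items[i + 1] for i in range(0, len(items), 2)}


def parse_openssh_cert(line):
    """Parse the contents of a -cert.pub file into a dict of the interesting fields."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<cert type> <base64>'")
    blob = base64.b64decode(parts[1])
    ktype, off = _string(blob, 0)
    if ktype.decode() != parts[0]:
        raise ValueError("key type prefix does not match blob")
    _nonce, off = _string(blob, off)
    # The public-key fields that follow depend on the key type.
    if ktype.startswith(b"ssh-rsa-cert"):
        _e, off = _string(blob, off)       # mpint e
        _n, off = _string(blob, off)       # mpint n
    elif ktype.startswith(b"ssh-ed25519-cert"):
        _pk, off = _string(blob, off)      # 32-byte public key
    else:
        raise ValueError("unsupported certificate type %s" % ktype.decode())
    serial, off = _u64(blob, off)
    cert_type, off = _u32(blob, off)      # 1 = user certificate, 2 = host certificate
    key_id, off = _string(blob, off)
    principals, off = _string(blob, off)
    valid_after, off = _u64(blob, off)
    valid_before, off = _u64(blob, off)
    critical, off = _string(blob, off)
    extensions, off = _string(blob, off)
    _reserved, off = _string(blob, off)
    _sig_key, off = _string(blob, off)
    _sig, off = _string(blob, off)
    return {
        "type": "user" if cert_type == 1 else "host",
        "serial": serial,
        "key_id": key_id.decode(),
        "principals": [p.decode() for p in _packed(principals)],
        "valid_after": valid_after,
        "valid_before": valid_before,
        "critical_options": sorted(_pairs(critical)),
        "extensions": sorted(_pairs(extensions)),
    }


def has_extension(line, name):
    """True if the certificate carries the named extension (e.g. permit-port-forwarding)."""
    return name in parse_openssh_cert(line)["extensions"]


# --- constructed test material; NOT a real Vault-issued certificate ---

def _enc(b):
    return struct.pack(">I", len(b)) + b


def build_constructed_cert(extensions, principals=("test",)):
    """Assemble a dummy ssh-ed25519 user certificate (zeroed key, placeholder
    signature). It parses, but would never validate against a CA."""
    ktype = b"ssh-ed25519-cert-v01@openssh.com"
    now = int(time.time())
    ext_blob = b"".join(_enc(e.encode()) + _enc(b"") for e in sorted(extensions))
    body = (
        _enc(ktype)
        + _enc(b"\x00" * 32)                                 # nonce
        + _enc(b"\x00" * 32)                                 # placeholder public key
        + struct.pack(">Q", 1)                               # serial (constructed)
        + struct.pack(">I", 1)                               # user certificate
        + _enc(b"vault-root-EXAMPLE")                        # key ID (constructed)
        + _enc(b"".join(_enc(p.encode()) for p in principals))
        + struct.pack(">Q", now) + struct.pack(">Q", now + 12 * 3600)
        + _enc(b"")                                          # no critical options
        + _enc(ext_blob)
        + _enc(b"")                                          # reserved
        + _enc(_enc(b"ssh-ed25519") + _enc(b"\x00" * 32))    # signature key
        + _enc(_enc(b"ssh-ed25519") + _enc(b"\x00" * 64))    # placeholder signature
    )
    return "%s %s constructed" % (ktype.decode(), base64.b64encode(body).decode())


if __name__ == "__main__":
    # Usage: python cert_ext.py id_rsa-cert.pub
    with open(sys.argv[1]) as f:
        print(parse_openssh_cert(f.read()))
```

Run it against a real -cert.pub and compare with ssh-keygen -Lf: the extensions list should match line for line. A certificate signed with only permit-pty requested, as in the output above, parses with extensions == ["permit-pty"] and has_extension(..., "permit-port-forwarding") is False, which is exactly the condition that makes sshd refuse forwarding.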
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev