Mailing List Archive

Signed SSH keys do not handle port forwarding correctly
Good evening:

Some of you may remember me, I did my first SSH ports in the 1990's. I'm writing from my work account for questions I'm encountering at work. I'm working with SSH client signatures, with an Atlassian Vault setup, on CentOS 7 hosts with openssh-7.4p1. Atlassian Vault provides me a private key signature with their ssh-client-signer tool to access a remote host. This works well.

ssh -i .ssh/vault-signed-key -i .ssh/id_rsa username@10.0.0.10

So far, so good. But let's say that host is also a tomcat server running unencrypted on port 8000, and I'd like to port-forward the local service to my localhost.

ssh -i .ssh/vault-signed-key -i .ssh/id_rsa -N -L localhost:8000:localhost:8000 username@10.0.0.10 &
lynx http://localhost:8000

The port forwarding does not work. If I copy over my personal public key to ~username/.ssh/authorized_keys on 10.0.0.10, then port forwarding works either of these two ways.

ssh -i .ssh/vault-signed-key -i .ssh/id_rsa -N -L localhost:8001:localhost:8000 username@10.0.0.10 &
lynx http://localhost:8001

ssh -i .ssh/id_rsa -N -L localhost:8002:localhost:8000 username@10.0.0.10 &
lynx http://localhost:8002

It seems that relying on the signature for the personal SSH keys disables the use of port forwarding. Is this expected? Because I'm not easily finding good documentation for the loss of this feature. And I'd like to be able to port-forward remote services without exposing them directly to my local network.

Nico Kadel-Garcia
Senior DevOps Engineer
Cengage Learning
200 Pier Four Blvd.
Boston, MA 02210
nico.kadel-garcia@cengage.com

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Signed SSH keys do not handle port forwarding correctly
On 07/05/21, Kadel-Garcia, Nico (nico.kadel-garcia@cengage.com) wrote:
> So far, so good. But let's say that host is also a tomcat server running unencrypted on port 8000, and I'd like to port-forward the local service to my localhost.
>
> ssh -i .ssh/vault-signed-key -i .ssh/id_rsa -N -L localhost:8000:localhost:8000 username@10.0.0.10 &
> lynx http://localhost:8000

Is the Atlassian Vault actually Hashicorp Vault?

If so does the signed key have "permit-port-forwarding" enabled? i.e.

$ vault write ssh-client-signer/roles/my-role -<<"EOH"
{
"allow_user_certificates": true,
"allowed_users": "*",
"allowed_extensions": "permit-pty,permit-port-forwarding",
"default_extensions": [
{
"permit-pty": ""
}
],
"key_type": "ca",
"default_user": "ubuntu",
"ttl": "30m0s"
}
EOH

https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates#signing-key-role-configuration

Rory
RE: [EXTERNAL] Re: Signed SSH keys do not handle port forwarding correctly
Oh, yes, it's Hashicorp Vault. It's been a very long day.

I enabled the "permit-port-forwarding" option in the ssh-client-signer role, and it did not help.

Nico Kadel-Garcia
Senior DevOps Engineer
Cengage Learning
200 Pier Four Blvd.
Boston, MA 02210
nico.kadel-garcia@cengage.com

Re: [EXTERNAL] Re: Signed SSH keys do not handle port forwarding correctly
On 07/05/21, Kadel-Garcia, Nico (nico.kadel-garcia@cengage.com) wrote:
> Oh, yes, it's Hashicorp Vault. It's been a very long day.
>
> I enabled the "permit-port-forwarding" option in the ssh-client-signer role, and it did not help.

You may want to set the receiving sshd LogLevel to VERBOSE to help find out what the problem is.

Rory
RE: [EXTERNAL] Re: Signed SSH keys do not handle port forwarding correctly
Fair enough. That's a step for tomorrow. I wasn't sure if *anyone* had tried this.

Nico Kadel-Garcia
Senior DevOps Engineer
Cengage Learning
200 Pier Four Blvd.
Boston, MA 02210
nico.kadel-garcia@cengage.com

Re: [EXTERNAL] Re: Signed SSH keys do not handle port forwarding correctly
On 07/05/2021 08:27, Rory Campbell-Lange wrote:
> On 07/05/21, Kadel-Garcia, Nico (nico.kadel-garcia@cengage.com) wrote:
>> Oh, yes, it's Hashicorp Vault. It's been a very long day.
>>
>> I enabled the "permit-port-forwarding" option in the ssh-client-signer role, and it did not help.
> You may want to set the receiving sshd LogLevel to VERBOSE to help find out what the problem is.

Also, inspect the certificate with ssh-keygen -Lf <file>, just to be
sure the desired extension is in there. e.g.

$ ssh-keygen -Lf test.cert
test.cert:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:mVV81....
        Signing CA: RSA SHA256:nqMqs.... (using rsa-sha2-256)
        Key ID: "vault-root-99557c...."
        Serial: 10087169145372651617
        Valid: from 2021-02-22T14:47:42 to 2021-02-23T02:48:12
        Principals:
                test
        Critical Options: (none)
        Extensions:
                permit-pty

Note that if you put permit-port-forwarding in "allowed_extensions"
and/or "default_extensions" in the signing role, but the client
specifically requests a set of extensions that doesn't include
permit-port-forwarding, then the certificate won't include it.
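A programmatic form of that check, added here as an example (it is not code from the thread, from OpenSSH or from Vault): it decodes the certificate's wire format and lists the extensions that ssh-keygen -Lf would print, covering RSA, ECDSA P-256 and Ed25519 certificates rather than only the RSA one shown above. The `constructed_cert` helper builds an unsigned dummy Ed25519 certificate as test input; its key ID and key bytes are made up.

```python
import base64
import struct

# Public-key fields that follow the nonce, per certificate type
# (RSA: e, n; ECDSA: curve name, point; Ed25519: raw key bytes).
KEY_FIELDS = {b"ssh-rsa-cert-v01@openssh.com": 2,
              b"ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
              b"ssh-ed25519-cert-v01@openssh.com": 1}

def _s(b):
    """Encode an SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

class Reader:
    def __init__(self, data):
        self.data, self.off = data, 0
    def string(self):
        (n,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4 + n
        return self.data[self.off - n:self.off]

def cert_extensions(cert_line):
    """Extension names of an OpenSSH user certificate, as ssh-keygen -Lf lists them."""
    r = Reader(base64.b64decode(cert_line.split()[1]))
    key_type = r.string()
    if key_type not in KEY_FIELDS:
        raise ValueError("unsupported certificate type %r" % key_type)
    for _ in range(1 + KEY_FIELDS[key_type]):  # nonce + public-key fields
        r.string()
    r.off += 12                                 # serial (uint64) + type (uint32)
    r.string(); r.string()                      # key id, principals
    r.off += 16                                 # valid after + valid before
    r.string()                                  # critical options
    ext, names = Reader(r.string()), []
    while ext.off < len(ext.data):
        names.append(ext.string().decode())     # extension name
        ext.string()                            # extension data (empty for flags)
    return names

def permits_port_forwarding(cert_line):
    return "permit-port-forwarding" in cert_extensions(cert_line)

def constructed_cert(extensions):
    """Structurally valid Ed25519 certificate with dummy nonce, key, CA and signature (constructed test input; no CA signed it)."""
    fields = [_s(b"ssh-ed25519-cert-v01@openssh.com"), _s(b"\x00" * 32), _s(b"\x01" * 32),
              struct.pack(">QI", 1, 1), _s(b"vault-root-EXAMPLE"), _s(_s(b"test")),
              struct.pack(">QQ", 0, 2**40), _s(b""),
              _s(b"".join(_s(e.encode()) + _s(b"") for e in extensions)),
              _s(b""), _s(_s(b"ssh-ed25519") + _s(b"\x02" * 32)),
              _s(_s(b"ssh-ed25519") + _s(b"\x03" * 64))]
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(b"".join(fields)).decode()
```

Feed `cert_extensions` the single line from a real `*-cert.pub` file (for example the signed key Vault hands back) to confirm permit-port-forwarding is actually present before chasing the sshd side.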

