SSH CA cannot get a tty

con-f-use · September 11, 2021, 4:18pm

Hi,

so far I have managed to configure my server so that the client can ssh with a key singed by vault. I.e. I can do:

user@client $ ssh-keygen -Lf ~/.ssh/server-signed.pub
/tmp/qashare-signed-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:...
        Signing CA: RSA SHA256:... (using ssh-rsa)
        Key ID: "vault-..."
        Serial: ...
        Valid: from 2021-09-11T17:43:41 to 2021-09-11T18:14:11
        Principals: 
                serveruser
        Critical Options: (none)
        Extensions: 
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
user@client $ ssh -i ~/.ssh/id_rsa -i ~/.ssh/server_signed.pub serveruser@server bash --login
hostname
server
echo $USER
serveruser
vim .bashrc
Vim: Warning: Output is not to a terminal
Vim: Warning: Input is not from a terminal

The problem, as you can see from the output above, is that the permit-pty extension doesn’t seem to work properly, because neither do I see a prompt on the server, nor a motd and when I use something like vim on the server get “not a terminal” type of warnings.

How do I get this working just like it was a regular ssh session?

con-f-use · September 11, 2021, 4:27pm

Please note that I have this in the role configuration:

mikegreen · September 13, 2021, 3:46pm

Does /var/log/auth.log show anything on the server?

con-f-use · September 15, 2021, 4:32pm

Thanks for the help, the problem was a stupid one:

I used

ssh -i ~/.ssh/id_rsa -i ~/.ssh/server_signed.pub serveruser@server bash --login

when I should have used

ssh -i ~/.ssh/id_rsa -i ~/.ssh/server_signed.pub serveruser@server

No idea why, though.