Score:0

"PTY allocation request failed on channel 0" with CertificateFile


I have a problem with TTY allocation when I try to connect via ssh with a trusted certificate containing the public key.

If I perform a classic ssh login as the user, e.g. ssh -i test-key-for-vault -o IdentitiesOnly=yes -t bob@<server-ip>, everything works correctly, but if I try to do it using trusted certificates, for example by entering at the bottom of my /etc/ssh/sshd_config file (it is the default one)

TrustedUserCAKeys /etc/ssh/lgt-trusted-user-ca-keys.pem
Match User bob
  AllowTcpForwarding yes
  PermitTTY yes
  AuthorizedPrincipalsFile /etc/ssh/bob_principals

then with the command

ssh -i test-key-for-vault-rsa -o CertificateFile=signed-cert-rsa.pub -o IdentitiesOnly=yes bob@<server-ip>

I can log in, but I don't get my normal shell prompt (i.e., the user name and server name it typically displays on the command line, bob@ip-xxx-xxx-xxx:/home/bob),

and if I try to forcibly allocate with -t:

ssh -i test-key-for-vault-rsa -o CertificateFile=signed-cert-rsa.pub -o IdentitiesOnly=yes -t bob@<server-ip>

I get the message

PTY allocation request failed on channel 0

Some context details:

  • I am trying to use hashicorp/vault as the "source of truth" to generate the certificate
  • I am using ssh on an Ubuntu 22.04 server
  • I have already tried the main suggestions that can be found with a Google search, such as:
    • trying PermitTTY yes and also PermitTTY no
    • adding the line none /dev/pts devpts defaults 0 0 to /etc/fstab and rebooting the system

Does anyone have any suggestions, any other checks I can do?

Score:0

I found that the error was not server-side, but in how I generated the certificate.

For example, generating the signed cert manually works!

I've used the command

ssh-keygen -s ca_ssh_key -I "$(date)" -n bob -V +1h test-key-for-vault-rsa.pub

to generate a valid signature. Analyzing it with ssh-keygen -Lf testcert.pub gives:

testcert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:4VHKC6rJCp7/dI6MkL8vxUPAMEWyWEbJ4J3KgnrgT/Q
        Signing CA: RSA SHA256:ipiIb0Alzu1W38SiwvMWO6VEcYtBK6KgNHmRJcxcQiE (using rsa-sha2-256)
        Key ID: "vault-userpass-bob-e151ca0baac90a9eff748e8c90bf2fc543c03045b25846c9e09dca827ae04ff4"
        Serial: 4538299703429475958
        Valid: from 2023-06-02T12:24:09 to 2023-06-02T13:24:39
        Principals: 
                bob
        Critical Options: (none)
        Extensions: 
                permit-agent-forwarding
                permit-pty

which shows the presence of the "Extensions" section.

I was using a tool that generated the certificate without including this section, which is why it didn't work as I expected.

I hope it will be useful to others as well.
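To make the fix above concrete, here is an added example that is not part of the original answer or of any tool the thread mentions: a small Python decoder for the OpenSSH certificate format (the same fields ssh-keygen -L prints) plus a check that flags a certificate which will authenticate but never get a PTY. The certificate it parses is constructed inline with dummy key material and a zero-filled placeholder signature, so it demonstrates structure only and verifies nothing; the key ID and principal in the sample are made up. On a real host the equivalent check is ssh-keygen -L -f signed-cert-rsa.pub and looking for permit-pty under Extensions.

```python
# Added example (not from the original post): decode an OpenSSH certificate the
# way `ssh-keygen -L` does and check the fields that decide whether a login as a
# given user gets a PTY. Sample cert is constructed; no signature is verified.
import base64
import time

USER_CERT = 1  # certificate "type" field: 1 = user, 2 = host
# Number of leading "string" fields that hold the public key, per key type.
_PK_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1,   # pk
              "ssh-rsa-cert-v01@openssh.com": 2}       # e, n

def _uint(buf, off, n):  # big-endian unsigned int of n bytes -> (value, new off)
    return int.from_bytes(buf[off:off + n], "big"), off + n

def _string(buf, off):  # SSH 'string': uint32 length, then that many bytes
    n, off = _uint(buf, off, 4)
    return buf[off:off + n], off + n

def _pack_string(b):
    return len(b).to_bytes(4, "big") + b

def _names(blob):
    """'valid principals' field: a packed sequence of strings."""
    out, off = [], 0
    while off < len(blob):
        s, off = _string(blob, off)
        out.append(s.decode())
    return out

def _pairs(blob):
    """Critical options / extensions: packed (name, data) pairs where data is
    itself a packed string, or empty for the permit-* extensions."""
    out, off = {}, 0
    while off < len(blob):
        name, off = _string(blob, off)
        data, off = _string(blob, off)
        out[name.decode()] = _string(data, 0)[0].decode() if data else ""
    return out

def parse_cert(line):
    """Parse one line of a *-cert.pub file into its certificate fields."""
    key_type, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    ktype, off = _string(buf, 0)
    if ktype.decode() != key_type:
        raise ValueError("key type inside the blob does not match the prefix")
    _nonce, off = _string(buf, off)
    for _ in range(_PK_FIELDS[key_type]):
        _pubkey_part, off = _string(buf, off)
    serial, off = _uint(buf, off, 8)
    ctype, off = _uint(buf, off, 4)
    key_id, off = _string(buf, off)
    principals, off = _string(buf, off)
    valid_after, off = _uint(buf, off, 8)
    valid_before, off = _uint(buf, off, 8)
    crit, off = _string(buf, off)
    exts, off = _string(buf, off)  # reserved, CA key and signature follow
    return {"key_type": key_type, "serial": serial, "type": ctype,
            "key_id": key_id.decode(), "principals": _names(principals),
            "valid_after": valid_after, "valid_before": valid_before,
            "critical_options": _pairs(crit), "extensions": _pairs(exts)}

def check_user_cert(cert, user, now=None):
    """Reasons a login as `user` with this cert would be refused or land in a
    session without a PTY; an empty list means the structure looks fine."""
    now = time.time() if now is None else now
    problems = []
    if cert["type"] != USER_CERT:
        problems.append("not a user certificate")
    if user not in cert["principals"]:
        problems.append(f"principal {user!r} not in certificate")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("certificate not valid at this time")
    if "permit-pty" not in cert["extensions"]:
        problems.append("permit-pty extension missing: sshd will refuse "
                        "the PTY request (the error in the question)")
    return problems

def build_user_cert(key_id, principals, valid_after, valid_before, extensions):
    """Constructed sample only: dummy keys and a zero-filled signature, so it
    parses like a real certificate but sshd would never accept it."""
    ktype = b"ssh-ed25519-cert-v01@openssh.com"
    packed_exts = b"".join(  # names must be in lexical order
        _pack_string(n.encode()) + _pack_string(_pack_string(v.encode()) if v else b"")
        for n, v in sorted(extensions.items()))
    body = (_pack_string(ktype)
            + _pack_string(b"\x00" * 32)                             # nonce
            + _pack_string(b"\x11" * 32)                             # dummy ed25519 pk
            + (42).to_bytes(8, "big") + USER_CERT.to_bytes(4, "big")  # serial, type
            + _pack_string(key_id.encode())
            + _pack_string(b"".join(_pack_string(p.encode()) for p in principals))
            + valid_after.to_bytes(8, "big") + valid_before.to_bytes(8, "big")
            + _pack_string(b"")                                      # no critical options
            + _pack_string(packed_exts)
            + _pack_string(b"")                                      # reserved
            + _pack_string(_pack_string(b"ssh-ed25519") + _pack_string(b"\x22" * 32))
            + _pack_string(b"\x00" * 64))                            # placeholder signature
    return f"{ktype.decode()} {base64.b64encode(body).decode()} constructed-sample"

if __name__ == "__main__":
    now = int(time.time())
    for label, exts in (("with permit-pty", {"permit-pty": "", "permit-agent-forwarding": ""}),
                        ("no extensions", {})):
        cert = parse_cert(build_user_cert("vault-userpass-bob", ["bob"], now - 60, now + 3600, exts))
        print(label, cert["extensions"], check_user_cert(cert, "bob") or "OK")
```

The principal check matters as much as the extension: the Match User bob block in the question points sshd at AuthorizedPrincipalsFile /etc/ssh/bob_principals, and a certificate whose Principals list has no entry from that file is refused outright rather than landing in a PTY-less shell, so the two failures look different on the client. For HashiCorp Vault specifically, which the thread does not go into, the SSH secrets engine role has a default_extensions field that must list permit-pty for the signer to emit it; that is an observation about Vault's role API, not something the answer states.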
