Bug 3412 - ssh_config(5): more clearly describe PubkeyAuthentication values
Summary: ssh_config(5): more clearly describe PubkeyAuthentication values
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Documentation
Version: 8.9p1
Hardware: Other All
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2022-03-23 10:24 AEDT by Christoph Anton Mitterer
Modified: 2022-03-23 10:43 AEDT

Description Christoph Anton Mitterer 2022-03-23 10:24:07 AEDT
Hey.

Would it be possible to describe the values for PubkeyAuthentication more clearly?

"yes" and "no" are probably clear, simply enabling/disabling *any* PubkeyAuthentication.

But for "unbound" and "host-bound" it merely says:
"The final two options enable public key authentication while respectively disabling or enabling the OpenSSH host-bound authentication protocol extension required for restricted ssh-agent(1) forwarding."

Okay... so they both enable PubkeyAuthentication... but "unbound" disables the ssh-agent extension, while "host-bound" enables it?

Shouldn't that mean that one of them ("unbound"?) is synonymous with "yes"?

And which of them would be the more restricted option? Since that ssh-agent extension, AFAIU, can only restrict (further), then "host-bound" should be the safest choice?

Thanks,
Chris.
Comment 1 Damien Miller 2022-03-23 10:43:57 AEDT
There's no more restrictive option - the restriction is performed in ssh-agent. The other options are mostly for debugging and regression testing.
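
As an added example (not part of the bug report and not OpenSSH code), the following Python check resolves the effective PubkeyAuthentication and ForwardAgent values for a host from ssh_config text and flags agent forwarding combined with `unbound`, which per the man page text quoted above disables the extension that restricted ssh-agent forwarding requires. The sample config, host names and function names are constructed for illustration, and Match blocks are skipped as a simplifying assumption.

```python
import fnmatch

# Constructed sample ssh_config with hypothetical hosts (not from the bug report).
SAMPLE_CONFIG = """\
Host bastion.example.org
    ForwardAgent yes
    PubkeyAuthentication unbound
Host *.lab.example.org !legacy.lab.example.org
    ForwardAgent yes
    PubkeyAuthentication host-bound
Host *
    ForwardAgent no
    PubkeyAuthentication=yes
"""

def host_matches(patterns, host):
    """Host line semantics: a matching negated pattern vetoes the whole line."""
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if fnmatch.fnmatch(host, p[1:]):
                return False
        elif fnmatch.fnmatch(host, p):
            matched = True
    return matched

def effective(config_text, host):
    """First obtained value wins, as in ssh_config(5). Match blocks are skipped."""
    result = {}
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        words = raw.replace("=", " ", 1).split()  # accept "Key value" and "Key=value"
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "host":
            active = host_matches(args, host)
        elif key == "match":
            active = False  # assumption: Match criteria are not evaluated here
        elif active and args and key in ("pubkeyauthentication", "forwardagent"):
            result.setdefault(key, args[0].lower())
    return result

def audit(config_text, host):
    """Flag agent forwarding where the host-bound extension is switched off."""
    opts = effective(config_text, host)
    pubkey = opts.get("pubkeyauthentication", "yes")  # "yes" is the documented default
    forwarding = opts.get("forwardagent", "no") != "no"
    if forwarding and pubkey == "unbound":
        return "ForwardAgent on, but 'unbound' disables the host-bound extension"
    return "ok"
```
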