openssh bugs - Mar 2022 - [Bug 3412] New: ssh_config(5): more clearly describe PubkeyAuthentication values

https://bugzilla.mindrot.org/show_bug.cgi?id=3412

            Bug ID: 3412
           Summary: ssh_config(5): more clearly describe
                    PubkeyAuthentication values
           Product: Portable OpenSSH
           Version: 8.9p1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Documentation
          Assignee: unassigned-bugs at mindrot.org
          Reporter: calestyo at scientia.org

Hey.

Would it be possible to describe the values for PubkeyAuthentication
more clearly?

"yes" and "no" are probably clear, simply enabling/disabling
*any*
PubkeyAuthentication.

But for "unbound" and "host-bound" it merely says:
"The final two options enable public key authentication while
respectively disabling or enabling the OpenSSH host-bound
authentication protocol extension required for restricted ssh-agent(1)
forwarding."

Okay... so they both enable PubkeyAuthentication... but "unbound"
disables the ssh-agent extension, while "host-bound" enables them?

Shouldn't that mean that one of them ("unbound"?) is synonymous to
"yes"?

And which of them would be the more restricted options? Since that
ssh-agent extension, AFAIU, can only restrict (further), then
"host-bound" should be the safest choice?

Thanks,
Chris.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3412

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
There's no more restrictive option - the restriction is performed in
ssh-agent. The other options are mostly for debugging and regression
testing.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3412

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.