On Fri, 12 Jan 2018, Michael Ströder wrote:

> HI!
>
> I'm looking at sshd(8), section AUTHORIZED_KEYS FILE FORMAT and
> description for CLI arg -O in ssh-keygen(1).
>
> It seems to me that there could be a 1:1 mapping between SSH cert
> extensions and authz key options by just adding prefix "permit-" to the
> key option.

No, they are separate namespaces that happen to share similar options.

> But the man pages differ regarding case of "permit-x11-forwarding" and
> "X11-forwarding". [1] also says "permit-X11-forwarding". So it might
> only be a typo in ssh-keygen(1).

"permit-x11-forwarding" may appear in a certificate extension.
"x11-forwarding" may appear in authorized_keys, but doesn't make any sense
unless preceded by a "restrict" keyword.

> Questions:
>
> Is there a guaranteed 1:1 mapping between SSH cert extensions and authz
> key options?

No. E.g. there is no "restrict" option for certs because permissions are
explicit in certificates and (mostly) implicit in the older authorized_keys
format.

If I were writing the authorized_keys file format today then I'd make it
explicit like the cert options/extensions are now...

> Are SSH cert extensions and authz key options treated case-insensitive?
> [1] does not say anything about this.

Cert extensions are case sensitive; authorized_keys options aren't.

-d
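Added example, not part of the original thread and not OpenSSH code: a small linter that applies the three rules stated in the reply above (separate namespaces, re-enabling options only meaningful after "restrict", case-sensitive cert extensions versus case-insensitive authorized_keys options). Function names and sample option strings are constructed for illustration; "permit-X11-forwarding" is spelled as the thread's reference [1] is quoted, and the other four extension names are assumed from OpenSSH's PROTOCOL.certkeys.

```python
import re

# Certificate extension names (assumed from PROTOCOL.certkeys); matched exactly
# because certificate extensions are case sensitive.
CERT_EXTENSIONS = {
    "permit-X11-forwarding", "permit-agent-forwarding",
    "permit-port-forwarding", "permit-pty", "permit-user-rc",
}
_CERT_LOWER = {e.lower(): e for e in CERT_EXTENSIONS}

# authorized_keys options that only re-enable a permission removed by "restrict".
REENABLE = {"agent-forwarding", "port-forwarding", "pty", "user-rc", "x11-forwarding"}


def split_options(spec):
    """Split an authorized_keys option list on commas, keeping quoted values whole."""
    return [m.group(0) for m in re.finditer(r'(?:[^,"]|"(?:\\.|[^"\\])*")+', spec)]


def lint_authorized_keys_options(spec):
    """Return findings for one authorized_keys option list (options are case-insensitive)."""
    findings, restricted = [], False
    for opt in split_options(spec):
        name = opt.split("=", 1)[0].strip().lower()
        if name == "restrict":
            restricted = True
        elif name in REENABLE and not restricted:
            # Order matters: the option must come after "restrict" to mean anything.
            findings.append(f"{opt}: no effect without a preceding 'restrict'")
        elif name in _CERT_LOWER:
            findings.append(f"{opt}: certificate extension name, not an authorized_keys option")
    return findings


def lint_cert_extension(name):
    """Return None if the extension name matches exactly, else a description of the problem."""
    if name in CERT_EXTENSIONS:
        return None
    if name.lower() in _CERT_LOWER:
        return f"{name}: case mismatch, expected {_CERT_LOWER[name.lower()]}"
    return f"{name}: not one of the extension names known to this check"


if __name__ == "__main__":
    for spec in ('X11-forwarding', 'restrict,PTY,command="echo a,b"', 'restrict,permit-pty'):
        print(spec, "->", lint_authorized_keys_options(spec))
    print(lint_cert_extension("permit-x11-forwarding"))
```
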