doc: accountModify: more details on the --egress-strict-host-key-checking option

Stéphane Lesimple 2021-05-19 14:46:02 +00:00 committed by Stéphane Lesimple
parent b7b2533604
commit 68e088a607
2 changed files with 26 additions and 16 deletions


@ -38,8 +38,13 @@ Usage: --osh SCRIPT_NAME --account ACCOUNT [--option value [--option value [...]
--mfa-totp-required yes|no|bypass Enable or disable TOTP requirement for this account in addition to pubkey auth (default is 'no'),
this overrides the global bastion configuration 'accountMFAPolicy'. If 'bypass' is specified,
no OTP will ever be asked, even for groups or plugins explicitly requiring it
--egress-strict-host-key-checking POLICY Modify the egress SSH behavior of this account regarding StrictHostKeyChecking (see man ssh_config),
POLICY can be 'yes', 'accept-new', 'no', 'ask', 'default' or 'bypass'
--egress-strict-host-key-checking POLICY Modify the egress SSH behavior of this account regarding ``StrictHostKeyChecking`` (see `man ssh_config`),
POLICY can be 'yes', 'accept-new', 'no', 'ask', 'default' or 'bypass'.
'bypass' means setting ``StrictHostKeyChecking=no`` and ``UserKnownHostsFile=/dev/null``,
which will permit egress connections in all cases, even when host keys change all the time on the same target.
This effectively suppress the host key checking entirely. Please don't enable this blindly.
'default' will remove this account's ``StrictHostKeyChecking`` setting override.
All the other policies carry the same meaning that what is documented in `man ssh_config`.
--personal-egress-mfa-required POLICY Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server
using the personal keys of the account, POLICY can be 'password', 'totp', 'any' or 'none'
--always-active yes|no Set or unset the account as always active (i.e. disable the check of the 'active' status on this account)
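Review bot: two grammar slips in the new 'bypass' paragraph: "This effectively suppress the host key checking entirely" should read "This effectively suppresses host key checking entirely", and "carry the same meaning that what is documented" should be "carry the same meaning as what is documented". It would also help to make the warning concrete: with ``UserKnownHostsFile=/dev/null`` no host key is ever recorded, so a changed or spoofed key on the target can never be detected by the bastion, which is the actual reason not to enable this blindly. Since this file looks like the plain-text usage printed by the plugin, the ``...`` and `...` markup added on these lines will be shown verbatim on the terminal unless the help renderer strips it.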


@ -38,9 +38,14 @@ Modify an account configuration
no OTP will ever be asked, even for groups or plugins explicitly requiring it
.. option:: --egress-strict-host-key-checking POLICY
Modify the egress SSH behavior of this account regarding StrictHostKeyChecking (see man ssh_config),
Modify the egress SSH behavior of this account regarding ``StrictHostKeyChecking`` (see `man ssh_config`),
POLICY can be 'yes', 'accept-new', 'no', 'ask', 'default' or 'bypass'
POLICY can be 'yes', 'accept-new', 'no', 'ask', 'default' or 'bypass'.
'bypass' means setting ``StrictHostKeyChecking=no`` and ``UserKnownHostsFile=/dev/null``,
which will permit egress connections in all cases, even when host keys change all the time on the same target.
This effectively suppress the host key checking entirely. Please don't enable this blindly.
'default' will remove this account's ``StrictHostKeyChecking`` setting override.
All the other policies carry the same meaning that what is documented in `man ssh_config`.
.. option:: --personal-egress-mfa-required POLICY
Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server
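Review bot: the same grammar fixes apply here ("suppresses", "the same meaning as what is documented"). In this reStructuredText version, `man ssh_config` in single backticks is interpreted text and will be rendered through Sphinx's default role (a title reference, typically italics), while the adjacent ``StrictHostKeyChecking`` is an inline literal; use ``man ssh_config`` so both render as literals consistently.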