|
 |
6cf9b8e |
diff -up openssh-7.4p1/ssh_config.5.gss-docs openssh-7.4p1/ssh_config.5
|
|
|
6cf9b8e |
--- openssh-7.4p1/ssh_config.5.gss-docs 2016-12-23 14:28:34.051714486 +0100
|
|
|
6cf9b8e |
+++ openssh-7.4p1/ssh_config.5 2016-12-23 14:34:24.568522417 +0100
|
|
|
6cf9b8e |
@@ -765,10 +765,19 @@ The default is
|
|
|
d9d9575 |
If set to
|
|
|
d9d9575 |
.Dq yes
|
|
|
d9d9575 |
then renewal of the client's GSSAPI credentials will force the rekeying of the
|
|
|
d9d9575 |
-ssh connection. With a compatible server, this can delegate the renewed
|
|
|
d9d9575 |
+ssh connection. With a compatible server, this will delegate the renewed
|
|
|
d9d9575 |
credentials to a session on the server.
|
|
|
d9d9575 |
+.Pp
|
|
|
d9d9575 |
+Checks are made to ensure that credentials are only propagated when the new
|
|
|
d9d9575 |
+credentials match the old ones on the originating client and where the
|
|
|
d9d9575 |
+receiving server still has the old set in its cache.
|
|
|
d9d9575 |
+.Pp
|
|
|
d9d9575 |
The default is
|
|
|
d9d9575 |
.Dq no .
|
|
|
d9d9575 |
+.Pp
|
|
|
d9d9575 |
+For this to work
|
|
|
d9d9575 |
+.Cm GSSAPIKeyExchange
|
|
|
d9d9575 |
+needs to be enabled in the server and also used by the client.
|
|
|
6cf9b8e |
.It Cm GSSAPIServerIdentity
|
|
|
6cf9b8e |
If set, specifies the GSSAPI server identity that ssh should expect when
|
|
|
6cf9b8e |
connecting to the server. The default is unset, which means that the
|
|
|
6cf9b8e |
@@ -776,9 +785,11 @@ expected GSSAPI server identity will be
|
|
|
6cf9b8e |
hostname.
|
|
|
d9d9575 |
.It Cm GSSAPITrustDns
|
|
|
d9d9575 |
Set to
|
|
|
d9d9575 |
-.Dq yes to indicate that the DNS is trusted to securely canonicalize
|
|
|
d9d9575 |
+.Dq yes
|
|
|
d9d9575 |
+to indicate that the DNS is trusted to securely canonicalize
|
|
|
d9d9575 |
the name of the host being connected to. If
|
|
|
d9d9575 |
-.Dq no, the hostname entered on the
|
|
|
d9d9575 |
+.Dq no ,
|
|
|
d9d9575 |
+the hostname entered on the
|
|
|
d9d9575 |
command line will be passed untouched to the GSSAPI library.
|
|
|
d9d9575 |
The default is
|
|
|
d9d9575 |
.Dq no .
|
|
|
6cf9b8e |
diff -up openssh-7.4p1/sshd_config.5.gss-docs openssh-7.4p1/sshd_config.5
|
|
|
6cf9b8e |
--- openssh-7.4p1/sshd_config.5.gss-docs 2016-12-23 14:28:34.043714490 +0100
|
|
|
6cf9b8e |
+++ openssh-7.4p1/sshd_config.5 2016-12-23 14:28:34.051714486 +0100
|
|
|
6cf9b8e |
@@ -652,6 +652,10 @@ Controls whether the user's GSSAPI crede
|
|
|
d9d9575 |
successful connection rekeying. This option can be used to accepted renewed
|
|
|
d9d9575 |
or updated credentials from a compatible client. The default is
|
|
|
d9d9575 |
.Dq no .
|
|
|
d9d9575 |
+.Pp
|
|
|
d9d9575 |
+For this to work
|
|
|
d9d9575 |
+.Cm GSSAPIKeyExchange
|
|
|
d9d9575 |
+needs to be enabled in the server and also used by the client.
|
|
|
d9d9575 |
.It Cm HostbasedAcceptedKeyTypes
|
|
|
d9d9575 |
Specifies the key types that will be accepted for hostbased authentication
|
|
|
bbf61da |
as a list of comma-separated patterns.
|