diff -up openssh-7.4p1/ssh_config.5.gss-docs openssh-7.4p1/ssh_config.5
--- openssh-7.4p1/ssh_config.5.gss-docs	2016-12-23 14:28:34.051714486 +0100
+++ openssh-7.4p1/ssh_config.5	2016-12-23 14:34:24.568522417 +0100
@@ -765,10 +765,19 @@ The default is
 If set to 
 .Dq yes
 then renewal of the client's GSSAPI credentials will force the rekeying of the
-ssh connection. With a compatible server, this can delegate the renewed 
+ssh connection. With a compatible server, this will delegate the renewed 
 credentials to a session on the server.
+.Pp
+Checks are made to ensure that credentials are only propagated when the new
+credentials match the old ones on the originating client and where the
+receiving server still has the old set in its cache.
+.Pp
 The default is
 .Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
 .It Cm GSSAPIServerIdentity
 If set, specifies the GSSAPI server identity that ssh should expect when 
 connecting to the server. The default is unset, which means that the
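Review bot: Changing "can delegate" to "will delegate" in the first modified line makes delegation read as unconditional, yet the paragraph added directly below states that credentials are only propagated when the new credentials match the old ones on the client and the server still has the old set in its cache. Consider keeping "can", or tying "will" to those checks passing. The GSSAPIKeyExchange requirement is also placed after "The default is no.", so the prerequisite is easy to miss; moving it ahead of the default would keep the default as the closing sentence of the entry, as it is for GSSAPITrustDns further down. The replacement line still ends in a trailing space after "renewed".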
@@ -776,9 +785,11 @@ expected GSSAPI server identity will be
 hostname.
 .It Cm GSSAPITrustDns
 Set to 
-.Dq yes to indicate that the DNS is trusted to securely canonicalize
+.Dq yes
+to indicate that the DNS is trusted to securely canonicalize
 the name of the host being connected to. If 
-.Dq no, the hostname entered on the
+.Dq no ,
+the hostname entered on the
 command line will be passed untouched to the GSSAPI library.
 The default is
 .Dq no .
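Review bot: The GSSAPITrustDns entry still has mdoc style problems on the unchanged lines around the two .Dq fixes: "Set to " and "the name of the host being connected to. If " both end in trailing whitespace, and the second one starts a new sentence ("If") in the middle of an input line. Since this hunk already reflows the paragraph to split the .Dq arguments correctly, it would be cleaner to also put "If" at the start of its own line and strip the trailing spaces, so the entry passes a lint run without warnings.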
diff -up openssh-7.4p1/sshd_config.5.gss-docs openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.gss-docs	2016-12-23 14:28:34.043714490 +0100
+++ openssh-7.4p1/sshd_config.5	2016-12-23 14:28:34.051714486 +0100
@@ -652,6 +652,10 @@ Controls whether the user's GSSAPI crede
 successful connection rekeying. This option can be used to accepted renewed 
 or updated credentials from a compatible client. The default is
 .Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a comma-separated pattern list.
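Review bot: The context line directly above the added paragraph still reads "This option can be used to accepted renewed or updated credentials", which should be "to accept"; a documentation patch touching this entry is the natural place to fix it. The added sentence is also copied verbatim from the ssh_config.5 hunk, and in sshd_config.5 the phrase "enabled in the server" could simply name the option in this file, for example "GSSAPIKeyExchange needs to be enabled here and also used by the client", so the reader knows no other file is involved on the server side.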