GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2019-06-05 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2019-06-05 07:06:44 +0100
commit: 7ce79be85036c4b36937f1b1ba85f6094068412c (patch)
tree: c964917d8395ef5605cff9513aad4458b222beae /ssh.1
parent: 102062f825fb26a74295a1c089c00c4c4c76b68a (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/ssh.1 b/ssh.1
index 9480eba8d..a1c7d2305 100644
--- a/ssh.1
+++ b/ssh.1
@@ -497,7 +497,13 @@ For full details of the options listed below, and their possible values, see
 .It GatewayPorts
 .It GlobalKnownHostsFile
 .It GSSAPIAuthentication
+.It GSSAPIKeyExchange
+.It GSSAPIClientIdentity
 .It GSSAPIDelegateCredentials
+.It GSSAPIKexAlgorithms
+.It GSSAPIRenewalForcesRekey
+.It GSSAPIServerIdentity
+.It GSSAPITrustDns
 .It HashKnownHosts
 .It Host
 .It HostbasedAuthentication
@@ -573,6 +579,8 @@ flag),
 (supported message integrity codes),
 .Ar kex
 (key exchange algorithms),
+.Ar kex-gss
+(GSSAPI key exchange algorithms),
 .Ar key
 (key types),
 .Ar key-cert
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2019-06-05 07:06:44 +0100
commit	7ce79be85036c4b36937f1b1ba85f6094068412c (patch)
tree	c964917d8395ef5605cff9513aad4458b222beae /ssh.1
parent	102062f825fb26a74295a1c089c00c4c4c76b68a (diff)

diff --git a/ssh.1 b/ssh.1 index 9480eba8d..a1c7d2305 100644 --- a/ssh.1 +++ b/ssh.1
@@ -497,7 +497,13 @@ For full details of the options listed below, and their possible values, see
497	.It GatewayPorts	497	.It GatewayPorts
498	.It GlobalKnownHostsFile	498	.It GlobalKnownHostsFile
499	.It GSSAPIAuthentication	499	.It GSSAPIAuthentication
		500	.It GSSAPIKeyExchange
		501	.It GSSAPIClientIdentity
500	.It GSSAPIDelegateCredentials	502	.It GSSAPIDelegateCredentials
		503	.It GSSAPIKexAlgorithms
		504	.It GSSAPIRenewalForcesRekey
		505	.It GSSAPIServerIdentity
		506	.It GSSAPITrustDns
501	.It HashKnownHosts	507	.It HashKnownHosts
502	.It Host	508	.It Host
503	.It HostbasedAuthentication	509	.It HostbasedAuthentication
@@ -573,6 +579,8 @@ flag),
573	(supported message integrity codes),	579	(supported message integrity codes),
574	.Ar kex	580	.Ar kex
575	(key exchange algorithms),	581	(key exchange algorithms),
		582	.Ar kex-gss
		583	(GSSAPI key exchange algorithms),
576	.Ar key	584	.Ar key
577	(key types),	585	(key types),
578	.Ar key-cert	586	.Ar key-cert