GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2020-02-21 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2020-02-21 12:01:36 +0000
commit: 34aff3aa136e5a65f441b25811dd466488fda087 (patch)
tree: e2170faeed03d67545255d3d3c9d62280414c0b2 /ssh.1
parent: f0de78bd4f29fa688c5df116f3f9cd43543a76d0 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/ssh.1 b/ssh.1
index 60de6087a..db5c65bc7 100644
--- a/ssh.1
+++ b/ssh.1
@@ -503,7 +503,13 @@ For full details of the options listed below, and their possible values, see
 .It GatewayPorts
 .It GlobalKnownHostsFile
 .It GSSAPIAuthentication
+.It GSSAPIKeyExchange
+.It GSSAPIClientIdentity
 .It GSSAPIDelegateCredentials
+.It GSSAPIKexAlgorithms
+.It GSSAPIRenewalForcesRekey
+.It GSSAPIServerIdentity
+.It GSSAPITrustDns
 .It HashKnownHosts
 .It Host
 .It HostbasedAuthentication
@@ -579,6 +585,8 @@ flag),
 (supported message integrity codes),
 .Ar kex
 (key exchange algorithms),
+.Ar kex-gss
+(GSSAPI key exchange algorithms),
 .Ar key
 (key types),
 .Ar key-cert
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2020-02-21 12:01:36 +0000
commit	34aff3aa136e5a65f441b25811dd466488fda087 (patch)
tree	e2170faeed03d67545255d3d3c9d62280414c0b2 /ssh.1
parent	f0de78bd4f29fa688c5df116f3f9cd43543a76d0 (diff)

diff --git a/ssh.1 b/ssh.1 index 60de6087a..db5c65bc7 100644 --- a/ssh.1 +++ b/ssh.1
@@ -503,7 +503,13 @@ For full details of the options listed below, and their possible values, see
503	.It GatewayPorts	503	.It GatewayPorts
504	.It GlobalKnownHostsFile	504	.It GlobalKnownHostsFile
505	.It GSSAPIAuthentication	505	.It GSSAPIAuthentication
		506	.It GSSAPIKeyExchange
		507	.It GSSAPIClientIdentity
506	.It GSSAPIDelegateCredentials	508	.It GSSAPIDelegateCredentials
		509	.It GSSAPIKexAlgorithms
		510	.It GSSAPIRenewalForcesRekey
		511	.It GSSAPIServerIdentity
		512	.It GSSAPITrustDns
507	.It HashKnownHosts	513	.It HashKnownHosts
508	.It Host	514	.It Host
509	.It HostbasedAuthentication	515	.It HostbasedAuthentication
@@ -579,6 +585,8 @@ flag),
579	(supported message integrity codes),	585	(supported message integrity codes),
580	.Ar kex	586	.Ar kex
581	(key exchange algorithms),	587	(key exchange algorithms),
		588	.Ar kex-gss
		589	(GSSAPI key exchange algorithms),
582	.Ar key	590	.Ar key
583	(key types),	591	(key types),
584	.Ar key-cert	592	.Ar key-cert