author Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer Colin Watson <cjwatson@debian.org> 2016-02-29 12:31:33 +0000
commit 374db1757fc18bd6647539b80977e6907a2cecd4
tree 9fd8227bdf3548c6fcce1e72b7edf3ebaf71d050 /ssh_config.5
parent c52a95cc4754e6630c96fe65ae0c65eb41d2c590
GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources."

However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2016-01-04
Patch-Name: gssapi.patch
Diffstat (limited to 'ssh_config.5')
-rw-r--r-- ssh_config.5 32
1 files changed, 32 insertions, 0 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index caf13a62d..9060d5be2 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -826,10 +826,42 @@ The default is
826Specifies whether user authentication based on GSSAPI is allowed. 826Specifies whether user authentication based on GSSAPI is allowed.
827The default is 827The default is
828.Dq no . 828.Dq no .
829.It Cm GSSAPIKeyExchange
830Specifies whether key exchange based on GSSAPI may be used. When using
831GSSAPI key exchange the server need not have a host key.
832The default is
833.Dq no .
834.It Cm GSSAPIClientIdentity
835If set, specifies the GSSAPI client identity that ssh should use when
836connecting to the server. The default is unset, which means that the default
837identity will be used.
838.It Cm GSSAPIServerIdentity
839If set, specifies the GSSAPI server identity that ssh should expect when
840connecting to the server. The default is unset, which means that the
841expected GSSAPI server identity will be determined from the target
842hostname.
829.It Cm GSSAPIDelegateCredentials 843.It Cm GSSAPIDelegateCredentials
830Forward (delegate) credentials to the server. 844Forward (delegate) credentials to the server.
831The default is 845The default is
832.Dq no . 846.Dq no .
847.It Cm GSSAPIRenewalForcesRekey
848If set to
849.Dq yes
850then renewal of the client's GSSAPI credentials will force the rekeying of the
851ssh connection. With a compatible server, this can delegate the renewed
852credentials to a session on the server.
853The default is
854.Dq no .
855.It Cm GSSAPITrustDns
856Set to
857.Dq yes
858to indicate that the DNS is trusted to securely canonicalize
859the name of the host being connected to. If
860.Dq no ,
861the hostname entered on the
862command line will be passed untouched to the GSSAPI library.
863The default is
864.Dq no .
833.It Cm HashKnownHosts 865.It Cm HashKnownHosts
834Indicates that 866Indicates that
835.Xr ssh 1 867.Xr ssh 1
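Review bot: The GSSAPIKeyExchange entry states that "the server need not have a host key" but does not say what authenticates the server in that case, and a reader of ssh_config(5) should not have to infer it. Suggest adding a sentence saying that the server is then identified through the GSSAPI exchange, against the identity given by GSSAPIServerIdentity or derived from the target hostname, and whether the usual host key checking still applies when the server does offer a key. In the same spirit, the GSSAPITrustDns entry describes what "yes" and "no" do but gives no reason for the "no" default; since "yes" means the name passed to the GSSAPI library comes from DNS canonicalization rather than from the command line, a short note that it should only be enabled where DNS answers can be trusted would help. GSSAPIRenewalForcesRekey refers to "a compatible server" without saying which server-side support is meant, and GSSAPIClientIdentity and GSSAPIServerIdentity do not describe the expected form of the identity string. Style: the new text runs two sentences together on one source line in several places ("may be used. When using", "to the server. The default is unset", "connected to. If"), whereas the surrounding entries start each sentence on its own line.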