author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2016-12-23 11:24:59 +0000
commit: 9f717de15a8e113f7c6a3db52d75ce0172885f95 (patch)
tree: 75236e36100f74ec69d8e8d38543224237ceacf1 /ssh_config.5
parent: 971a7653746a6972b907dfe0ce139c06e4a6f482 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources."

However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2016-08-07
Patch-Name: gssapi.patch
Diffstat (limited to 'ssh_config.5')
-rw-r--r--  ssh_config.5 | 32
1 files changed, 32 insertions, 0 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 591365f34..a7703fc77 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -748,10 +748,42 @@ The default is
748Specifies whether user authentication based on GSSAPI is allowed. 748Specifies whether user authentication based on GSSAPI is allowed.
749The default is 749The default is
750.Cm no . 750.Cm no .
751.It Cm GSSAPIKeyExchange
752Specifies whether key exchange based on GSSAPI may be used. When using
753GSSAPI key exchange the server need not have a host key.
754The default is
755.Cm no .
756.It Cm GSSAPIClientIdentity
757If set, specifies the GSSAPI client identity that ssh should use when
758connecting to the server. The default is unset, which means that the default
759identity will be used.
760.It Cm GSSAPIServerIdentity
761If set, specifies the GSSAPI server identity that ssh should expect when
762connecting to the server. The default is unset, which means that the
763expected GSSAPI server identity will be determined from the target
764hostname.
751.It Cm GSSAPIDelegateCredentials 765.It Cm GSSAPIDelegateCredentials
752Forward (delegate) credentials to the server. 766Forward (delegate) credentials to the server.
753The default is 767The default is
754.Cm no . 768.Cm no .
769.It Cm GSSAPIRenewalForcesRekey
770If set to
771.Cm yes
772then renewal of the client's GSSAPI credentials will force the rekeying of the
773ssh connection. With a compatible server, this can delegate the renewed
774credentials to a session on the server.
775The default is
776.Cm no .
777.It Cm GSSAPITrustDns
778Set to
779.Cm yes
780to indicate that the DNS is trusted to securely canonicalize
781the name of the host being connected to. If
782.Cm no ,
783the hostname entered on the
784command line will be passed untouched to the GSSAPI library.
785The default is
786.Cm no .
755.It Cm HashKnownHosts 787.It Cm HashKnownHosts
756Indicates that 788Indicates that
757.Xr ssh 1 789.Xr ssh 1
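Review bot: the GSSAPIKeyExchange entry states that "the server need not have a host key" but never says what authenticates the server to the client in that case; since known_hosts verification no longer covers such a connection, the text should spell out that the server is authenticated through the GSSAPI exchange against the identity described under GSSAPIServerIdentity (or derived from the target hostname), so that readers do not assume host-key checking still applies. Related, the GSSAPITrustDns entry should make the consequence of `yes` explicit: the expected server identity is then derived from a DNS-canonicalized name, so the trust placed in DNS becomes part of server authentication, which is why the `no` default is the conservative choice; saying so would help administrators decide. Style: mdoc convention is one sentence per line, so lines such as `Specifies whether key exchange based on GSSAPI may be used. When using` and `connecting to the server. The default is unset, which means that the default` should be split at the sentence boundary, matching the surrounding entries.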