summaryrefslogtreecommitdiff
path: root/ssh_config.5
diff options
context:
space:
mode:
authorSimon Wilkinson <simon@sxw.org.uk>2014-02-09 16:09:48 +0000
committerColin Watson <cjwatson@debian.org>2014-02-10 02:40:08 +0000
commitcd404114ded78fc51d5d9cbd458d55c9b2f67daa (patch)
treedf7a424d9301b69af906b50d550bfce6e6e2c5f3 /ssh_config.5
parent9a975a9faed7c4f334e8c8490db3e77e102f2b21 (diff)
GSSAPI key exchange support
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2014-02-10 Patch-Name: gssapi.patch
Diffstat (limited to 'ssh_config.5')
-rw-r--r--ssh_config.534
1 files changed, 33 insertions, 1 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 3cadcd767..49505ae9c 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -676,11 +676,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
676The default is 676The default is
677.Dq no . 677.Dq no .
678Note that this option applies to protocol version 2 only. 678Note that this option applies to protocol version 2 only.
679.It Cm GSSAPIKeyExchange
680Specifies whether key exchange based on GSSAPI may be used. When using
681GSSAPI key exchange the server need not have a host key.
682The default is
683.Dq no .
684Note that this option applies to protocol version 2 only.
685.It Cm GSSAPIClientIdentity
686If set, specifies the GSSAPI client identity that ssh should use when
687connecting to the server. The default is unset, which means that the default
688identity will be used.
689.It Cm GSSAPIServerIdentity
690If set, specifies the GSSAPI server identity that ssh should expect when
691connecting to the server. The default is unset, which means that the
692expected GSSAPI server identity will be determined from the target
693hostname.
679.It Cm GSSAPIDelegateCredentials 694.It Cm GSSAPIDelegateCredentials
680Forward (delegate) credentials to the server. 695Forward (delegate) credentials to the server.
681The default is 696The default is
682.Dq no . 697.Dq no .
683Note that this option applies to protocol version 2 only. 698Note that this option applies to protocol version 2 connections using GSSAPI.
699.It Cm GSSAPIRenewalForcesRekey
700If set to
701.Dq yes
702then renewal of the client's GSSAPI credentials will force the rekeying of the
703ssh connection. With a compatible server, this can delegate the renewed
704credentials to a session on the server.
705The default is
706.Dq no .
707.It Cm GSSAPITrustDns
708Set to
709.Dq yes to indicate that the DNS is trusted to securely canonicalize
710the name of the host being connected to. If
711.Dq no, the hostname entered on the
712command line will be passed untouched to the GSSAPI library.
713The default is
714.Dq no .
715This option only applies to protocol version 2 connections using GSSAPI.
684.It Cm HashKnownHosts 716.It Cm HashKnownHosts
685Indicates that 717Indicates that
686.Xr ssh 1 718.Xr ssh 1