upstream commit

add knob to relax GSSAPI host credential check for multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker (kerberos/GSSAPI is not compiled by default on OpenBSD) Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
author: djm@openbsd.org <djm@openbsd.org> 2015-05-22 03:50:02 +0000
committer: Damien Miller <djm@mindrot.org> 2015-05-22 20:02:17 +1000
commit: d7c31da4d42c115843edee2074d7d501f8804420 (patch)
tree: 9d41af43b92f502fcce33c184064daa712d941cc /sshd_config.5
parent: aa72196a00be6e0b666215edcffbc10af234cb0e (diff)
1 files changed, 17 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 884e767b8..76179adff 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.202 2015/05/21 06:43:31 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.203 2015/05/22 03:50:02 djm Exp $
-.Dd $Mdocdate: May 21 2015 $
+.Dd $Mdocdate: May 22 2015 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -622,6 +622,21 @@ on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIStrictAcceptorCheck
+Determines whether to be strict about the identity of the GSSAPI acceptor
+a client authenticates against.
+If set to
+.Dq yes
+then the client must authenticate against the
+.Pa host
+service on the current hostname.
+If set to
+.Dq no
+then the client may authenticate against any service key stored in the
+machine's default store.
+This facility is provided to assist with operation on multi homed machines.
+The default is
+.Dq yes .
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a comma-separated pattern list.
author	djm@openbsd.org <djm@openbsd.org>	2015-05-22 03:50:02 +0000
committer	Damien Miller <djm@mindrot.org>	2015-05-22 20:02:17 +1000
commit	d7c31da4d42c115843edee2074d7d501f8804420 (patch)
tree	9d41af43b92f502fcce33c184064daa712d941cc /sshd_config.5
parent	aa72196a00be6e0b666215edcffbc10af234cb0e (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 884e767b8..76179adff 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.202 2015/05/21 06:43:31 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.203 2015/05/22 03:50:02 djm Exp $
37	.Dd $Mdocdate: May 21 2015 $	37	.Dd $Mdocdate: May 22 2015 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -622,6 +622,21 @@ on logout.
622	The default is	622	The default is
623	.Dq yes .	623	.Dq yes .
624	Note that this option applies to protocol version 2 only.	624	Note that this option applies to protocol version 2 only.
		625	.It Cm GSSAPIStrictAcceptorCheck
		626	Determines whether to be strict about the identity of the GSSAPI acceptor
		627	a client authenticates against.
		628	If set to
		629	.Dq yes
		630	then the client must authenticate against the
		631	.Pa host
		632	service on the current hostname.
		633	If set to
		634	.Dq no
		635	then the client may authenticate against any service key stored in the
		636	machine's default store.
		637	This facility is provided to assist with operation on multi homed machines.
		638	The default is
		639	.Dq yes .
625	.It Cm HostbasedAcceptedKeyTypes	640	.It Cm HostbasedAcceptedKeyTypes
626	Specifies the key types that will be accepted for hostbased authentication	641	Specifies the key types that will be accepted for hostbased authentication
627	as a comma-separated pattern list.	642	as a comma-separated pattern list.