author | djm@openbsd.org <djm@openbsd.org> | 2015-05-22 03:50:02 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-05-22 20:02:17 +1000 |
commit | d7c31da4d42c115843edee2074d7d501f8804420 | |
tree | 9d41af43b92f502fcce33c184064daa712d941cc /sshd_config.5 | |
parent | aa72196a00be6e0b666215edcffbc10af234cb0e | |
upstream commit
add knob to relax GSSAPI host credential check for
multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)
Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 884e767b8..76179adff 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.202 2015/05/21 06:43:31 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.203 2015/05/22 03:50:02 djm Exp $ |
37 | .Dd $Mdocdate: May 21 2015 $ | 37 | .Dd $Mdocdate: May 22 2015 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -622,6 +622,21 @@ on logout. | |||
622 | The default is | 622 | The default is |
623 | .Dq yes . | 623 | .Dq yes . |
624 | Note that this option applies to protocol version 2 only. | 624 | Note that this option applies to protocol version 2 only. |
625 | .It Cm GSSAPIStrictAcceptorCheck | ||
626 | Determines whether to be strict about the identity of the GSSAPI acceptor | ||
627 | a client authenticates against. | ||
628 | If set to | ||
629 | .Dq yes | ||
630 | then the client must authenticate against the | ||
631 | .Pa host | ||
632 | service on the current hostname. | ||
633 | If set to | ||
634 | .Dq no | ||
635 | then the client may authenticate against any service key stored in the | ||
636 | machine's default store. | ||
637 | This facility is provided to assist with operation on multi homed machines. | ||
638 | The default is | ||
639 | .Dq yes . | ||
625 | .It Cm HostbasedAcceptedKeyTypes | 640 | .It Cm HostbasedAcceptedKeyTypes |
626 | Specifies the key types that will be accepted for hostbased authentication | 641 | Specifies the key types that will be accepted for hostbased authentication |
627 | as a comma-separated pattern list. | 642 | as a comma-separated pattern list. |
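Review bot: The "no" branch of the new GSSAPIStrictAcceptorCheck entry (added lines 633-636) says the client "may authenticate against any service key stored in the machine's default store" but does not spell out what that widens: the acceptor is no longer pinned to the host service on the current hostname, so every service key in that store becomes an acceptable target for sshd. Suggest adding a sentence telling administrators who set this to no to make sure the store holds only keys they intend sshd to accept, and to leave the default of yes unless the machine really is multihomed. Two smaller points in the same entry: "multi homed" on added line 637 is spelled "multihomed" in the commit message and should use one spelling, and the preceding entry ends with "Note that this option applies to protocol version 2 only." while the new entry does not say which protocol versions it covers.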