1 files changed, 57 insertions, 0 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index dc010ccbd..e2a2359f9 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -766,10 +766,67 @@ The default is
 Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Cm no .
+.It Cm GSSAPIClientIdentity
+If set, specifies the GSSAPI client identity that ssh should use when
+connecting to the server. The default is unset, which means that the default
+identity will be used.
 .It Cm GSSAPIDelegateCredentials
 Forward (delegate) credentials to the server.
 The default is
 .Cm no .
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI may be used. When using
+GSSAPI key exchange the server need not have a host key.
+The default is
+.Dq no .
+.It Cm GSSAPIRenewalForcesRekey
+If set to
+.Dq yes
+then renewal of the client's GSSAPI credentials will force the rekeying of the
+ssh connection. With a compatible server, this will delegate the renewed
+credentials to a session on the server.
+.Pp
+Checks are made to ensure that credentials are only propagated when the new
+credentials match the old ones on the originating client and where the
+receiving server still has the old set in its cache.
+.Pp
+The default is
+.Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
+.It Cm GSSAPIServerIdentity
+If set, specifies the GSSAPI server identity that ssh should expect when
+connecting to the server. The default is unset, which means that the
+expected GSSAPI server identity will be determined from the target
+hostname.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes
+to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no ,
+the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+.It Cm GSSAPIKexAlgorithms
+The list of key exchange algorithms that are offered for GSSAPI
+key exchange. Possible values are
+.Bd -literal -offset 3n
+gss-gex-sha1-,
+gss-group1-sha1-,
+gss-group14-sha1-,
+gss-group14-sha256-,
+gss-group16-sha512-,
+gss-nistp256-sha256-,
+gss-curve25519-sha256-
+.Ed
+.Pp
+The default is
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
+This option only applies to connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1

diff --git a/ssh_config.5 b/ssh_config.5 index dc010ccbd..e2a2359f9 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -766,10 +766,67 @@ The default is
766	Specifies whether user authentication based on GSSAPI is allowed.	766	Specifies whether user authentication based on GSSAPI is allowed.
767	The default is	767	The default is
768	.Cm no .	768	.Cm no .
		769	.It Cm GSSAPIClientIdentity
		770	If set, specifies the GSSAPI client identity that ssh should use when
		771	connecting to the server. The default is unset, which means that the default
		772	identity will be used.
769	.It Cm GSSAPIDelegateCredentials	773	.It Cm GSSAPIDelegateCredentials
770	Forward (delegate) credentials to the server.	774	Forward (delegate) credentials to the server.
771	The default is	775	The default is
772	.Cm no .	776	.Cm no .
		777	.It Cm GSSAPIKeyExchange
		778	Specifies whether key exchange based on GSSAPI may be used. When using
		779	GSSAPI key exchange the server need not have a host key.
		780	The default is
		781	.Dq no .
		782	.It Cm GSSAPIRenewalForcesRekey
		783	If set to
		784	.Dq yes
		785	then renewal of the client's GSSAPI credentials will force the rekeying of the
		786	ssh connection. With a compatible server, this will delegate the renewed
		787	credentials to a session on the server.
		788	.Pp
		789	Checks are made to ensure that credentials are only propagated when the new
		790	credentials match the old ones on the originating client and where the
		791	receiving server still has the old set in its cache.
		792	.Pp
		793	The default is
		794	.Dq no .
		795	.Pp
		796	For this to work
		797	.Cm GSSAPIKeyExchange
		798	needs to be enabled in the server and also used by the client.
		799	.It Cm GSSAPIServerIdentity
		800	If set, specifies the GSSAPI server identity that ssh should expect when
		801	connecting to the server. The default is unset, which means that the
		802	expected GSSAPI server identity will be determined from the target
		803	hostname.
		804	.It Cm GSSAPITrustDns
		805	Set to
		806	.Dq yes
		807	to indicate that the DNS is trusted to securely canonicalize
		808	the name of the host being connected to. If
		809	.Dq no ,
		810	the hostname entered on the
		811	command line will be passed untouched to the GSSAPI library.
		812	The default is
		813	.Dq no .
		814	.It Cm GSSAPIKexAlgorithms
		815	The list of key exchange algorithms that are offered for GSSAPI
		816	key exchange. Possible values are
		817	.Bd -literal -offset 3n
		818	gss-gex-sha1-,
		819	gss-group1-sha1-,
		820	gss-group14-sha1-,
		821	gss-group14-sha256-,
		822	gss-group16-sha512-,
		823	gss-nistp256-sha256-,
		824	gss-curve25519-sha256-
		825	.Ed
		826	.Pp
		827	The default is
		828	.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
		829	This option only applies to connections using GSSAPI.
773	.It Cm HashKnownHosts	830	.It Cm HashKnownHosts
774	Indicates that	831	Indicates that
775	.Xr ssh 1	832	.Xr ssh 1