1 files changed, 57 insertions, 0 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 412629637..c3c8b274a 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -754,10 +754,67 @@ The default is
 Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Cm no .
+.It Cm GSSAPIClientIdentity
+If set, specifies the GSSAPI client identity that ssh should use when
+connecting to the server. The default is unset, which means that the default
+identity will be used.
 .It Cm GSSAPIDelegateCredentials
 Forward (delegate) credentials to the server.
 The default is
 .Cm no .
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI may be used. When using
+GSSAPI key exchange the server need not have a host key.
+The default is
+.Dq no .
+.It Cm GSSAPIRenewalForcesRekey
+If set to
+.Dq yes
+then renewal of the client's GSSAPI credentials will force the rekeying of the
+ssh connection. With a compatible server, this will delegate the renewed
+credentials to a session on the server.
+.Pp
+Checks are made to ensure that credentials are only propagated when the new
+credentials match the old ones on the originating client and where the
+receiving server still has the old set in its cache.
+.Pp
+The default is
+.Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
+.It Cm GSSAPIServerIdentity
+If set, specifies the GSSAPI server identity that ssh should expect when
+connecting to the server. The default is unset, which means that the
+expected GSSAPI server identity will be determined from the target
+hostname.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes
+to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no ,
+the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+.It Cm GSSAPIKexAlgorithms
+The list of key exchange algorithms that are offered for GSSAPI
+key exchange. Possible values are
+.Bd -literal -offset 3n
+gss-gex-sha1-,
+gss-group1-sha1-,
+gss-group14-sha1-,
+gss-group14-sha256-,
+gss-group16-sha512-,
+gss-nistp256-sha256-,
+gss-curve25519-sha256-
+.Ed
+.Pp
+The default is
+.Dq gss-gex-sha1-,gss-group14-sha1- .
+This option only applies to protocol version 2 connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1

diff --git a/ssh_config.5 b/ssh_config.5 index 412629637..c3c8b274a 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -754,10 +754,67 @@ The default is
754	Specifies whether user authentication based on GSSAPI is allowed.	754	Specifies whether user authentication based on GSSAPI is allowed.
755	The default is	755	The default is
756	.Cm no .	756	.Cm no .
		757	.It Cm GSSAPIClientIdentity
		758	If set, specifies the GSSAPI client identity that ssh should use when
		759	connecting to the server. The default is unset, which means that the default
		760	identity will be used.
757	.It Cm GSSAPIDelegateCredentials	761	.It Cm GSSAPIDelegateCredentials
758	Forward (delegate) credentials to the server.	762	Forward (delegate) credentials to the server.
759	The default is	763	The default is
760	.Cm no .	764	.Cm no .
		765	.It Cm GSSAPIKeyExchange
		766	Specifies whether key exchange based on GSSAPI may be used. When using
		767	GSSAPI key exchange the server need not have a host key.
		768	The default is
		769	.Dq no .
		770	.It Cm GSSAPIRenewalForcesRekey
		771	If set to
		772	.Dq yes
		773	then renewal of the client's GSSAPI credentials will force the rekeying of the
		774	ssh connection. With a compatible server, this will delegate the renewed
		775	credentials to a session on the server.
		776	.Pp
		777	Checks are made to ensure that credentials are only propagated when the new
		778	credentials match the old ones on the originating client and where the
		779	receiving server still has the old set in its cache.
		780	.Pp
		781	The default is
		782	.Dq no .
		783	.Pp
		784	For this to work
		785	.Cm GSSAPIKeyExchange
		786	needs to be enabled in the server and also used by the client.
		787	.It Cm GSSAPIServerIdentity
		788	If set, specifies the GSSAPI server identity that ssh should expect when
		789	connecting to the server. The default is unset, which means that the
		790	expected GSSAPI server identity will be determined from the target
		791	hostname.
		792	.It Cm GSSAPITrustDns
		793	Set to
		794	.Dq yes
		795	to indicate that the DNS is trusted to securely canonicalize
		796	the name of the host being connected to. If
		797	.Dq no ,
		798	the hostname entered on the
		799	command line will be passed untouched to the GSSAPI library.
		800	The default is
		801	.Dq no .
		802	.It Cm GSSAPIKexAlgorithms
		803	The list of key exchange algorithms that are offered for GSSAPI
		804	key exchange. Possible values are
		805	.Bd -literal -offset 3n
		806	gss-gex-sha1-,
		807	gss-group1-sha1-,
		808	gss-group14-sha1-,
		809	gss-group14-sha256-,
		810	gss-group16-sha512-,
		811	gss-nistp256-sha256-,
		812	gss-curve25519-sha256-
		813	.Ed
		814	.Pp
		815	The default is
		816	.Dq gss-gex-sha1-,gss-group14-sha1- .
		817	This option only applies to protocol version 2 connections using GSSAPI.
761	.It Cm HashKnownHosts	818	.It Cm HashKnownHosts
762	Indicates that	819	Indicates that
763	.Xr ssh 1	820	.Xr ssh 1