1 files changed, 57 insertions, 0 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 02a87892d..f4668673b 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -758,10 +758,67 @@ The default is
 Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Cm no .
+.It Cm GSSAPIClientIdentity
+If set, specifies the GSSAPI client identity that ssh should use when
+connecting to the server. The default is unset, which means that the default
+identity will be used.
 .It Cm GSSAPIDelegateCredentials
 Forward (delegate) credentials to the server.
 The default is
 .Cm no .
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI may be used. When using
+GSSAPI key exchange the server need not have a host key.
+The default is
+.Dq no .
+.It Cm GSSAPIRenewalForcesRekey
+If set to
+.Dq yes
+then renewal of the client's GSSAPI credentials will force the rekeying of the
+ssh connection. With a compatible server, this will delegate the renewed
+credentials to a session on the server.
+.Pp
+Checks are made to ensure that credentials are only propagated when the new
+credentials match the old ones on the originating client and where the
+receiving server still has the old set in its cache.
+.Pp
+The default is
+.Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
+.It Cm GSSAPIServerIdentity
+If set, specifies the GSSAPI server identity that ssh should expect when
+connecting to the server. The default is unset, which means that the
+expected GSSAPI server identity will be determined from the target
+hostname.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes
+to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no ,
+the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+.It Cm GSSAPIKexAlgorithms
+The list of key exchange algorithms that are offered for GSSAPI
+key exchange. Possible values are
+.Bd -literal -offset 3n
+gss-gex-sha1-,
+gss-group1-sha1-,
+gss-group14-sha1-,
+gss-group14-sha256-,
+gss-group16-sha512-,
+gss-nistp256-sha256-,
+gss-curve25519-sha256-
+.Ed
+.Pp
+The default is
+.Dq gss-gex-sha1-,gss-group14-sha1- .
+This option only applies to protocol version 2 connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1

diff --git a/ssh_config.5 b/ssh_config.5 index 02a87892d..f4668673b 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -758,10 +758,67 @@ The default is
758	Specifies whether user authentication based on GSSAPI is allowed.	758	Specifies whether user authentication based on GSSAPI is allowed.
759	The default is	759	The default is
760	.Cm no .	760	.Cm no .
		761	.It Cm GSSAPIClientIdentity
		762	If set, specifies the GSSAPI client identity that ssh should use when
		763	connecting to the server. The default is unset, which means that the default
		764	identity will be used.
761	.It Cm GSSAPIDelegateCredentials	765	.It Cm GSSAPIDelegateCredentials
762	Forward (delegate) credentials to the server.	766	Forward (delegate) credentials to the server.
763	The default is	767	The default is
764	.Cm no .	768	.Cm no .
		769	.It Cm GSSAPIKeyExchange
		770	Specifies whether key exchange based on GSSAPI may be used. When using
		771	GSSAPI key exchange the server need not have a host key.
		772	The default is
		773	.Dq no .
		774	.It Cm GSSAPIRenewalForcesRekey
		775	If set to
		776	.Dq yes
		777	then renewal of the client's GSSAPI credentials will force the rekeying of the
		778	ssh connection. With a compatible server, this will delegate the renewed
		779	credentials to a session on the server.
		780	.Pp
		781	Checks are made to ensure that credentials are only propagated when the new
		782	credentials match the old ones on the originating client and where the
		783	receiving server still has the old set in its cache.
		784	.Pp
		785	The default is
		786	.Dq no .
		787	.Pp
		788	For this to work
		789	.Cm GSSAPIKeyExchange
		790	needs to be enabled in the server and also used by the client.
		791	.It Cm GSSAPIServerIdentity
		792	If set, specifies the GSSAPI server identity that ssh should expect when
		793	connecting to the server. The default is unset, which means that the
		794	expected GSSAPI server identity will be determined from the target
		795	hostname.
		796	.It Cm GSSAPITrustDns
		797	Set to
		798	.Dq yes
		799	to indicate that the DNS is trusted to securely canonicalize
		800	the name of the host being connected to. If
		801	.Dq no ,
		802	the hostname entered on the
		803	command line will be passed untouched to the GSSAPI library.
		804	The default is
		805	.Dq no .
		806	.It Cm GSSAPIKexAlgorithms
		807	The list of key exchange algorithms that are offered for GSSAPI
		808	key exchange. Possible values are
		809	.Bd -literal -offset 3n
		810	gss-gex-sha1-,
		811	gss-group1-sha1-,
		812	gss-group14-sha1-,
		813	gss-group14-sha256-,
		814	gss-group16-sha512-,
		815	gss-nistp256-sha256-,
		816	gss-curve25519-sha256-
		817	.Ed
		818	.Pp
		819	The default is
		820	.Dq gss-gex-sha1-,gss-group14-sha1- .
		821	This option only applies to protocol version 2 connections using GSSAPI.
765	.It Cm HashKnownHosts	822	.It Cm HashKnownHosts
766	Indicates that	823	Indicates that
767	.Xr ssh 1	824	.Xr ssh 1