1 files changed, 57 insertions, 0 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 6be1f1aa2..bd86d000c 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -779,10 +779,67 @@ The default is
 Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Cm no .
+.It Cm GSSAPIClientIdentity
+If set, specifies the GSSAPI client identity that ssh should use when
+connecting to the server. The default is unset, which means that the default
+identity will be used.
 .It Cm GSSAPIDelegateCredentials
 Forward (delegate) credentials to the server.
 The default is
 .Cm no .
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI may be used. When using
+GSSAPI key exchange the server need not have a host key.
+The default is
+.Dq no .
+.It Cm GSSAPIRenewalForcesRekey
+If set to
+.Dq yes
+then renewal of the client's GSSAPI credentials will force the rekeying of the
+ssh connection. With a compatible server, this will delegate the renewed
+credentials to a session on the server.
+.Pp
+Checks are made to ensure that credentials are only propagated when the new
+credentials match the old ones on the originating client and where the
+receiving server still has the old set in its cache.
+.Pp
+The default is
+.Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
+.It Cm GSSAPIServerIdentity
+If set, specifies the GSSAPI server identity that ssh should expect when
+connecting to the server. The default is unset, which means that the
+expected GSSAPI server identity will be determined from the target
+hostname.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes
+to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no ,
+the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+.It Cm GSSAPIKexAlgorithms
+The list of key exchange algorithms that are offered for GSSAPI
+key exchange. Possible values are
+.Bd -literal -offset 3n
+gss-gex-sha1-,
+gss-group1-sha1-,
+gss-group14-sha1-,
+gss-group14-sha256-,
+gss-group16-sha512-,
+gss-nistp256-sha256-,
+gss-curve25519-sha256-
+.Ed
+.Pp
+The default is
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
+This option only applies to connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1

diff --git a/ssh_config.5 b/ssh_config.5 index 6be1f1aa2..bd86d000c 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -779,10 +779,67 @@ The default is
779	Specifies whether user authentication based on GSSAPI is allowed.	779	Specifies whether user authentication based on GSSAPI is allowed.
780	The default is	780	The default is
781	.Cm no .	781	.Cm no .
		782	.It Cm GSSAPIClientIdentity
		783	If set, specifies the GSSAPI client identity that ssh should use when
		784	connecting to the server. The default is unset, which means that the default
		785	identity will be used.
782	.It Cm GSSAPIDelegateCredentials	786	.It Cm GSSAPIDelegateCredentials
783	Forward (delegate) credentials to the server.	787	Forward (delegate) credentials to the server.
784	The default is	788	The default is
785	.Cm no .	789	.Cm no .
		790	.It Cm GSSAPIKeyExchange
		791	Specifies whether key exchange based on GSSAPI may be used. When using
		792	GSSAPI key exchange the server need not have a host key.
		793	The default is
		794	.Dq no .
		795	.It Cm GSSAPIRenewalForcesRekey
		796	If set to
		797	.Dq yes
		798	then renewal of the client's GSSAPI credentials will force the rekeying of the
		799	ssh connection. With a compatible server, this will delegate the renewed
		800	credentials to a session on the server.
		801	.Pp
		802	Checks are made to ensure that credentials are only propagated when the new
		803	credentials match the old ones on the originating client and where the
		804	receiving server still has the old set in its cache.
		805	.Pp
		806	The default is
		807	.Dq no .
		808	.Pp
		809	For this to work
		810	.Cm GSSAPIKeyExchange
		811	needs to be enabled in the server and also used by the client.
		812	.It Cm GSSAPIServerIdentity
		813	If set, specifies the GSSAPI server identity that ssh should expect when
		814	connecting to the server. The default is unset, which means that the
		815	expected GSSAPI server identity will be determined from the target
		816	hostname.
		817	.It Cm GSSAPITrustDns
		818	Set to
		819	.Dq yes
		820	to indicate that the DNS is trusted to securely canonicalize
		821	the name of the host being connected to. If
		822	.Dq no ,
		823	the hostname entered on the
		824	command line will be passed untouched to the GSSAPI library.
		825	The default is
		826	.Dq no .
		827	.It Cm GSSAPIKexAlgorithms
		828	The list of key exchange algorithms that are offered for GSSAPI
		829	key exchange. Possible values are
		830	.Bd -literal -offset 3n
		831	gss-gex-sha1-,
		832	gss-group1-sha1-,
		833	gss-group14-sha1-,
		834	gss-group14-sha256-,
		835	gss-group16-sha512-,
		836	gss-nistp256-sha256-,
		837	gss-curve25519-sha256-
		838	.Ed
		839	.Pp
		840	The default is
		841	.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
		842	This option only applies to connections using GSSAPI.
786	.It Cm HashKnownHosts	843	.It Cm HashKnownHosts
787	Indicates that	844	Indicates that
788	.Xr ssh 1	845	.Xr ssh 1