1 files changed, 30 insertions, 0 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 70ccea449..f6b41a2f8 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -646,6 +646,11 @@ Specifies whether to automatically destroy the user's credentials cache
 on logout.
 The default is
 .Cm yes .
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
+doesn't rely on ssh keys to verify host identity.
+The default is
+.Cm no .
 .It Cm GSSAPIStrictAcceptorCheck
 Determines whether to be strict about the identity of the GSSAPI acceptor
 a client authenticates against.
@@ -660,6 +665,31 @@ machine's default store.
 This facility is provided to assist with operation on multi homed machines.
 The default is
 .Cm yes .
+.It Cm GSSAPIStoreCredentialsOnRekey
+Controls whether the user's GSSAPI credentials should be updated following a
+successful connection rekeying. This option can be used to accepted renewed
+or updated credentials from a compatible client. The default is
+.Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
+.It Cm GSSAPIKexAlgorithms
+The list of key exchange algorithms that are accepted by GSSAPI
+key exchange. Possible values are
+.Bd -literal -offset 3n
+gss-gex-sha1-,
+gss-group1-sha1-,
+gss-group14-sha1-,
+gss-group14-sha256-,
+gss-group16-sha512-,
+gss-nistp256-sha256-,
+gss-curve25519-sha256-
+.Ed
+.Pp
+The default is
+.Dq gss-gex-sha1-,gss-group14-sha1- .
+This option only applies to protocol version 2 connections using GSSAPI.
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a list of comma-separated patterns.

diff --git a/sshd_config.5 b/sshd_config.5 index 70ccea449..f6b41a2f8 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -646,6 +646,11 @@ Specifies whether to automatically destroy the user's credentials cache
646	on logout.	646	on logout.
647	The default is	647	The default is
648	.Cm yes .	648	.Cm yes .
		649	.It Cm GSSAPIKeyExchange
		650	Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
		651	doesn't rely on ssh keys to verify host identity.
		652	The default is
		653	.Cm no .
649	.It Cm GSSAPIStrictAcceptorCheck	654	.It Cm GSSAPIStrictAcceptorCheck
650	Determines whether to be strict about the identity of the GSSAPI acceptor	655	Determines whether to be strict about the identity of the GSSAPI acceptor
651	a client authenticates against.	656	a client authenticates against.
@@ -660,6 +665,31 @@ machine's default store.
660	This facility is provided to assist with operation on multi homed machines.	665	This facility is provided to assist with operation on multi homed machines.
661	The default is	666	The default is
662	.Cm yes .	667	.Cm yes .
		668	.It Cm GSSAPIStoreCredentialsOnRekey
		669	Controls whether the user's GSSAPI credentials should be updated following a
		670	successful connection rekeying. This option can be used to accepted renewed
		671	or updated credentials from a compatible client. The default is
		672	.Dq no .
		673	.Pp
		674	For this to work
		675	.Cm GSSAPIKeyExchange
		676	needs to be enabled in the server and also used by the client.
		677	.It Cm GSSAPIKexAlgorithms
		678	The list of key exchange algorithms that are accepted by GSSAPI
		679	key exchange. Possible values are
		680	.Bd -literal -offset 3n
		681	gss-gex-sha1-,
		682	gss-group1-sha1-,
		683	gss-group14-sha1-,
		684	gss-group14-sha256-,
		685	gss-group16-sha512-,
		686	gss-nistp256-sha256-,
		687	gss-curve25519-sha256-
		688	.Ed
		689	.Pp
		690	The default is
		691	.Dq gss-gex-sha1-,gss-group14-sha1- .
		692	This option only applies to protocol version 2 connections using GSSAPI.
663	.It Cm HostbasedAcceptedKeyTypes	693	.It Cm HostbasedAcceptedKeyTypes
664	Specifies the key types that will be accepted for hostbased authentication	694	Specifies the key types that will be accepted for hostbased authentication
665	as a list of comma-separated patterns.	695	as a list of comma-separated patterns.