1 files changed, 23 insertions, 0 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 7255b1c22..e58b7cfc7 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -374,12 +374,35 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange 
+doesn't rely on ssh keys to verify host identity.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
 .It Cm GSSAPICleanupCredentials
 Specifies whether to automatically destroy the user's credentials cache
 on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIStrictAcceptorCheck
+Determines whether to be strict about the identity of the GSSAPI acceptor 
+a client authenticates against. If
+.Dq yes
+then the client must authenticate against the
+.Pa host
+service on the current hostname. If 
+.Dq no
+then the client may authenticate against any service key stored in the 
+machine's default store. This facility is provided to assist with operation 
+on multi homed machines. 
+The default is
+.Dq yes .
+Note that this option applies only to protocol version 2 GSSAPI connections,
+and setting it to 
+.Dq no
+may only work with recent Kerberos GSSAPI libraries.
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed

diff --git a/sshd_config.5 b/sshd_config.5 index 7255b1c22..e58b7cfc7 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -374,12 +374,35 @@ Specifies whether user authentication based on GSSAPI is allowed.
374	The default is	374	The default is
375	.Dq no .	375	.Dq no .
376	Note that this option applies to protocol version 2 only.	376	Note that this option applies to protocol version 2 only.
		377	.It Cm GSSAPIKeyExchange
		378	Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
		379	doesn't rely on ssh keys to verify host identity.
		380	The default is
		381	.Dq no .
		382	Note that this option applies to protocol version 2 only.
377	.It Cm GSSAPICleanupCredentials	383	.It Cm GSSAPICleanupCredentials
378	Specifies whether to automatically destroy the user's credentials cache	384	Specifies whether to automatically destroy the user's credentials cache
379	on logout.	385	on logout.
380	The default is	386	The default is
381	.Dq yes .	387	.Dq yes .
382	Note that this option applies to protocol version 2 only.	388	Note that this option applies to protocol version 2 only.
		389	.It Cm GSSAPIStrictAcceptorCheck
		390	Determines whether to be strict about the identity of the GSSAPI acceptor
		391	a client authenticates against. If
		392	.Dq yes
		393	then the client must authenticate against the
		394	.Pa host
		395	service on the current hostname. If
		396	.Dq no
		397	then the client may authenticate against any service key stored in the
		398	machine's default store. This facility is provided to assist with operation
		399	on multi homed machines.
		400	The default is
		401	.Dq yes .
		402	Note that this option applies only to protocol version 2 GSSAPI connections,
		403	and setting it to
		404	.Dq no
		405	may only work with recent Kerberos GSSAPI libraries.
383	.It Cm HostbasedAuthentication	406	.It Cm HostbasedAuthentication
384	Specifies whether rhosts or /etc/hosts.equiv authentication together	407	Specifies whether rhosts or /etc/hosts.equiv authentication together
385	with successful public key client host authentication is allowed	408	with successful public key client host authentication is allowed