1 files changed, 23 insertions, 0 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index af1221445..ce9888d03 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -318,12 +318,35 @@ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange 
+doesn't rely on ssh keys to verify host identity.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
 .It Cm GSSAPICleanupCredentials
 Specifies whether to automatically destroy the user's credentials cache
 on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIStrictAcceptorCheck
+Determines whether to be strict about the identity of the GSSAPI acceptor 
+a client authenticates against. If
+.Dq yes
+then the client must authenticate against the
+.Pa host
+service on the current hostname. If 
+.Dq no
+then the client may authenticate against any service key stored in the 
+machine's default store. This facility is provided to assist with operation 
+on multi homed machines. 
+The default is
+.Dq yes .
+Note that this option applies only to protocol version 2 GSSAPI connections,
+and setting it to 
+.Dq no
+may only work with recent Kerberos GSSAPI libraries.
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed

diff --git a/sshd_config.5 b/sshd_config.5 index af1221445..ce9888d03 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -318,12 +318,35 @@ Specifies whether user authentication based on GSSAPI is allowed.
318	The default is	318	The default is
319	.Dq no .	319	.Dq no .
320	Note that this option applies to protocol version 2 only.	320	Note that this option applies to protocol version 2 only.
		321	.It Cm GSSAPIKeyExchange
		322	Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
		323	doesn't rely on ssh keys to verify host identity.
		324	The default is
		325	.Dq no .
		326	Note that this option applies to protocol version 2 only.
321	.It Cm GSSAPICleanupCredentials	327	.It Cm GSSAPICleanupCredentials
322	Specifies whether to automatically destroy the user's credentials cache	328	Specifies whether to automatically destroy the user's credentials cache
323	on logout.	329	on logout.
324	The default is	330	The default is
325	.Dq yes .	331	.Dq yes .
326	Note that this option applies to protocol version 2 only.	332	Note that this option applies to protocol version 2 only.
		333	.It Cm GSSAPIStrictAcceptorCheck
		334	Determines whether to be strict about the identity of the GSSAPI acceptor
		335	a client authenticates against. If
		336	.Dq yes
		337	then the client must authenticate against the
		338	.Pa host
		339	service on the current hostname. If
		340	.Dq no
		341	then the client may authenticate against any service key stored in the
		342	machine's default store. This facility is provided to assist with operation
		343	on multi homed machines.
		344	The default is
		345	.Dq yes .
		346	Note that this option applies only to protocol version 2 GSSAPI connections,
		347	and setting it to
		348	.Dq no
		349	may only work with recent Kerberos GSSAPI libraries.
327	.It Cm HostbasedAuthentication	350	.It Cm HostbasedAuthentication
328	Specifies whether rhosts or /etc/hosts.equiv authentication together	351	Specifies whether rhosts or /etc/hosts.equiv authentication together
329	with successful public key client host authentication is allowed	352	with successful public key client host authentication is allowed