GSSAPI Key Exchange documentation improvements

from Debian patches:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655

openssh-7.0p1-gssKexAlgorithms.patch

@@ -363,13 +363,12 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskexalg openssh-7.0p1/sshconnect2.c
  		if (gss) {
  			debug("Offering GSSAPI proposal: %s", gss);
  			xasprintf(&options.kex_algorithms,
-diff -up openssh-7.0p1/sshd_config.5.gsskexalg openssh-7.0p1/sshd_config.5
+--- openssh-7.1p1/sshd_config.5.gsskexalg	2015-12-10 15:32:48.105418092 +0100
---- openssh-7.0p1/sshd_config.5.gsskexalg	2015-08-19 12:28:38.082518830 +0200
++++ openssh-7.1p1/sshd_config.5	2015-12-10 15:33:47.771279548 +0100
-+++ openssh-7.0p1/sshd_config.5	2015-08-19 12:36:25.121471501 +0200
+@@ -663,6 +663,18 @@ or updated credentials from a compatible
-@@ -659,6 +659,18 @@ Controls whether the user's GSSAPI crede
+ For this to work
- successful connection rekeying. This option can be used to accepted renewed 
+ .Cm GSSAPIKeyExchange
- or updated credentials from a compatible client. The default is
+ needs to be enabled in the server and also used by the client.
- .Dq no .
 +.It Cm GSSAPIKexAlgorithms
 +The list of key exchange algorithms that are accepted by GSSAPI
 +key exchange. Possible values are

openssh-7.1p1-gssapi-documentation.patch

@@ -0,0 +1,47 @@
+diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5
+--- openssh-7.1p1/ssh_config.5.gss-docs	2015-12-10 15:28:47.451966457 +0100
++++ openssh-7.1p1/ssh_config.5	2015-12-10 15:30:28.070738047 +0100
+@@ -773,15 +773,26 @@ Note that this option applies to protoco
+ If set to 
+ .Dq yes
+ then renewal of the client's GSSAPI credentials will force the rekeying of the
+-ssh connection. With a compatible server, this can delegate the renewed 
++ssh connection. With a compatible server, this will delegate the renewed 
+ credentials to a session on the server.
++.Pp
++Checks are made to ensure that credentials are only propagated when the new
++credentials match the old ones on the originating client and where the
++receiving server still has the old set in its cache.
++.Pp
+ The default is
+ .Dq no .
++.Pp
++For this to work
++.Cm GSSAPIKeyExchange
++needs to be enabled in the server and also used by the client.
+ .It Cm GSSAPITrustDns
+ Set to 
+-.Dq yes to indicate that the DNS is trusted to securely canonicalize
++.Dq yes
++to indicate that the DNS is trusted to securely canonicalize
+ the name of the host being connected to. If 
+-.Dq no, the hostname entered on the
++.Dq no ,
++the hostname entered on the
+ command line will be passed untouched to the GSSAPI library.
+ The default is
+ .Dq no .
+diff -up openssh-7.1p1/sshd_config.5.gss-docs openssh-7.1p1/sshd_config.5
+--- openssh-7.1p1/sshd_config.5.gss-docs	2015-12-10 15:28:47.453966452 +0100
++++ openssh-7.1p1/sshd_config.5	2015-12-10 15:28:47.461966434 +0100
+@@ -653,6 +653,10 @@ Controls whether the user's GSSAPI crede
+ successful connection rekeying. This option can be used to accepted renewed 
+ or updated credentials from a compatible client. The default is
+ .Dq no .
++.Pp
++For this to work
++.Cm GSSAPIKeyExchange
++needs to be enabled in the server and also used by the client.
+ .It Cm HostbasedAcceptedKeyTypes
+ Specifies the key types that will be accepted for hostbased authentication
+ as a comma-separated pattern list.

openssh.spec

@@ -176,6 +176,10 @@ Patch801: openssh-6.6p1-force_krb.patch
 # add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
 # CVE-2014-9278
 Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch
+# Documentation about GSSAPI
+# from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655
+Patch803: openssh-7.1p1-gssapi-documentation.patch
+
 Patch900: openssh-6.1p1-gssapi-canohost.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
 Patch901: openssh-6.6p1-kuserok.patch
@@ -443,6 +447,7 @@ popd
 # 
 %patch800 -p1 -b .gsskex
 %patch801 -p1 -b .force_krb
+%patch803 -p1 -b .gss-docs
 # 
 %patch900 -p1 -b .canohost
 %patch901 -p1 -b .kuserok