d9d9575f00
from Debian patches: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655
48 lines
1.9 KiB
Diff
48 lines
1.9 KiB
Diff
diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5
|
|
--- openssh-7.1p1/ssh_config.5.gss-docs 2015-12-10 15:28:47.451966457 +0100
|
|
+++ openssh-7.1p1/ssh_config.5 2015-12-10 15:30:28.070738047 +0100
|
|
@@ -773,15 +773,26 @@ Note that this option applies to protoco
|
|
If set to
|
|
.Dq yes
|
|
then renewal of the client's GSSAPI credentials will force the rekeying of the
|
|
-ssh connection. With a compatible server, this can delegate the renewed
|
|
+ssh connection. With a compatible server, this will delegate the renewed
|
|
credentials to a session on the server.
|
|
+.Pp
|
|
+Checks are made to ensure that credentials are only propagated when the new
|
|
+credentials match the old ones on the originating client and where the
|
|
+receiving server still has the old set in its cache.
|
|
+.Pp
|
|
The default is
|
|
.Dq no .
|
|
+.Pp
|
|
+For this to work
|
|
+.Cm GSSAPIKeyExchange
|
|
+needs to be enabled in the server and also used by the client.
|
|
.It Cm GSSAPITrustDns
|
|
Set to
|
|
-.Dq yes to indicate that the DNS is trusted to securely canonicalize
|
|
+.Dq yes
|
|
+to indicate that the DNS is trusted to securely canonicalize
|
|
the name of the host being connected to. If
|
|
-.Dq no, the hostname entered on the
|
|
+.Dq no ,
|
|
+the hostname entered on the
|
|
command line will be passed untouched to the GSSAPI library.
|
|
The default is
|
|
.Dq no .
|
|
diff -up openssh-7.1p1/sshd_config.5.gss-docs openssh-7.1p1/sshd_config.5
|
|
--- openssh-7.1p1/sshd_config.5.gss-docs 2015-12-10 15:28:47.453966452 +0100
|
|
+++ openssh-7.1p1/sshd_config.5 2015-12-10 15:28:47.461966434 +0100
|
|
@@ -653,6 +653,10 @@ Controls whether the user's GSSAPI crede
|
|
successful connection rekeying. This option can be used to accepted renewed
|
|
or updated credentials from a compatible client. The default is
|
|
.Dq no .
|
|
+.Pp
|
|
+For this to work
|
|
+.Cm GSSAPIKeyExchange
|
|
+needs to be enabled in the server and also used by the client.
|
|
.It Cm HostbasedAcceptedKeyTypes
|
|
Specifies the key types that will be accepted for hostbased authentication
|
|
as a comma-separated pattern list.
|