bmh10 / rpms / openssh

Forked from rpms/openssh 2 days ago
Clone

Blame SOURCES/openssh-7.1p1-gssapi-documentation.patch

f5835d
diff -up openssh-7.4p1/ssh_config.5.gss-docs openssh-7.4p1/ssh_config.5
f5835d
--- openssh-7.4p1/ssh_config.5.gss-docs	2016-12-23 14:28:34.051714486 +0100
f5835d
+++ openssh-7.4p1/ssh_config.5	2016-12-23 14:34:24.568522417 +0100
f5835d
@@ -765,10 +765,19 @@ The default is
f5835d
 If set to 
f5835d
 .Dq yes
f5835d
 then renewal of the client's GSSAPI credentials will force the rekeying of the
f5835d
-ssh connection. With a compatible server, this can delegate the renewed 
f5835d
+ssh connection. With a compatible server, this will delegate the renewed 
f5835d
 credentials to a session on the server.
f5835d
+.Pp
f5835d
+Checks are made to ensure that credentials are only propagated when the new
f5835d
+credentials match the old ones on the originating client and where the
f5835d
+receiving server still has the old set in its cache.
f5835d
+.Pp
f5835d
 The default is
f5835d
 .Dq no .
f5835d
+.Pp
f5835d
+For this to work
f5835d
+.Cm GSSAPIKeyExchange
f5835d
+needs to be enabled in the server and also used by the client.
f5835d
 .It Cm GSSAPIServerIdentity
f5835d
 If set, specifies the GSSAPI server identity that ssh should expect when 
f5835d
 connecting to the server. The default is unset, which means that the
f5835d
@@ -776,9 +785,11 @@ expected GSSAPI server identity will be
f5835d
 hostname.
f5835d
 .It Cm GSSAPITrustDns
f5835d
 Set to 
f5835d
-.Dq yes to indicate that the DNS is trusted to securely canonicalize
f5835d
+.Dq yes
f5835d
+to indicate that the DNS is trusted to securely canonicalize
f5835d
 the name of the host being connected to. If 
f5835d
-.Dq no, the hostname entered on the
f5835d
+.Dq no ,
f5835d
+the hostname entered on the
f5835d
 command line will be passed untouched to the GSSAPI library.
f5835d
 The default is
f5835d
 .Dq no .
f5835d
diff -up openssh-7.4p1/sshd_config.5.gss-docs openssh-7.4p1/sshd_config.5
f5835d
--- openssh-7.4p1/sshd_config.5.gss-docs	2016-12-23 14:28:34.043714490 +0100
f5835d
+++ openssh-7.4p1/sshd_config.5	2016-12-23 14:28:34.051714486 +0100
f5835d
@@ -652,6 +652,10 @@ Controls whether the user's GSSAPI crede
f5835d
 successful connection rekeying. This option can be used to accepted renewed 
f5835d
 or updated credentials from a compatible client. The default is
f5835d
 .Dq no .
f5835d
+.Pp
f5835d
+For this to work
f5835d
+.Cm GSSAPIKeyExchange
f5835d
+needs to be enabled in the server and also used by the client.
f5835d
 .It Cm HostbasedAcceptedKeyTypes
f5835d
 Specifies the key types that will be accepted for hostbased authentication
f5835d
 as a list of comma-separated patterns.