vishalmishra434 / rpms / openssh

Forked from rpms/openssh a month ago
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/ssh_config.5.gss-docs openssh-7.4p1/ssh_config.5
Jakub Jelen 6cf9b8
--- openssh-7.4p1/ssh_config.5.gss-docs	2016-12-23 14:28:34.051714486 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/ssh_config.5	2016-12-23 14:34:24.568522417 +0100
Jakub Jelen 6cf9b8
@@ -765,10 +765,19 @@ The default is
Jakub Jelen d9d957
 If set to 
Jakub Jelen d9d957
 .Dq yes
Jakub Jelen d9d957
 then renewal of the client's GSSAPI credentials will force the rekeying of the
Jakub Jelen d9d957
-ssh connection. With a compatible server, this can delegate the renewed 
Jakub Jelen d9d957
+ssh connection. With a compatible server, this will delegate the renewed 
Jakub Jelen d9d957
 credentials to a session on the server.
Jakub Jelen d9d957
+.Pp
Jakub Jelen d9d957
+Checks are made to ensure that credentials are only propagated when the new
Jakub Jelen d9d957
+credentials match the old ones on the originating client and where the
Jakub Jelen d9d957
+receiving server still has the old set in its cache.
Jakub Jelen d9d957
+.Pp
Jakub Jelen d9d957
 The default is
Jakub Jelen d9d957
 .Dq no .
Jakub Jelen d9d957
+.Pp
Jakub Jelen d9d957
+For this to work
Jakub Jelen d9d957
+.Cm GSSAPIKeyExchange
Jakub Jelen d9d957
+needs to be enabled in the server and also used by the client.
Jakub Jelen 6cf9b8
 .It Cm GSSAPIServerIdentity
Jakub Jelen 6cf9b8
 If set, specifies the GSSAPI server identity that ssh should expect when 
Jakub Jelen 6cf9b8
 connecting to the server. The default is unset, which means that the
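Review bot: In the first changed line, "this will delegate the renewed credentials" now reads as unconditional, yet the paragraph added directly after it says credentials are only propagated when the new credentials match the old ones on the originating client and the server still has the old set in its cache. Either keep "can" or tie the two statements together, for example "this will delegate the renewed credentials to a session on the server, subject to the checks described below". The replacement line also carries over the trailing space after "renewed", and the closing "For this to work" paragraph would be clearer if it said what "this" is (delegation of the renewed credentials on rekey) rather than leaving it to the reader after the intervening "The default is" line.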
Jakub Jelen 6cf9b8
@@ -776,9 +785,11 @@ expected GSSAPI server identity will be
Jakub Jelen 6cf9b8
 hostname.
Jakub Jelen d9d957
 .It Cm GSSAPITrustDns
Jakub Jelen d9d957
 Set to 
Jakub Jelen d9d957
-.Dq yes to indicate that the DNS is trusted to securely canonicalize
Jakub Jelen d9d957
+.Dq yes
Jakub Jelen d9d957
+to indicate that the DNS is trusted to securely canonicalize
Jakub Jelen d9d957
 the name of the host being connected to. If 
Jakub Jelen d9d957
-.Dq no, the hostname entered on the
Jakub Jelen d9d957
+.Dq no ,
Jakub Jelen d9d957
+the hostname entered on the
Jakub Jelen d9d957
 command line will be passed untouched to the GSSAPI library.
Jakub Jelen d9d957
 The default is
Jakub Jelen d9d957
 .Dq no .
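Review bot: Documentation gap in the GSSAPITrustDns entry: the text explains what "no" does (the hostname entered on the command line is passed untouched to the GSSAPI library) but never says what "yes" does with the name, only that DNS "is trusted to securely canonicalize" it. Since the hunk already rewrites these lines to fix the ".Dq yes" and ".Dq no ," macro arguments, add one sentence stating that with "yes" the DNS-canonicalized name is what gets passed to the GSSAPI library, so the reader can judge whether their DNS deserves that trust. The macro fixes themselves look correct; the unchanged "Set to " and "If " lines still end in trailing spaces and could be cleaned up in the same pass.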
Jakub Jelen 6cf9b8
diff -up openssh-7.4p1/sshd_config.5.gss-docs openssh-7.4p1/sshd_config.5
Jakub Jelen 6cf9b8
--- openssh-7.4p1/sshd_config.5.gss-docs	2016-12-23 14:28:34.043714490 +0100
Jakub Jelen 6cf9b8
+++ openssh-7.4p1/sshd_config.5	2016-12-23 14:28:34.051714486 +0100
Jakub Jelen 6cf9b8
@@ -652,6 +652,10 @@ Controls whether the user's GSSAPI crede
Jakub Jelen d9d957
 successful connection rekeying. This option can be used to accepted renewed 
Jakub Jelen d9d957
 or updated credentials from a compatible client. The default is
Jakub Jelen d9d957
 .Dq no .
Jakub Jelen d9d957
+.Pp
Jakub Jelen d9d957
+For this to work
Jakub Jelen d9d957
+.Cm GSSAPIKeyExchange
Jakub Jelen d9d957
+needs to be enabled in the server and also used by the client.
Jakub Jelen d9d957
 .It Cm HostbasedAcceptedKeyTypes
Jakub Jelen d9d957
 Specifies the key types that will be accepted for hostbased authentication
Jakub Jelen bbf61d
 as a list of comma-separated patterns.
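Review bot: The context line just above the addition still reads "This option can be used to accepted renewed or updated credentials"; since this hunk extends the same paragraph, fix "accepted" to "accept" here as well. The added sentence is a verbatim copy of the one in ssh_config.5, and in the server manual "needs to be enabled in the server" would read better as a direct instruction about this file, for example "GSSAPIKeyExchange must also be enabled in this configuration, and the client must use it". As in the client page, say what "this" refers to instead of "For this to work".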