X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/76d45d2f37f58d1a9703830d75ce8b56feae38c6..c7931c9aedd8e12fdd0df715dcefce0e0c95be6a:/openssh/sshd_config.5 diff --git a/openssh/sshd_config.5 b/openssh/sshd_config.5 index a3357d4..0602495 100644 --- a/openssh/sshd_config.5 +++ b/openssh/sshd_config.5 @@ -372,13 +372,17 @@ The default is .It Cm GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. The default is -.Dq no . +.Dq yes . Note that this option applies to protocol version 2 only. +.It Cm GSSAPIDelegateCredentials +Specifies whether delegated credentials are stored in the user's environment. +The default is +.Dq yes . .It Cm GSSAPIKeyExchange -Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange doesn't rely on ssh keys to verify host identity. The default is -.Dq no . +.Dq yes . Note that this option applies to protocol version 2 only. .It Cm GSSAPICleanupCredentials Specifies whether to automatically destroy the user's credentials cache 
@@ -386,6 +390,22 @@ on logout. The default is .Dq yes . Note that this option applies to protocol version 2 only. +.It Cm GSSAPICredentialsPath +If specified, the delegated GSSAPI credential is stored in the +given path, overwriting any existing credentials. +Paths can be specified with syntax similar to the AuthorizedKeysFile +option (i.e., accepting %h and %u tokens). +When using this option, +setting 'GssapiCleanupCredentials no' is recommended, +so logging out of one session +doesn't remove the credentials in use by another session of +the same user. +Currently only implemented for the GSI mechanism. +.It Cm GSIAllowLimitedProxy +Specifies whether to accept limited proxy credentials for +authentication. +The default is +.Dq no . .It Cm GSSAPIStrictAcceptorCheck Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. If @@ -951,6 +971,12 @@ is enabled, you will not be able to run as a non-root user. The default is .Dq no . +.It Cm PermitPAMUserChange +If set to +.Dq yes +this will enable PAM authentication to change the name of the user being +authenticated. The default is +.Dq no . .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8
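Review bot: In the first hunk (@@ -372,13 +372,17 @@), the new GSSAPIDelegateCredentials entry defaults to "yes" but does not say what "stored in the user's environment" means in practice: whether this is a credentials cache on disk, who owns it, and whether GSSAPICleanupCredentials removes it on logout. Please spell that out. The entry also lacks the "Note that this option applies to protocol version 2 only." sentence that the neighbouring GSSAPI entries carry. The same hunk flips the documented defaults of GSSAPIAuthentication and GSSAPIKeyExchange from "no" to "yes"; since the text says GSSAPI key exchange "doesn't rely on ssh keys to verify host identity", a sentence stating that this is now on by default, and how to turn it off, would help administrators reading the page. The removed and re-added "Specifies whether key exchange based on GSSAPI is allowed." line looks like a whitespace-only change and could be dropped from the patch.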
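Review bot: In the second hunk (@@ -386,6 +390,22 @@), the GSSAPICredentialsPath text recommends 'GssapiCleanupCredentials no' without stating the consequence, namely that the delegated credential is then not destroyed at logout and stays at the configured path. Say so explicitly, and document the ownership and permissions the file is written with, given that the path is built from %h and %u and the write is described as "overwriting any existing credentials". The option name in that sentence is spelled GssapiCleanupCredentials while the entry itself is ".It Cm GSSAPICleanupCredentials"; use the same spelling, with the .Cm and .Dq macros rather than plain quotes. "Currently only implemented for the GSI mechanism" should also say what happens when the option is set and another mechanism is used. For GSIAllowLimitedProxy, the page never defines "limited proxy credentials"; add a sentence or a cross-reference.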
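Review bot: In the third hunk (@@ -951,6 +971,12 @@), the PermitPAMUserChange entry says PAM may "change the name of the user being authenticated" but does not describe what that means for access control: the session can end up running as an account other than the one the client requested. The text should state which user name the user-based restrictions in this file (for example AllowUsers and DenyUsers) are checked against when the option is "yes", the requested one or the one PAM returns, and which name is logged. A short note on when enabling this is appropriate would also help, since the default is "no". Minor: "If set to .Dq yes this will enable" reads better with a comma after the quoted value.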