options->gss_authentication=-1;
options->gss_keyex = -1;
options->gss_cleanup_creds = -1;
+ options->gsi_allow_limited_proxy = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_keyex = 1;
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
+ if (options->gsi_allow_limited_proxy == -1)
+ options->gsi_allow_limited_proxy = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
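Review bot: The added default `options->gsi_allow_limited_proxy = 0;` is the only deny-by-default value in this run of options (the neighbouring `gss_keyex`, `gss_cleanup_creds` and `password_authentication` all default to 1), and nothing in the code marks that as deliberate. A one-line comment above the new `if`, such as `/* default deny: limited proxy credentials are refused unless the admin opts in */`, would keep a later cleanup from aligning it with its neighbours. The enclosing function starts and ends outside the hunk.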
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sGssAuthentication, sGssKeyEx, sGssCleanupCreds,
sAcceptEnv, sPermitTunnel,
+ sGsiAllowLimitedProxy,
sUsePrivilegeSeparation,
sDeprecated, sUnsupported
} ServerOpCodes;
{ "gssapiauthentication", sGssAuthentication },
{ "gssapikeyexchange", sGssKeyEx },
{ "gssapicleanupcredentials", sGssCleanupCreds },
+#ifdef GSI
+ { "gsiallowlimitedproxy", sGsiAllowLimitedProxy },
+#endif
#else
{ "gssapiauthentication", sUnsupported },
{ "gssapikeyexchange", sUnsupported },
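Review bot: The keyword `gsiallowlimitedproxy` is registered only under `#ifdef GSI`, while the `#else` arm visible here maps the sibling GSSAPI keywords to `sUnsupported` and gains no matching entry. If the rest of the table agrees (the `#else` arm continues outside the hunk), an sshd_config that sets `GSIAllowLimitedProxy no` would be handled as an unknown keyword on a build without GSI rather than reported as unsupported, which makes a shared hardened config harder to deploy. Consider adding `{ "gsiallowlimitedproxy", sUnsupported },` to the non-GSI and non-GSSAPI arms, as is done for the other GSSAPI keywords.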
intptr = &options->gss_cleanup_creds;
goto parse_flag;
+ case sGsiAllowLimitedProxy:
+ intptr = &options->gsi_allow_limited_proxy;
+ goto parse_flag;
+
#ifdef SESSION_HOOKS
case sAllowSessionHooks:
intptr = &options->session_hooks_allow;
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_keyex; /* If true, permit GSSAPI key exchange */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
+ int gsi_allow_limited_proxy; /* If true, accept limited proxies */
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
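Review bot: The comment on `gsi_allow_limited_proxy` does not say what a true value permits, and none of the lines visible on this page read the field, so the check that enforces it cannot be reviewed here. I would state the contract at the declaration, for example `/* If true, accept GSI limited proxy credentials for authentication; -1 = unset, default 0 */`. The consumer should presumably test `== 1` rather than non-zero, so that an unfilled -1 is never treated as allow. The struct declaration begins and ends outside the hunk.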
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm GSIAllowLimitedProxy
+Specifies whether to accept limited proxy credentials for
+authentication.
+The default is
+.Dq no .
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed