http://bugs.gentoo.org/165444
https://bugzilla.mindrot.org/show_bug.cgi?id=1008

Index: readconf.c
===================================================================
RCS file: /cvs/openssh/readconf.c,v
retrieving revision 1.135
diff -u -r1.135 readconf.c
--- readconf.c	5 Aug 2006 02:39:40 -0000	1.135
+++ readconf.c	19 Aug 2006 11:59:52 -0000
@@ -126,6 +126,7 @@
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+	oGssTrustDns, 
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
@@ -163,9 +164,11 @@
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+	{ "gssapitrustdns", oGssTrustDns },
 #else
 	{ "gssapiauthentication", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
+	{ "gssapitrustdns", oUnsupported },
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
@@ -444,6 +447,10 @@
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 
+	case oGssTrustDns:
+		intptr = &options->gss_trust_dns;
+		goto parse_flag;
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -1010,6 +1017,7 @@
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
 	options->gss_deleg_creds = -1;
+	options->gss_trust_dns = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
@@ -1100,6 +1108,8 @@
 		options->gss_authentication = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
+	if (options->gss_trust_dns == -1)
+		options->gss_trust_dns = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
Index: readconf.h
===================================================================
RCS file: /cvs/openssh/readconf.h,v
retrieving revision 1.63
diff -u -r1.63 readconf.h
--- readconf.h	5 Aug 2006 02:39:40 -0000	1.63
+++ readconf.h	19 Aug 2006 11:59:52 -0000
@@ -45,6 +45,7 @@
 					/* Try S/Key or TIS, authentication. */
 	int     gss_authentication;	/* Try GSS authentication */
 	int     gss_deleg_creds;	/* Delegate GSS credentials */
+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
 	int     password_authentication;	/* Try password
 						 * authentication. */
 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
Index: ssh_config.5
===================================================================
RCS file: /cvs/openssh/ssh_config.5,v
retrieving revision 1.97
diff -u -r1.97 ssh_config.5
--- ssh_config.5	5 Aug 2006 01:34:51 -0000	1.97
+++ ssh_config.5	19 Aug 2006 11:59:53 -0000
@@ -483,7 +483,16 @@
 Forward (delegate) credentials to the server.
 The default is
 .Dq no .
-Note that this option applies to protocol version 2 only.
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to 
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If 
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
Index: sshconnect2.c
===================================================================
RCS file: /cvs/openssh/sshconnect2.c,v
retrieving revision 1.151
diff -u -r1.151 sshconnect2.c
--- sshconnect2.c	18 Aug 2006 14:33:34 -0000	1.151
+++ sshconnect2.c	19 Aug 2006 11:59:53 -0000
@@ -499,6 +499,12 @@
 	static u_int mech = 0;
 	OM_uint32 min;
 	int ok = 0;
+	const char *gss_host;
+
+	if (options.gss_trust_dns)
+		gss_host = get_canonical_hostname(1);
+	else
+		gss_host = authctxt->host;
 
 	/* Try one GSSAPI method at a time, rather than sending them all at
 	 * once. */
@@ -511,7 +517,7 @@
 		/* My DER encoding requires length<128 */
 		if (gss_supported->elements[mech].length < 128 &&
 		    ssh_gssapi_check_mechanism(&gssctxt, 
-		    &gss_supported->elements[mech], authctxt->host)) {
+		    &gss_supported->elements[mech], gss_host)) {
 			ok = 1; /* Mechanism works */
 		} else {
 			mech++;