SSHClient: fix the host key test (2.2) #1059
Skip the host key check only if the transport actually used gssapi-keyex. Add tests for the missing-host-key RejectPolicy. Before this change, a man-in-the-middle attack on the paramiko ssh client with gss_kex=True was possible by having a server that does not support gssapi-keyex and gives any or no host key.
Set the flag gss_kex_used only after a gssapi-keyex has been successfully completed. This change prevents a wrong value in case of exceptions during the gssapi-keyex handshake.
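A simplified model of the decision this PR changes, added here as an illustration and not taken from paramiko's code or from the PR. `ModelTransport`, `connect_before`, `connect_after`, `outcome` and the sample keys are hypothetical; only the `gss_kex` option and the `gss_kex_used` flag are named on the page.

```python
# Simplified model of the host key decision; every name is hypothetical
# and the keys are constructed sample values, not paramiko's code.
class HandshakeError(Exception):
    pass

class HostKeyRejected(Exception):
    pass

class ModelTransport:
    def __init__(self, server_supports_gss, host_key):
        self.server_supports_gss = server_supports_gss
        self.host_key = host_key      # None models "no host key"
        self.gss_kex_used = False

    def run_kex(self, want_gss, gss_fails=False):
        if want_gss and self.server_supports_gss:
            if gss_fails:
                raise HandshakeError("gssapi-keyex aborted")
            # Set only after the exchange has completed successfully.
            self.gss_kex_used = True
        # Otherwise an ordinary key exchange ran and the server
        # presented self.host_key (possibly an unknown one).

def verify_host_key(transport, known_hosts, hostname):
    # RejectPolicy-style check: a missing or unknown key is refused.
    expected = known_hosts.get(hostname)
    if transport.host_key is None or transport.host_key != expected:
        raise HostKeyRejected(hostname)

def connect_before(transport, known_hosts, hostname, gss_kex):
    transport.run_kex(gss_kex)
    if not gss_kex:                   # trusts what the caller asked for
        verify_host_key(transport, known_hosts, hostname)
    return "connected"

def connect_after(transport, known_hosts, hostname, gss_kex):
    transport.run_kex(gss_kex)
    if not transport.gss_kex_used:    # trusts what was negotiated
        verify_host_key(transport, known_hosts, hostname)
    return "connected"

KNOWN = {"host.example": "KEY-A"}     # constructed known_hosts entry

def outcome(connect, server_supports_gss, host_key):
    t = ModelTransport(server_supports_gss, host_key)
    try:
        return connect(t, KNOWN, "host.example", gss_kex=True)
    except HostKeyRejected:
        return "rejected"
```

With `gss_kex=True` and a server that does not offer gssapi-keyex, `connect_before` accepts an unknown or missing host key, while `connect_after` falls back to the normal host key check and rejects it.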
We did have a lot of changes across 2.0->2.2 and yeah, there were merge conflicts. When I used these PRs and then merged-up from the previous branches, the conflicts were gone (besides my own introduced in the changelog.) Thanks!
I grabbed the pre-2.0 ones too since it wasn't that much more work, though I'm still increasingly less likely to bother with those going forwards :(