-rw-r--r-- | usr.bin/ssh/ssh_config.5 | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5 index d1c2935d88f..11babb42455 100644 --- a/usr.bin/ssh/ssh_config.5 +++ b/usr.bin/ssh/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.335 2020/10/07 02:18:45 djm Exp $ -.Dd $Mdocdate: October 7 2020 $ +.\" $OpenBSD: ssh_config.5,v 1.336 2020/10/08 00:31:05 djm Exp $ +.Dd $Mdocdate: October 8 2020 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1718,8 +1718,14 @@ or This option allows learning alternate hostkeys for a server and supports graceful key rotation by allowing a server to send replacement public keys before old ones are removed. +.Pp Additional hostkeys are only accepted if the key used to authenticate the -host was already trusted or explicitly accepted by the user. +host was already trusted or explicitly accepted by the user, the host was +authenticated via +.Cm UserKnownHostsFile +(i.e. not +.Cm GlobalKnownHostsFile ) +and the host was authenticated using a plain key and not a certificate. .Pp .Cm UpdateHostKeys is enabled by default if the user has not overridden the default |
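Review bot: In the second hunk (@@ -1718,8 +1718,14 @@), the rewritten sentence now carries three separate conditions joined by commas and one trailing "and", with two .Cm macros and the "(i.e. not GlobalKnownHostsFile )" parenthetical in the middle, so it is hard to see where each condition ends. Consider one sentence or list item per condition: key already trusted or explicitly accepted by the user, host matched via UserKnownHostsFile rather than GlobalKnownHostsFile, and plain key rather than certificate. The added text also does not say what the client does with the offered keys when one of these conditions fails while UpdateHostKeys is enabled. A short sentence stating that would help someone working out why replacement keys are not being learned for a host that is listed only in GlobalKnownHostsFile or that authenticates with a certificate.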