author djm@openbsd.org <djm@openbsd.org> 2020-10-08 00:31:05 +0000
committer Damien Miller <djm@mindrot.org> 2020-10-08 12:28:06 +1100
commit 3205eaa3f8883a34fa4559ddef6c90d1067c5cce
tree f00771f63b9140736f5184100930e8114a27c59b /ssh_config.5
parent e8dfca9bfeff05de87160407fb3e6a5717fa3dcb
upstream: clarify conditions for UpdateHostkeys
OpenBSD-Commit-ID: 9cba714cf6aeed769f998ccbe8c483077a618e27
Diffstat (limited to 'ssh_config.5')
-rw-r--r-- ssh_config.5 12
1 files changed, 9 insertions, 3 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 2f1886a1..8e427765 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.335 2020/10/07 02:18:45 djm Exp $
-.Dd $Mdocdate: October 7 2020 $
+.\" $OpenBSD: ssh_config.5,v 1.336 2020/10/08 00:31:05 djm Exp $
+.Dd $Mdocdate: October 8 2020 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -1717,8 +1717,14 @@ or
This option allows learning alternate hostkeys for a server
and supports graceful key rotation by allowing a server to send replacement
public keys before old ones are removed.
+.Pp
Additional hostkeys are only accepted if the key used to authenticate the
-host was already trusted or explicitly accepted by the user.
+host was already trusted or explicitly accepted by the user, the host was
+authenticated via
+.Cm UserKnownHostsFile
+(i.e. not
+.Cm GlobalKnownHostsFile )
+and the host was authenticated using a plain key and not a certificate.
.Pp
.Cm UpdateHostKeys
is enabled by default if the user has not overridden the default
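Review bot: The reworded condition in this hunk mixes "or" and "and" in a single sentence ("already trusted or explicitly accepted by the user, the host was authenticated via ... and the host was authenticated using a plain key"), so it is not obvious at a glance that these are presumably three conditions that must all hold. Consider wording it as "only accepted if all of the following are true" followed by a list, or at least putting an explicit "and" before the UserKnownHostsFile clause. It would also help to state the practical consequence directly: a host matched only through GlobalKnownHostsFile, or authenticated with a certificate, will not have additional hostkeys learned even when UpdateHostKeys is enabled, which is what someone debugging a key rotation will be looking for.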