upstream: clarify conditions for UpdateHostkeys

OpenBSD-Commit-ID: 9cba714cf6aeed769f998ccbe8c483077a618e27
2024-11-27 05:46:36 +08:00 · 2020-10-08 00:31:05 +00:00 · 2020-10-08 00:31:05 +00:00 · 3205eaa3f8
commit 3205eaa3f8
parent e8dfca9bfe
1 changed files with 9 additions and 3 deletions
--- a/ssh_config.5
+++ b/ssh_config.5
@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.335 2020/10/07 02:18:45 djm Exp $
-.Dd $Mdocdate: October 7 2020 $
+.\" $OpenBSD: ssh_config.5,v 1.336 2020/10/08 00:31:05 djm Exp $
+.Dd $Mdocdate: October 8 2020 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@ -1717,8 +1717,14 @@ or
 This option allows learning alternate hostkeys for a server
 and supports graceful key rotation by allowing a server to send replacement
 public keys before old ones are removed.
+.Pp
 Additional hostkeys are only accepted if the key used to authenticate the
-host was already trusted or explicitly accepted by the user.
+host was already trusted or explicitly accepted by the user, the host was
+authenticated via
+.Cm UserKnownHostsFile
+(i.e. not
+.Cm GlobalKnownHostsFile )
+and the host was authenticated using a plain key and not a certificate.
 .Pp
 .Cm UpdateHostKeys
 is enabled by default if the user has not overridden the default