===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-agent.1,v
retrieving revision 1.75
retrieving revision 1.76
diff -u -r1.75 -r1.76
--- src/usr.bin/ssh/ssh-agent.1	2022/10/07 06:00:58	1.75
+++ src/usr.bin/ssh/ssh-agent.1	2023/07/19 13:56:33	1.76
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.75 2022/10/07 06:00:58 jmc Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.76 2023/07/19 13:56:33 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 7 2022 $
+.Dd $Mdocdate: July 19 2023 $
 .Dt SSH-AGENT 1
 .Os
 .Sh NAME
@@ -107,9 +107,27 @@
 .It Fl O Ar option
 Specify an option when starting
 .Nm .
-Currently only one option is supported:
+Currently two options are supported:
+.Cm allow-remote-pkcs11
+and
 .Cm no-restrict-websafe .
-This instructs
+.Pp
+The
+.Cm allow-remote-pkcs11
+option allows clients of a forwarded
+.Nm
+to load PKCS#11 or FIDO provider libraries.
+By default only local clients may perform this operation.
+Note that signalling that a
+.Nm
+client remote is performed by
+.Xr ssh 1 ,
+and use of other tools to forward access to the agent socket may circumvent
+this restriction.
+.Pp
+The
+.Cm no-restrict-websafe ,
+instructs
 .Nm
 to permit signatures using FIDO keys that might be web authentication
 requests.