===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshd.8,v
retrieving revision 1.255
retrieving revision 1.256
diff -u -r1.255 -r1.256
--- src/usr.bin/ssh/sshd.8	2010/03/05 06:50:35	1.255
+++ src/usr.bin/ssh/sshd.8	2010/05/07 11:30:30	1.256
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.255 2010/03/05 06:50:35 jmc Exp $
-.Dd $Mdocdate: March 5 2010 $
+.\" $OpenBSD: sshd.8,v 1.256 2010/05/07 11:30:30 djm Exp $
+.Dd $Mdocdate: May 7 2010 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -575,6 +575,17 @@
 options may be applied separated by commas.
 No pattern matching is performed on the specified hostnames,
 they must be literal domains or addresses.
+.It Cm principals="principals"
+On a
+.Cm cert-authority
+line, specifies allowed principals for certificate authentication as a
+comma-separated list.
+At least one name from the list must appear in the certificate's
+list of principals for the certificate to be accepted.
+This option is ignored for keys that are not marked as trusted certificate
+signers using the
+.Cm cert-authority
+option.
 .It Cm tunnel="n"
 Force a
 .Xr tun 4