===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.231
retrieving revision 1.232
diff -u -r1.231 -r1.232
--- src/usr.bin/ssh/sshd_config.5	2016/09/07 18:39:24	1.231
+++ src/usr.bin/ssh/sshd_config.5	2016/09/14 05:42:25	1.232
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.231 2016/09/07 18:39:24 jmc Exp $
-.Dd $Mdocdate: September 7 2016 $
+.\" $OpenBSD: sshd_config.5,v 1.232 2016/09/14 05:42:25 djm Exp $
+.Dd $Mdocdate: September 14 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -304,9 +304,18 @@
 Arguments to
 .Cm AuthorizedPrincipalsCommand
 may be provided using the following tokens, which will be expanded
-at runtime: %% is replaced by a literal '%', %u is replaced by the
-username being authenticated and %h is replaced by the home directory
-of the user being authenticated.
+at runtime:
+%% is replaced by a literal '%',
+%u is replaced by the username being authenticated,
+%h is replaced by the home directory of the user being authenticated,
+%t is replaced with type of the certificate being offered,
+%T with the type of the CA key,
+%f is replaced with certificate fingerprint,
+%F with the fingerprint of the CA key,
+%k is replaced with the full base-64 encoded certificate and
+%K is replaced with the base-64 encoded CA key.
+If no arguments are specified then the username of the target user
+will be supplied.
 .Pp
 The program should produce on standard output zero or
 more lines of