=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshd_config.5,v retrieving revision 1.292 retrieving revision 1.293 diff -u -r1.292 -r1.293 --- src/usr.bin/ssh/sshd_config.5 2019/11/18 04:55:02 1.292 +++ src/usr.bin/ssh/sshd_config.5 2019/11/25 00:52:46 1.293 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.292 2019/11/18 04:55:02 djm Exp $ -.Dd $Mdocdate: November 18 2019 $ +.\" $OpenBSD: sshd_config.5,v 1.293 2019/11/25 00:52:46 djm Exp $ +.Dd $Mdocdate: November 25 2019 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1446,6 +1446,29 @@ .Pp The list of available key types may also be obtained using .Qq ssh -Q key . +.It Cm PubkeyAuthOptions +Sets one or more public key authentication options. +Two option keywords are currently supported: +.Cm none (the default; indicating no additional options are enabled) +and +.Cm touch-required . +.Pp +The +.Cm touch-required +option causes public key authentication using a security key algorithm +(i.e. +.Cm ecdsa-sk +or +.Cm ed25519-sk ) +to always require the signature to attest that a physically present user +explicitly confirmed the authentication (usually by touching the security key). +By default, +.Xr sshd 8 +requires key touch unless overridden with an authorized_keys option. +The +.Cm touch-required +flag disables this override. +This option has no effect for other, non-security key public key types. .It Cm PubkeyAuthentication Specifies whether public key authentication is allowed. The default is
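Review bot: In the PubkeyAuthOptions hunk, the sentence "requires key touch unless overridden with an authorized_keys option" neither names that option nor says where it is documented, so an administrator auditing authorized_keys files cannot tell from this page which entry relaxes the default. Name the option there or add a cross-reference beside the existing `.Xr sshd 8`. The opening sentence says "one or more" options, but the text gives no separator and does not say how `none` behaves when listed with `touch-required`, so the list syntax should be stated. On the line `.Cm none (the default; indicating no additional options are enabled)` as shown, the parenthetical is passed to `.Cm` as arguments and would be set in the keyword style. Moving it to its own text line keeps only `none` marked up.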