===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.312
retrieving revision 1.313
diff -u -r1.312 -r1.313
--- src/usr.bin/ssh/sshd_config.5	2020/05/29 05:37:03	1.312
+++ src/usr.bin/ssh/sshd_config.5	2020/08/27 01:07:10	1.313
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.312 2020/05/29 05:37:03 djm Exp $
-.Dd $Mdocdate: May 29 2020 $
+.\" $OpenBSD: sshd_config.5,v 1.313 2020/08/27 01:07:10 djm Exp $
+.Dd $Mdocdate: August 27 2020 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1478,11 +1478,12 @@
 .Qq ssh -Q PubkeyAcceptedKeyTypes .
 .It Cm PubkeyAuthOptions
 Sets one or more public key authentication options.
-Two option keywords are currently supported:
+The supported keywords are:
 .Cm none
-(the default; indicating no additional options are enabled)
+(the default; indicating no additional options are enabled),
+.Cm touch-required
 and
-.Cm touch-required .
+.Cm verify-required .
 .Pp
 The
 .Cm touch-required
@@ -1499,7 +1500,17 @@
 The
 .Cm touch-required
 flag disables this override.
-This option has no effect for other, non-authenticator public key types.
+.Pp
+The
+.Cm verify-required
+option requires a FIDO key signature attest that verified the user, e.g.
+via a PIN.
+.Pp
+Neither the
+.Cm touch-required
+or
+.Cm verify-required
+options have any effect for other, non-FIDO public key types.
 .It Cm PubkeyAuthentication
 Specifies whether public key authentication is allowed.
 The default is