diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5

--- openssh-7.1p1/ssh_config.5.gss-docs	2015-12-10 15:28:47.451966457 +0100

+++ openssh-7.1p1/ssh_config.5	2015-12-10 15:30:28.070738047 +0100

@@ -773,15 +773,26 @@ Note that this option applies to protoco

 If set to 

 .Dq yes

 then renewal of the client's GSSAPI credentials will force the rekeying of the

-ssh connection. With a compatible server, this can delegate the renewed 

+ssh connection. With a compatible server, this will delegate the renewed 

 credentials to a session on the server.

+.Pp

+Checks are made to ensure that credentials are only propagated when the new

+credentials match the old ones on the originating client and where the

+receiving server still has the old set in its cache.

+.Pp

 The default is

 .Dq no .

+.Pp

+For this to work

+.Cm GSSAPIKeyExchange

+needs to be enabled in the server and also used by the client.

 .It Cm GSSAPITrustDns

 Set to 

-.Dq yes to indicate that the DNS is trusted to securely canonicalize

+.Dq yes

+to indicate that the DNS is trusted to securely canonicalize

 the name of the host being connected to. If 

-.Dq no, the hostname entered on the

+.Dq no ,

+the hostname entered on the

 command line will be passed untouched to the GSSAPI library.

 The default is

 .Dq no .

diff -up openssh-7.1p1/sshd_config.5.gss-docs openssh-7.1p1/sshd_config.5

--- openssh-7.1p1/sshd_config.5.gss-docs	2015-12-10 15:28:47.453966452 +0100

+++ openssh-7.1p1/sshd_config.5	2015-12-10 15:28:47.461966434 +0100

@@ -653,6 +653,10 @@ Controls whether the user's GSSAPI crede

 successful connection rekeying. This option can be used to accepted renewed 

 or updated credentials from a compatible client. The default is

 .Dq no .

+.Pp

+For this to work

+.Cm GSSAPIKeyExchange

+needs to be enabled in the server and also used by the client.

 .It Cm HostbasedAcceptedKeyTypes

 Specifies the key types that will be accepted for hostbased authentication

 as a comma-separated pattern list.