diff -up openssh-7.4p1/ssh_config.5.gss-docs openssh-7.4p1/ssh_config.5
--- openssh-7.4p1/ssh_config.5.gss-docs	2016-12-23 14:28:34.051714486 +0100
+++ openssh-7.4p1/ssh_config.5	2016-12-23 14:34:24.568522417 +0100
@@ -765,10 +765,19 @@ The default is
 If set to 
 .Dq yes
 then renewal of the client's GSSAPI credentials will force the rekeying of the
-ssh connection. With a compatible server, this can delegate the renewed 
+ssh connection. With a compatible server, this will delegate the renewed 
 credentials to a session on the server.
+.Pp
+Checks are made to ensure that credentials are only propagated when the new
+credentials match the old ones on the originating client and where the
+receiving server still has the old set in its cache.
+.Pp
 The default is
 .Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
 .It Cm GSSAPIServerIdentity
 If set, specifies the GSSAPI server identity that ssh should expect when 
 connecting to the server. The default is unset, which means that the
@@ -776,9 +785,11 @@ expected GSSAPI server identity will be
 hostname.
 .It Cm GSSAPITrustDns
 Set to 
-.Dq yes to indicate that the DNS is trusted to securely canonicalize
+.Dq yes
+to indicate that the DNS is trusted to securely canonicalize
 the name of the host being connected to. If 
-.Dq no, the hostname entered on the
+.Dq no ,
+the hostname entered on the
 command line will be passed untouched to the GSSAPI library.
 The default is
 .Dq no .
diff -up openssh-7.4p1/sshd_config.5.gss-docs openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.gss-docs	2016-12-23 14:28:34.043714490 +0100
+++ openssh-7.4p1/sshd_config.5	2016-12-23 14:28:34.051714486 +0100
@@ -652,6 +652,10 @@ Controls whether the user's GSSAPI crede
 successful connection rekeying. This option can be used to accepted renewed 
 or updated credentials from a compatible client. The default is
 .Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a list of comma-separated patterns.