diff --git a/crypto/dist/ssh/ssh.1 b/crypto/dist/ssh/ssh.1
index ac0c7f18e7b0..a49b710d15a1 100644
--- a/crypto/dist/ssh/ssh.1
+++ b/crypto/dist/ssh/ssh.1
@@ -1,4 +1,4 @@
-.\"	$NetBSD: ssh.1,v 1.31 2005/04/23 16:53:29 christos Exp $
+.\"	$NetBSD: ssh.1,v 1.32 2005/09/18 16:22:35 christos Exp $
 .\"  -*- nroff -*-
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -36,7 +36,7 @@
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" $OpenBSD: ssh.1,v 1.205 2005/03/07 23:41:54 jmc Exp $
-.Dd September 25, 1999
+.Dd September 18, 2005
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -48,7 +48,12 @@
 .Op Fl 1246AaCfgkMNnqsTtVvXxY
 .Op Fl b Ar bind_address
 .Op Fl c Ar cipher_spec
-.Op Fl D Ar port
+.Oo Fl D\ \&
+.Sm off
+.Oo Ar bind_address : Oc
+.Ar port
+.Sm on
+.Oc
 .Op Fl e Ar escape_char
 .Op Fl F Ar configfile
 .Op Fl i Ar identity_file
@@ -489,7 +494,12 @@ The default is
   ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
     aes192-cbc,aes256-cbc''
 .Ed
-.It Fl D Ar port
+.It Fl D Xo
+.Sm off
+.Oo Ar bind_address : Oc
+.Ar port
+.Sm on
+.Xc
 Specifies a local
 .Dq dynamic
 application-level port forwarding.
@@ -504,6 +514,10 @@ Currently the SOCKS4 and SOCKS5 protocols are supported, and
 will act as a SOCKS server.
 Only root can forward privileged ports.
 Dynamic port forwardings can also be specified in the configuration file.
+If 
+.Ar bind_address
+is not specified, then the socket will listen to all interfaces, which
+can have unexpected security implications.
 .It Fl e Ar ch | ^ch | none
 Sets the escape character for sessions with a pty (default:
 .Ql ~ ) .