diff --git a/doc/man-plink.but b/doc/man-plink.but
index 33386227..89dadb09 100644
--- a/doc/man-plink.but
+++ b/doc/man-plink.but
@@ -203,6 +203,15 @@ which of the agent's keys to use. }
 \dd Allow use of an authentication agent. (This option is only necessary
 to override a setting in a saved session.)
 
+\dt \cw{\-no\-trivial\-auth}
+
+\dd Disconnect from any SSH server which accepts authentication without
+ever having asked for any kind of password or signature or token. (You
+might want to enable this for a server you always expect to challenge
+you, for instance to ensure ensure you don't accidentally type your key
+file's passphrase into a compromised server spoofing Plink's passphrase
+prompt.)
+
 \dt \cw{\-noshare}
 
 \dd Don't test and try to share an existing connection, always make
diff --git a/doc/man-pscp.but b/doc/man-pscp.but
index b62e8cc2..8011483d 100644
--- a/doc/man-pscp.but
+++ b/doc/man-pscp.but
@@ -155,6 +155,15 @@ which of the agent's keys to use. }
 \dd Allow use of an authentication agent. (This option is only necessary
 to override a setting in a saved session.)
 
+\dt \cw{\-no\-trivial\-auth}
+
+\dd Disconnect from any SSH server which accepts authentication without
+ever having asked for any kind of password or signature or token. (You
+might want to enable this for a server you always expect to challenge
+you, for instance to ensure ensure you don't accidentally type your key
+file's passphrase into a compromised server spoofing PSCP's passphrase
+prompt.)
+
 \dt \cw{\-hostkey} \e{key}
 
 \dd Specify an acceptable host public key. This option may be specified
diff --git a/doc/man-psftp.but b/doc/man-psftp.but
index 19f820e3..0c47aa0e 100644
--- a/doc/man-psftp.but
+++ b/doc/man-psftp.but
@@ -143,6 +143,15 @@ which of the agent's keys to use. }
 \dd Allow use of an authentication agent. (This option is only necessary
 to override a setting in a saved session.)
 
+\dt \cw{\-no\-trivial\-auth}
+
+\dd Disconnect from any SSH server which accepts authentication without
+ever having asked for any kind of password or signature or token. (You
+might want to enable this for a server you always expect to challenge
+you, for instance to ensure ensure you don't accidentally type your key
+file's passphrase into a compromised server spoofing PSFTP's passphrase
+prompt.)
+
 \dt \cw{\-hostkey} \e{key}
 
 \dd Specify an acceptable host public key. This option may be specified
diff --git a/doc/man-putty.but b/doc/man-putty.but
index a1656d6c..3214a180 100644
--- a/doc/man-putty.but
+++ b/doc/man-putty.but
@@ -287,6 +287,15 @@ which of the agent's keys to use. }
 \dd Allow use of an authentication agent. (This option is only necessary
 to override a setting in a saved session.)
 
+\dt \cw{\-no\-trivial\-auth}
+
+\dd Disconnect from any SSH server which accepts authentication without
+ever having asked for any kind of password or signature or token. (You
+might want to enable this for a server you always expect to challenge
+you, for instance to ensure ensure you don't accidentally type your key
+file's passphrase into a compromised server spoofing PuTTY's passphrase
+prompt.)
+
 \dt \cw{\-hostkey} \e{key}
 
 \dd Specify an acceptable host public key. This option may be specified
diff --git a/doc/plink.but b/doc/plink.but
index fcfb5f68..361b59c2 100644
--- a/doc/plink.but
+++ b/doc/plink.but
@@ -77,6 +77,8 @@ use Plink:
 \c   -i key    private key file for user authentication
 \c   -noagent  disable use of Pageant
 \c   -agent    enable use of Pageant
+\c   -no-trivial-auth
+\c             disconnect if SSH authentication succeeds trivially
 \c   -noshare  disable use of connection sharing
 \c   -share    enable use of connection sharing
 \c   -hostkey keyid
diff --git a/doc/pscp.but b/doc/pscp.but
index 9d8daccd..2ee35ced 100644
--- a/doc/pscp.but
+++ b/doc/pscp.but
@@ -62,6 +62,8 @@ use PSCP:
 \c   -i key    private key file for user authentication
 \c   -noagent  disable use of Pageant
 \c   -agent    enable use of Pageant
+\c   -no-trivial-auth
+\c             disconnect if SSH authentication succeeds trivially
 \c   -hostkey keyid
 \c             manually specify a host key (may be repeated)
 \c   -batch    disable all interactive prompts
diff --git a/doc/using.but b/doc/using.but
index b583dc8c..02a67808 100644
--- a/doc/using.but
+++ b/doc/using.but
@@ -1014,6 +1014,15 @@ This option is equivalent to the \q{Private key file for
 authentication} box in the Auth panel of the PuTTY configuration box
 (see \k{config-ssh-privkey}).
 
+\S2{using-cmdline-no-trivial-auth} \i\c{-no-trivial-auth}: disconnect
+if SSH authentication succeeds trivially
+
+This option causes PuTTY to abandon an SSH session if the server
+accepts authentication without ever having asked for any kind of
+password or signature or token.
+
+See \k{config-ssh-notrivialauth} for why you might want this.
+
 \S2{using-cmdline-loghost} \i\c{-loghost}: specify a \i{logical host
 name}