1--- sshd_config.5.orig	2026-04-25 16:05:26.905238000 -0700
2+++ sshd_config.5	2026-04-25 16:16:59.050604000 -0700
3@@ -789,7 +789,9 @@ This was formerly named HostbasedAcceptedKeyTypes.
4 .Qq ssh -Q HostbasedAcceptedAlgorithms .
5 This was formerly named HostbasedAcceptedKeyTypes.
6 .It Cm HostbasedAuthentication
7-Specifies whether rhosts or /etc/hosts.equiv authentication together
8+Specifies whether rhosts or
9+.Pa /etc/hosts.equiv
10+authentication together
11 with successful public key client host authentication is allowed
12 (host-based authentication).
13 The default is
14@@ -1489,7 +1491,7 @@ The default is
15 or
16 .Cm no .
17 The default is
18-.Cm prohibit-password .
19+.Cm no .
20 .Pp
21 If this option is set to
22 .Cm prohibit-password
23@@ -1535,6 +1537,15 @@ The default is
24 .Cm ethernet .
25 The default is
26 .Cm no .
27+Note that if
28+.Cm ChallengeResponseAuthentication
29+is
30+.Cm yes ,
31+the root user may be allowed in with its password even if
32+.Cm PermitRootLogin is set to
33+.Cm prohibit-password
34+or
35+.Cm without-password .
36 .Pp
37 Independent of this setting, the permissions of the selected
38 .Xr tun 4
39@@ -2062,12 +2073,19 @@ The default is
40 .Xr sshd 8
41 as a non-root user.
42 The default is
43+.Cm yes ,
44+unless
45+.Nm sshd
46+was built without PAM support, in which case the default is
47 .Cm no .
48 .It Cm VersionAddendum
49 Optionally specifies additional text to append to the SSH protocol banner
50 sent by the server upon connection.
51 The default is
52-.Cm none .
53+.Cm %%SSH_VERSION_FREEBSD_PORT%% .
54+The value
55+.Cm none
56+may be used to disable this.
57 .It Cm X11DisplayOffset
58 Specifies the first display number available for
59 .Xr sshd 8 Ns 's
60