--- sshd_config.5.orig	2017-03-19 19:39:27.000000000 -0700
+++ sshd_config.5	2017-03-20 11:48:37.553620000 -0700
@@ -373,7 +373,9 @@ By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
 PAM or through authentication styles supported in
-.Xr login.conf 5 )
+.Xr login.conf 5 ) .
+See also
+.Cm UsePAM .
 The default is
 .Cm yes .
 .It Cm ChrootDirectory
@@ -671,7 +673,9 @@ ssh-ed25519,ssh-rsa
 The list of available key types may also be obtained using
 .Qq ssh -Q key .
 .It Cm HostbasedAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
+Specifies whether rhosts or
+.Pa /etc/hosts.equiv
+authentication together
 with successful public key client host authentication is allowed
 (host-based authentication).
 The default is
@@ -1136,7 +1140,22 @@ are refused if the number of unauthentic
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
+.Cm no ,
+unless
+.Nm sshd
+was built without PAM support, in which case the default is
 .Cm yes .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
+.Cm yes ,
+and the PAM authentication policy for
+.Nm sshd
+includes
+.Xr pam_unix 8 ,
+password authentication will be allowed through the challenge-response
+mechanism regardless of the value of
+.Cm PasswordAuthentication .
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
@@ -1232,6 +1251,13 @@ and
 .Cm ethernet .
 The default is
 .Cm no .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
+.Cm yes ,
+the root user may be allowed in with its password even if
+.Cm PermitRootLogin is set to
+.Cm without-password .
 .Pp
 Independent of this setting, the permissions of the selected
 .Xr tun 4
@@ -1493,12 +1519,15 @@ is enabled, you will not be able to run
 .Xr sshd 8
 as a non-root user.
 The default is
-.Cm no .
+.Cm yes .
 .It Cm VersionAddendum
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.
 The default is
-.Cm none .
+.Cm %%SSH_VERSION_FREEBSD_PORT%% .
+The value
+.Cm none
+may be used to disable this.
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Xr sshd 8 Ns 's
@@ -1512,7 +1541,7 @@ The argument must be
 or
 .Cm no .
 The default is
-.Cm no .
+.Cm yes .
 .Pp
 When X11 forwarding is enabled, there may be additional exposure to
 the server and to client displays if the