--- sshd_config.5.orig	2013-02-11 18:02:09.000000000 -0600
+++ sshd_config.5	2013-05-13 06:49:28.164628328 -0500
@@ -277,7 +277,9 @@
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
 PAM or though authentication styles supported in
-.Xr login.conf 5 )
+.Xr login.conf 5 ) .
+See also
+.Cm UsePAM .
 The default is
 .Dq yes .
 .It Cm ChrootDirectory
@@ -555,7 +557,7 @@
 .Pp
 .Pa /etc/hosts.equiv
 and
-.Pa /etc/shosts.equiv
+.Pa /etc/ssh/shosts.equiv
 are still used.
 The default is
 .Dq yes .
@@ -841,7 +843,22 @@
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
+.Dq no ,
+unless
+.Nm sshd
+was built without PAM support, in which case the default is
 .Dq yes .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
+.Dq yes ,
+and the PAM authentication policy for
+.Nm sshd
+includes
+.Xr pam_unix 8 ,
+password authentication will be allowed through the challenge-response
+mechanism regardless of the value of
+.Cm PasswordAuthentication .
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
@@ -887,7 +904,14 @@
 or
 .Dq no .
 The default is
-.Dq yes .
+.Dq no .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
+.Dq yes ,
+the root user may be allowed in with its password even if
+.Cm PermitRootLogin is set to
+.Dq without-password .
 .Pp
 If this option is set to
 .Dq without-password ,
@@ -1006,7 +1030,9 @@
 section in
 .Xr ssh-keygen 1 .
 .It Cm RhostsRSAAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
+Specifies whether rhosts or
+.Pa /etc/hosts.equiv
+authentication together
 with successful RSA host authentication is allowed.
 The default is
 .Dq no .
@@ -1146,7 +1172,7 @@
 .Xr sshd 8
 as a non-root user.
 The default is
-.Dq no .
+.Dq yes .
 .It Cm UsePrivilegeSeparation
 Specifies whether
 .Xr sshd 8
@@ -1182,7 +1208,7 @@
 or
 .Dq no .
 The default is
-.Dq no .
+.Dq yes .
 .Pp
 When X11 forwarding is enabled, there may be additional exposure to
 the server and to client displays if the