diff --git a/docs/guide/sshd_as_backend.md b/docs/guide/sshd_as_backend.md
index 8ffa92253d3c319905fdc28f360d4d51a9516617..97c66725c535cc8408d6af7537ca9f015c914043 100644
--- a/docs/guide/sshd_as_backend.md
+++ b/docs/guide/sshd_as_backend.md
@@ -3,6 +3,19 @@
 The ssh daemon provided by OpenSSH is called sshd. This document provides an outline of its behaviour,
 to aid understand the behaviour and configuration when using sshd as backend for sshmngr.
 
+## Migration from dropbear
+
+If a system is upgraded with an image with sshd as backend, then:
+
+- sshd will check for dropbear config file on first start up, for example if an upgrade was done without defaultreset (i.e., keep settings) and dropbear was present in the previous image.
+
+If a dropbear config is found, sshd will:
+
+- try to generate an sshd config as similar as possible to the dropbear config, and then remove the dropbear config file
+- copy the /etc/dropbear/authorized_keys file to the place where sshd expects them, and then remove the dropbear authorized_keys
+
+Otherwise system will come up with the default sshd config, given further in this document.
+
 ## Configuration
 
 - The UCI file for sshd is called "sshd".
@@ -14,22 +27,32 @@ to aid understand the behaviour and configuration when using sshd as backend for
 
 - The default here applies if the option is not used.
 
-| Name             | Type     | Default     | Description |
-| :---             | :----:   | :---:       | :---        |
-| AllowUsers       | string   | empty       | username allowed to log in, no value means all users |
-| BannerFile       | string   | empty       | the path to the file containing the banner used in ssh |
-| enable           | bool     | true        | whether this server is enabled or not |
-| GatewayPorts     | bool     | false       | whether remote hosts are allowed to connect to forwarded ports |
-| Interface        | string   | empty       | interface whose address to bind to, no value means all interfaces |
-| MacAlgorithms    | string   | empty       | the available MAC (message authentication code) algorithm, no value means all |
-| MaxAuthTries     | number   | 6           | number of authentication attempts allowed |
-| PasswordAuth     | bool     | true        | whether to allow password based authentication |
-| Port             | number   | 22          | port to listen on |
-| PublishOverMdns  | bool     | true        | whether to announce an ssh service over mdns |
-| RootLogin        | bool     | true        | whether to allow authentication for root |
-| RootPasswordAuth | bool     | true        | whether to allow password based authentication for root |
-
-- There is a iowrt default config with which the device comes up, which is different and as follows:
+| Name              | Type          | Default     | Description |
+| :---              | :----:        | :---:       | :---        |
+| AllowUsers        | list (string) | empty       | usernames allowed to log in, no value means all users |
+| BannerFile        | string        | empty       | the path to the file containing the banner used in ssh |
+| Ciphers           | list (string) | empty       | the Ciphers that can be used, no value means all |
+| enable            | bool          | true        | whether this server is enabled or not |
+| GatewayPorts      | bool          | false       | whether remote hosts are allowed to connect to forwarded ports |
+| HostKeyAlgorithms | list (string) | empty       | the HostKeyAlgorithms that can be used, no value means all |
+| HostKeyFiles      | list (string) | empty       | the file(s) pointing to HostKey(s), no value means sshd default |
+| IdleTimeout       | number        | 0           | how many seconds before unresponsive SSH clients will be disconnected |
+| Interface         | string        | empty       | interface whose address to bind to, no value means all interfaces |
+| KexAlgorithms     | list (string) | empty       | the KexAlgorithms that can be used |
+| MacAlgorithms     | list (string) | empty       | the available MAC (message authentication code) algorithm, no value means all |
+| MaxAuthTries      | number        | 6           | number of authentication attempts allowed |
+| mdns              | bool          | true        | whether to announce an ssh service over mdns |
+| PasswordAuth      | bool          | true        | whether to allow password based authentication |
+| Port              | number        | 22          | port to listen on |
+| RootLogin         | bool          | true        | whether to allow authentication for root |
+| RootPasswordAuth  | bool          | true        | whether to allow password based authentication for root |
+
+- For more details about these options please follow *sshd_config* manual page.
+
+### IOWRT default sshd config
+
+- There is an iowrt default config with which the device comes up, which is different and as follows:
+
 ```
 config sshd
         option enable '1'
@@ -41,8 +64,33 @@ config sshd
         list MacAlgorithms 'hmac-sha1'
         list MacAlgorithms 'hmac-sha2-256'
         list MacAlgorithms 'hmac-sha2-512'
+        list Ciphers 'aes128-ctr'
+        list Ciphers 'aes192-ctr'
+        list Ciphers 'aes256-ctr'
+        list HostKeyAlgorithms 'ecdsa-sha2-nistp256'
+        list HostKeyAlgorithms 'ecdsa-sha2-nistp384'
+        list HostKeyAlgorithms 'ecdsa-sha2-nistp521'
+        list HostKeyAlgorithms 'ssh-rsa'
+        list HostKeyAlgorithms 'ssh-dss'
+        list KexAlgorithms 'ecdh-sha2-nistp256'
+        list KexAlgorithms 'ecdh-sha2-nistp384'
+        list KexAlgorithms 'ecdh-sha2-nistp521'
+        list KexAlgorithms 'diffie-hellman-group14-sha1'
+        list KexAlgorithms 'diffie-hellman-group-exchange-sha256'
+```
+
+- Please note that the following options are not configurable via TR181 and hence must be properly set in the customer default UCI config or represented by vendor extensions:
+
+```
+1. AllowUsers
+2. BannerFile
+3. MacAlgorithms
+4. Ciphers
+5. GatewayPorts
+6. HostKeyAlgorithms
+7. HostKeyFiles
+8. KexAlgorithms
 ```
-- Please note that the options AllowUsers and MacAlgorithms are not configurable via TR181 and hence must be properly set in the customer default UCI config or represented by vendor extensions.
 
 ### AuthorizedKeys