diff --git a/ChangeLog b/ChangeLog
index b7405813c..62e88bc37 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,9 @@
    - markus@cvs.openbsd.org 2002/04/22 06:15:47
      [radix.c]
      fix check for overflow
+   - markus@cvs.openbsd.org 2002/04/22 16:16:53
+     [servconf.c sshd.8 sshd_config]
+     do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@
 
 20020421
  - (tim) [entropy.c.] Portability fix for SCO Unix 3.2v4.x (SCO OSR 3.0).
@@ -8287,4 +8290,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.2068 2002/04/23 11:00:33 djm Exp $
+$Id: ChangeLog,v 1.2069 2002/04/23 11:04:51 djm Exp $
diff --git a/servconf.c b/servconf.c
index 5172813ec..4b5b406a7 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.106 2002/04/20 09:02:03 deraadt Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.107 2002/04/22 16:16:53 markus Exp $");
 
 #if defined(KRB4)
 #include <krb.h>
@@ -200,7 +200,7 @@ fill_default_server_options(ServerOptions *options)
 		options->pubkey_authentication = 1;
 #if defined(KRB4) || defined(KRB5)
 	if (options->kerberos_authentication == -1)
-		options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
+		options->kerberos_authentication = 0;
 	if (options->kerberos_or_local_passwd == -1)
 		options->kerberos_or_local_passwd = 1;
 	if (options->kerberos_ticket_cleanup == -1)
diff --git a/sshd.8 b/sshd.8
index 59ba65f9c..04596d6a1 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.177 2002/04/21 16:19:27 stevesk Exp $
+.\" $OpenBSD: sshd.8,v 1.178 2002/04/22 16:16:53 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -571,7 +571,7 @@ the Kerberos KDC.
 To use this option, the server needs a
 Kerberos servtab which allows the verification of the KDC's identity.
 Default is
-.Dq yes .
+.Dq no .
 .It Cm KerberosOrLocalPasswd
 If set then if password authentication through Kerberos fails then
 the password will be validated via any additional local mechanism
diff --git a/sshd_config b/sshd_config
index a6b148bc9..d55a9e68c 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.50 2002/04/21 16:19:27 stevesk Exp $
+#	$OpenBSD: sshd_config,v 1.51 2002/04/22 16:16:53 markus Exp $
 
 # This is the sshd server system-wide configuration file.  See sshd(8)
 # for more information.
@@ -60,8 +60,7 @@
 #ChallengeResponseAuthentication yes
 
 # Kerberos options
-# KerberosAuthentication automatically enabled if keyfile exists
-#KerberosAuthentication yes
+#KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes