diff --git a/README.md b/README.md index df578e4..0a3fc5a 100644 --- a/README.md +++ b/README.md 
@@ -255,6 +255,70 @@ kadmin.local -q "listpols" kadmin.local -q "delpol default" ``` +## SSH server configuration + +SSH uses the `host/` service principal. The FQDN must match the result of forward DNS resolution of the server's hostname, and the IP must reverse-resolve to the same FQDN. + +### Linux + +Create the host principal and extract the keytab to the default location: + +```bash +kadmin -p admin@REALM -q "addprinc -randkey host/ssh-server.example.org@REALM" +kadmin -p admin@REALM -q "ktadd host/ssh-server.example.org@REALM" +``` + +The keytab is written to `/etc/krb5.keytab` (mode `0600`, owned by `root`). Add to `/etc/ssh/sshd_config`: + +``` +GSSAPIAuthentication yes +GSSAPICleanupCredentials yes +GSSAPIStrictAcceptorCheck yes +``` + +`GSSAPIStrictAcceptorCheck` verifies the server's identity against the keytab — keep it enabled. Reload sshd after the change. + +**Login authorisation** — by default a principal is granted access if its realm matches `default_realm` and its name matches the local account. To grant additional principals access to an account, list them in `~/.k5login` (one principal per line): + +``` +alice@EXAMPLE.ORG +alice/admin@EXAMPLE.ORG +``` + +If `.k5login` is present it is authoritative — unlisted principals are denied even if the name matches. To make it additive rather than restrictive, set in `krb5.conf`: + +```ini +[libdefaults] + k5login_authoritative = false +``` + +### Windows + +`GSSAPIAuthentication` is available on **Windows Server 2022, 2025, Windows 10 (May 2021 Update), and Windows 11** only. Windows Server 2019 does not support it. + +Install **MIT Kerberos for Windows** (KfW) on the SSH server — Windows OpenSSH uses it for GSSAPI when the machine is not domain-joined. 
Create the host principal and extract a keytab: + +```bash +kadmin -p admin@REALM -q "addprinc -randkey host/win-server.example.org@REALM" +kadmin -p admin@REALM -q "ktadd -k /tmp/win-server.keytab host/win-server.example.org@REALM" +``` + +Copy the keytab to the Windows server and set `KRB5_KTNAME` in the system environment to its path, or place it at the KfW default (`%ProgramData%\MIT\Kerberos5\krb5.keytab`). + +Add to `%ProgramData%\ssh\sshd_config`: + +``` +GSSAPIAuthentication yes +``` + +> The following directives are **not available** on Windows OpenSSH and must not be added: `GSSAPICleanupCredentials`, `GSSAPIStrictAcceptorCheck`, `KerberosAuthentication`, `KerberosTicketCleanup`. + +Restart the `sshd` service after the change: + +```powershell +Restart-Service sshd +``` + ## OpenLDAP SASL/GSSAPI integration 1. Create the LDAP service principal and extract a keytab:
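Review bot: the Windows subsection asserts that Windows OpenSSH uses MIT Kerberos for Windows for GSSAPI "when the machine is not domain-joined" and that sshd will pick up the keytab via `KRB5_KTNAME` or `%ProgramData%\MIT\Kerberos5\krb5.keytab`, but nothing in the hunk backs that up with a reference or a verification step. If Windows sshd in fact obtains its GSSAPI credentials through the platform's SSPI rather than through KfW, then the `ktadd -k /tmp/win-server.keytab ...` / copy-the-keytab steps are inert and the real requirement is a domain-joined server whose account carries the `host/win-server.example.org` SPN; please either cite where the KfW/`KRB5_KTNAME` behaviour is documented or add a check the reader can run, e.g. `ssh -vvv user@win-server.example.org` showing `gssapi-with-mic` being accepted after `kinit`, so a wrong assumption surfaces immediately instead of as an opaque authentication failure. Two smaller points in the Linux subsection: the `.k5login` paragraph should state that the file must be owned by the target user (or root) and not writable by anyone else, since a world-writable `~/.k5login` is exactly the file an attacker would append their own principal to; and "one principal per line" deserves the caveat that a trailing empty line or whitespace-only line does not grant wildcard access but a stray `alice/admin@EXAMPLE.ORG` does grant the admin instance interactive login to the `alice` account, which may not be what the author intends when listing it as an example.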