diff --git a/openssh-8.7p1-man-hostkeyalgos.patch b/openssh-8.7p1-man-hostkeyalgos.patch
new file mode 100644
index 0000000..92c53b1
--- /dev/null
+++ b/openssh-8.7p1-man-hostkeyalgos.patch
@@ -0,0 +1,31 @@
+diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh_config.5 openssh-8.7p1-patched/ssh_config.5
+--- openssh-8.7p1/ssh_config.5	2023-06-02 09:14:40.279373577 +0200
++++ openssh-8.7p1-patched/ssh_config.5	2023-05-30 16:01:04.533848172 +0200
+@@ -989,6 +989,17 @@
+ .Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q HostKeyAlgorithms .
++.Pp
++The proposed
++.Cm HostKeyAlgorithms
++during KEX are limited to the set of algorithms that is defined in
++.Cm PubkeyAcceptedAlgorithms
++and therefore they are indirectly affected by system-wide
++.Xr crypto_policies 7 .
++.Xr crypto_policies 7 can not handle the list of host key algorithms directly as doing so
++would break the order given by the
++.Pa known_hosts
++file.
+ .It Cm HostKeyAlias
+ Specifies an alias that should be used instead of the
+ real host name when looking up or saving the host key
+@@ -1564,6 +1575,9 @@
+ .Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q PubkeyAcceptedAlgorithms .
++.Pp
++This option affects also
++.Cm HostKeyAlgorithms
+ .It Cm PubkeyAuthentication
+ Specifies whether to try public key authentication.
+ The argument to this keyword must be
diff --git a/openssh.spec b/openssh.spec
index a51e330..29682b8 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -272,6 +272,9 @@ Patch1010: openssh-8.7p1-evp-fips-compl-dh.patch
 Patch1011: openssh-8.7p1-evp-fips-compl-ecdh.patch
 Patch1012: openssh-8.7p1-evp-pkcs11.patch
 
+# clarify rhbz#2068423 on the man page of ssh_config
+Patch1013: openssh-8.7p1-man-hostkeyalgos.patch
+
 License: BSD
 Requires: /sbin/nologin
 
@@ -487,6 +490,8 @@ popd
 %patch1011 -p1 -b .evp_fips_ecdh
 %patch1012 -p1 -b .evp_pkcs11
 
+%patch1013 -p1 -b .man-hostkeyalgos
+
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 autoreconf
@@ -775,7 +780,8 @@ test -f %{sysconfig_anaconda} && \
 * Wed May 24 2023 Norbert Pocs <npocs@redhat.com> - 8.7p1-32
 - Fix pkcs11 issue with the recent changes
 - Delete unnecessary log messages from previous compl-dh patch
-- Resolves: rhbz#2207793
+- Add ssh_config man page explanation on rhbz#2068423
+- Resolves: rhbz#2207793, rhbz#2209096
 
 * Tue May 16 2023 Norbert Pocs <npocs@redhat.com> - 8.7p1-31
 - Fix minor issues with openssh-8.7p1-evp-fips-compl-dh.patch: