diff --git a/README.md b/README.md index 2616b57..041b6be 100644 --- a/README.md +++ b/README.md @@ -103,10 +103,13 @@ docker run \ Tip: you can use [atmoz/makepasswd](https://hub.docker.com/r/atmoz/makepasswd/) to generate encrypted passwords: `echo -n "your-password" | docker run -i --rm atmoz/makepasswd --crypt-md5 --clearfrom=-` -## Using SSH key (and no password) +## Logging in with SSH keys -Mount all public keys in the user's `.ssh/keys/` directory. All keys are automatically -appended to `.ssh/authorized_keys`. +Mount public keys in the user's `.ssh/keys/` directory. All keys are +automatically appended to `.ssh/authorized_keys` (you can't mount this file +directly, because OpenSSH requires limited file permissions). In this example, +we do not provide any password, so the user `foo` can only login with his SSH +key. ``` docker run \ @@ -117,9 +120,11 @@ docker run \ foo::1001 ``` -## Using custom SSH key for server +## Providing your own SSH host key -This container will generate an ssh-key for OpenSSH at first run. To avoid this, you can map Ed25519 or RSA keys from the host inside the container. +This container will generate new SSH host keys at first run. To avoid that your +users get a MITM warning when you recreate your container (and the host keys +changes), you can mount your own host keys. ``` docker run \ @@ -130,7 +135,8 @@ docker run \ foo::1001 ``` -Tip: you can generate keys with this commands: +Tip: you can generate your keys with these commands: + ``` ssh-keygen -t ed25519 -f /host/ssh_host_ed25519_key < /dev/null ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key < /dev/null
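Review bot: In the first hunk (@@ -103,10 +103,13), the added sentence "we do not provide any password, so the user `foo` can only login with his SSH key" never says that the empty password field in the `foo::1001` user spec is what produces this. State that explicitly, so a reader who copies the key mount but keeps a password in the spec does not assume password login is disabled. In the same sentence, "login" should be the verb "log in" and "his" can be "their". The parenthetical "OpenSSH requires limited file permissions" would be clearer if it named what is checked, that is, the ownership and mode of `.ssh/authorized_keys`.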
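Review bot: In the second hunk (@@ -117,9 +120,11), the rewritten paragraph drops the removed line's statement that Ed25519 or RSA keys can be mapped, so the README no longer says which host key types can be supplied. Keep that detail in the new text. The heading uses the singular "host key" while the body uses "host keys", and "the host keys changes" should read "the host keys change". Because this section now tells users to mount host private keys into the container, a sentence recommending a read-only mount and owner-only permissions on the host-side files would fit here.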
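Review bot: In the last hunk (@@ -130,7 +135,8), the two commands under the reworded tip write to different locations: the Ed25519 key goes to `/host/ssh_host_ed25519_key`, while the RSA key goes to `/etc/ssh/ssh_host_rsa_key`, which is the default OpenSSH host key path on the machine where the command is run. Since the tip is being edited anyway, point both commands at the same directory, so a reader following it does not target the docker host's own sshd key. Both commands also rely on `< /dev/null` to skip the passphrase prompt; passing `-N ''` would make the empty passphrase explicit.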