-The client should send back a \fBuser\fR command with username and a
-hex-encoded response. The response is the SHA-1 hash of the user's password
-and the challenge.
+Currently the algorithm name is omitted if it is \fBsha1\fR (but this will
+probably change in a future version). The other options are \fBsha256\fR,
+\fBsha384\fR and \fBsha512\fR. \fBSHA1\fR etc work as synonyms.
+.PP
+The \fBuser\fR response consists of the selected hash of the user's password
+concatenated with the challenge, encoded in hex.