git: 6ac1039d047a - stable/13 - ssh: update to OpenSSH v8.9p1

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Fri, 07 Oct 2022 01:39:38 UTC
The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=6ac1039d047aafcaae5fec13504ece8fdc764c5a

commit 6ac1039d047aafcaae5fec13504ece8fdc764c5a
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-04-13 20:00:56 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-10-07 01:39:00 +0000

    ssh: update to OpenSSH v8.9p1
    
    Release notes are available at https://www.openssh.com/txt/release-8.9
    
    Some highlights:
    
     * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
       restricting forwarding and use of keys added to ssh-agent(1)
    
     * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
       ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
       default KEXAlgorithms list (after the ECDH methods but before the
       prime-group DH ones). The next release of OpenSSH is likely to
       make this key exchange the default method.
    
     * sshd(8), portable OpenSSH only: this release removes in-built
       support for MD5-hashed passwords. If you require these on your
       system then we recommend linking against libxcrypt or similar.
    
    Future deprecation notice
    =========================
    
    A near-future release of OpenSSH will switch scp(1) from using the
    legacy scp/rcp protocol to using SFTP by default.
    
    Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
    "scp host:* .") through the remote shell. This has the side effect of
    requiring double quoting of shell meta-characters in file names
    included on scp(1) command-lines, otherwise they could be interpreted
    as shell commands on the remote side.
    
    MFC after:      1 month
    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 1323ec571215a77ddd21294f0871979d5ad6b992)
    (cherry picked from commit 58def461e256e3a05c3ff15a87ed702fe0c3662c)
---
 crypto/openssh/.depend                             |    11 +-
 crypto/openssh/.github/configs                     |    76 +-
 crypto/openssh/.github/configure.sh                |    17 +-
 crypto/openssh/.github/setup_ci.sh                 |    41 +-
 crypto/openssh/.github/workflows/c-cpp.yml         |    24 +-
 crypto/openssh/.github/workflows/selfhosted.yml    |    14 +-
 crypto/openssh/.github/workflows/upstream.yml      |     3 +-
 crypto/openssh/.skipped-commit-ids                 |     1 +
 crypto/openssh/ChangeLog                           | 17378 +++++++++----------
 crypto/openssh/INSTALL                             |     5 -
 crypto/openssh/LICENCE                             |    21 +-
 crypto/openssh/Makefile.in                         |    55 +-
 crypto/openssh/PROTOCOL                            |    69 +-
 crypto/openssh/PROTOCOL.agent                      |    85 +-
 crypto/openssh/PROTOCOL.mux                        |     6 +-
 crypto/openssh/README                              |     2 +-
 crypto/openssh/SECURITY.md                         |     5 +
 crypto/openssh/addr.c                              |    30 +-
 crypto/openssh/atomicio.c                          |     1 -
 crypto/openssh/auth-options.c                      |     4 +-
 crypto/openssh/auth-rhosts.c                       |    41 +-
 crypto/openssh/auth.c                              |    16 +-
 crypto/openssh/auth.h                              |     5 +-
 crypto/openssh/auth2-gss.c                         |     5 +-
 crypto/openssh/auth2-hostbased.c                   |    11 +-
 crypto/openssh/auth2-kbdint.c                      |     5 +-
 crypto/openssh/auth2-none.c                        |     5 +-
 crypto/openssh/auth2-passwd.c                      |     5 +-
 crypto/openssh/auth2-pubkey.c                      |    49 +-
 crypto/openssh/auth2.c                             |    70 +-
 crypto/openssh/authfd.c                            |   116 +-
 crypto/openssh/authfd.h                            |    35 +-
 crypto/openssh/authfile.c                          |     4 +-
 crypto/openssh/channels.c                          |   554 +-
 crypto/openssh/channels.h                          |    31 +-
 crypto/openssh/clientloop.c                        |   236 +-
 crypto/openssh/config.h                            |    36 +-
 crypto/openssh/configure.ac                        |   126 +-
 crypto/openssh/contrib/redhat/openssh.spec         |    10 +-
 crypto/openssh/contrib/suse/openssh.spec           |     2 +-
 crypto/openssh/defines.h                           |    39 +-
 crypto/openssh/digest-libc.c                       |    10 +
 crypto/openssh/dns.c                               |     4 +-
 crypto/openssh/gss-genr.c                          |     1 +
 crypto/openssh/hostfile.c                          |    22 +-
 crypto/openssh/includes.h                          |     1 -
 crypto/openssh/kex.c                               |    48 +-
 crypto/openssh/kex.h                               |    13 +-
 crypto/openssh/kexgen.c                            |    35 +-
 crypto/openssh/kexgexc.c                           |    24 +-
 crypto/openssh/kexgexs.c                           |    14 +-
 crypto/openssh/kexsntrup761x25519.c                |     4 +-
 crypto/openssh/loginrec.c                          |     3 +-
 crypto/openssh/md5crypt.c                          |   165 -
 crypto/openssh/md5crypt.h                          |    22 -
 crypto/openssh/misc.c                              |    90 +-
 crypto/openssh/misc.h                              |     4 +-
 crypto/openssh/moduli                              |   831 +-
 crypto/openssh/monitor.c                           |    31 +-
 crypto/openssh/mux.c                               |     4 +-
 crypto/openssh/myproposal.h                        |     3 +-
 crypto/openssh/nchan.c                             |    10 +-
 crypto/openssh/openbsd-compat/arc4random.c         |     8 +-
 crypto/openssh/openbsd-compat/base64.c             |     1 -
 crypto/openssh/openbsd-compat/bcrypt_pbkdf.c       |    41 +-
 crypto/openssh/openbsd-compat/bindresvport.c       |     1 +
 crypto/openssh/openbsd-compat/blf.h                |     7 +-
 crypto/openssh/openbsd-compat/blowfish.c           |     7 +-
 crypto/openssh/openbsd-compat/bsd-closefrom.c      |     8 +-
 crypto/openssh/openbsd-compat/bsd-cygwin_util.c    |     4 +-
 crypto/openssh/openbsd-compat/bsd-getline.c        |     2 +-
 crypto/openssh/openbsd-compat/bsd-openpty.c        |    76 +-
 crypto/openssh/openbsd-compat/bsd-poll.c           |    68 +-
 crypto/openssh/openbsd-compat/bsd-poll.h           |    26 +-
 crypto/openssh/openbsd-compat/bsd-statvfs.c        |     1 -
 crypto/openssh/openbsd-compat/dirname.c            |     1 -
 crypto/openssh/openbsd-compat/fmt_scaled.c         |    32 +-
 crypto/openssh/openbsd-compat/getcwd.c             |     1 -
 crypto/openssh/openbsd-compat/inet_aton.c          |     1 -
 crypto/openssh/openbsd-compat/inet_ntop.c          |     1 -
 crypto/openssh/openbsd-compat/openbsd-compat.h     |     4 +-
 crypto/openssh/openbsd-compat/port-solaris.c       |     1 -
 crypto/openssh/openbsd-compat/xcrypt.c             |    17 +-
 crypto/openssh/packet.c                            |   103 +-
 crypto/openssh/packet.h                            |     3 +-
 crypto/openssh/platform-tracing.c                  |    13 +-
 crypto/openssh/readconf.c                          |    27 +-
 crypto/openssh/readconf.h                          |     7 +-
 crypto/openssh/regress/Makefile                    |    14 +-
 crypto/openssh/regress/agent-getpeereid.sh         |     3 +
 crypto/openssh/regress/agent-restrict.sh           |   495 +
 crypto/openssh/regress/cert-hostkey.sh             |    86 +-
 crypto/openssh/regress/cert-userkey.sh             |   326 +-
 crypto/openssh/regress/cipher-speed.sh             |    10 +
 crypto/openssh/regress/hostbased.sh                |    66 +
 crypto/openssh/regress/hostkey-agent.sh            |    84 +-
 crypto/openssh/regress/hostkey-rotate.sh           |    17 +-
 crypto/openssh/regress/keys-command.sh             |     6 +-
 crypto/openssh/regress/knownhosts.sh               |    17 +
 crypto/openssh/regress/login-timeout.sh            |     4 +-
 crypto/openssh/regress/misc/fuzz-harness/Makefile  |     2 +-
 .../openssh/regress/misc/fuzz-harness/kex_fuzz.cc  |     3 +-
 .../regress/misc/fuzz-harness/ssh-sk-null.cc       |     3 +-
 crypto/openssh/regress/misc/sk-dummy/sk-dummy.c    |    55 +-
 crypto/openssh/regress/percent.sh                  |     5 +-
 crypto/openssh/regress/principals-command.sh       |   220 +-
 crypto/openssh/regress/sshd-log-wrapper.sh         |     3 +-
 crypto/openssh/regress/sshsig.sh                   |   256 +-
 crypto/openssh/regress/test-exec.sh                |    30 +-
 crypto/openssh/regress/unittests/authopt/tests.c   |     3 +-
 crypto/openssh/regress/unittests/bitmap/tests.c    |     3 +-
 .../openssh/regress/unittests/conversion/tests.c   |     3 +-
 .../regress/unittests/hostkeys/test_iterate.c      |     3 +-
 crypto/openssh/regress/unittests/kex/test_kex.c    |     3 +-
 crypto/openssh/regress/unittests/match/tests.c     |     3 +-
 crypto/openssh/regress/unittests/misc/test_argv.c  |     3 +-
 .../openssh/regress/unittests/misc/test_convtime.c |     4 +-
 .../openssh/regress/unittests/misc/test_expand.c   |     3 +-
 .../openssh/regress/unittests/misc/test_hpdelim.c  |    82 +
 crypto/openssh/regress/unittests/misc/test_parse.c |     3 +-
 .../openssh/regress/unittests/misc/test_strdelim.c |     3 +-
 crypto/openssh/regress/unittests/misc/tests.c      |     5 +-
 .../openssh/regress/unittests/sshbuf/test_sshbuf.c |     7 +-
 .../regress/unittests/sshbuf/test_sshbuf_fixed.c   |     3 +-
 .../regress/unittests/sshbuf/test_sshbuf_fuzz.c    |     5 +-
 .../unittests/sshbuf/test_sshbuf_getput_basic.c    |     3 +-
 .../unittests/sshbuf/test_sshbuf_getput_crypto.c   |     3 +-
 .../unittests/sshbuf/test_sshbuf_getput_fuzz.c     |     5 +-
 .../regress/unittests/sshbuf/test_sshbuf_misc.c    |     3 +-
 crypto/openssh/regress/unittests/sshkey/common.c   |     3 +-
 .../openssh/regress/unittests/sshkey/test_file.c   |     5 +-
 .../openssh/regress/unittests/sshkey/test_fuzz.c   |     5 +-
 .../openssh/regress/unittests/sshkey/test_sshkey.c |     5 +-
 crypto/openssh/regress/unittests/sshsig/tests.c    |     7 +-
 .../openssh/regress/unittests/sshsig/webauthn.html |     6 +-
 .../regress/unittests/test_helper/test_helper.c    |    11 +-
 crypto/openssh/rijndael.h                          |     5 +-
 crypto/openssh/sandbox-capsicum.c                  |     1 -
 crypto/openssh/sandbox-seccomp-filter.c            |    17 +-
 crypto/openssh/scp.1                               |     4 +-
 crypto/openssh/scp.c                               |    85 +-
 crypto/openssh/servconf.c                          |    21 +-
 crypto/openssh/serverloop.c                        |   157 +-
 crypto/openssh/session.c                           |     5 +-
 crypto/openssh/sftp-client.c                       |   200 +-
 crypto/openssh/sftp-client.h                       |     4 +-
 crypto/openssh/sftp-server.c                       |    85 +-
 crypto/openssh/sftp.c                              |     1 -
 crypto/openssh/sk-api.h                            |     7 +-
 crypto/openssh/sk-usbhid.c                         |   225 +-
 crypto/openssh/sk_config.h                         |     2 +
 crypto/openssh/ssh-add.1                           |    88 +-
 crypto/openssh/ssh-add.c                           |   218 +-
 crypto/openssh/ssh-agent.c                         |   716 +-
 crypto/openssh/ssh-keygen.1                        |    37 +-
 crypto/openssh/ssh-keygen.c                        |   246 +-
 crypto/openssh/ssh-keyscan.c                       |    70 +-
 crypto/openssh/ssh-keysign.c                       |    42 +-
 crypto/openssh/ssh-pkcs11-client.c                 |    16 +-
 crypto/openssh/ssh-pkcs11-helper.c                 |     4 +-
 crypto/openssh/ssh-pkcs11.c                        |    35 +-
 crypto/openssh/ssh-sk-client.c                     |    98 +-
 crypto/openssh/ssh-sk-helper.c                     |    33 +-
 crypto/openssh/ssh-sk.c                            |   106 +-
 crypto/openssh/ssh-sk.h                            |    14 +-
 crypto/openssh/ssh.1                               |    10 +-
 crypto/openssh/ssh.c                               |    20 +-
 crypto/openssh/ssh_config                          |     2 +-
 crypto/openssh/ssh_config.5                        |    22 +-
 crypto/openssh/ssh_namespace.h                     |    40 +-
 crypto/openssh/sshbuf-misc.c                       |    39 +-
 crypto/openssh/sshbuf.h                            |     8 +-
 crypto/openssh/sshconnect.c                        |     4 +-
 crypto/openssh/sshconnect2.c                       |    79 +-
 crypto/openssh/sshd.c                              |    91 +-
 crypto/openssh/sshd_config                         |     2 +-
 crypto/openssh/sshd_config.5                       |     8 +-
 crypto/openssh/sshkey.c                            |    31 +-
 crypto/openssh/sshkey.h                            |     6 +-
 crypto/openssh/sshsig.c                            |   284 +-
 crypto/openssh/sshsig.h                            |     6 +-
 crypto/openssh/umac.c                              |     4 +-
 crypto/openssh/umac.h                              |     4 +-
 crypto/openssh/version.h                           |     6 +-
 lib/libpam/modules/pam_ssh/pam_ssh.c               |     2 +-
 secure/usr.sbin/sshd/Makefile                      |     2 +-
 186 files changed, 13912 insertions(+), 12246 deletions(-)

diff --git a/crypto/openssh/.depend b/crypto/openssh/.depend
index a94a82d0e6f7..945a01dcc05d 100644
--- a/crypto/openssh/.depend
+++ b/crypto/openssh/.depend
@@ -13,7 +13,7 @@ auth-krb5.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-com
 auth-options.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssherr.h log.h sshbuf.h misc.h sshkey.h match.h ssh2.h auth-options.h
 auth-pam.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 auth-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h sshbuf.h ssherr.h log.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h
-auth-rhosts.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h uidswap.h pathnames.h log.h ssherr.h misc.h sshbuf.h sshkey.h servconf.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
+auth-rhosts.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h uidswap.h pathnames.h log.h ssherr.h misc.h xmalloc.h sshbuf.h sshkey.h servconf.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
 auth-shadow.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 auth-sia.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 auth.o: authfile.h monitor_wrap.h compat.h channels.h
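
Review bot: The added "xmalloc.h" on the auth-rhosts.o line (between "misc.h" and "sshbuf.h") cannot be checked from this hunk alone, because the auth-rhosts.c change listed in the diffstat (41 lines) is not shown next to it. .depend is a generated dependency list, so please confirm that auth-rhosts.c now includes xmalloc.h and that this line was regenerated from the imported sources rather than edited by hand. auth-rhosts.c is on the authentication path, so any new allocation behind that include deserves a look in its own hunk.
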
@@ -74,11 +74,10 @@ kexgexs.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compa
 kexsntrup761x25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h
 krl.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h sshbuf.h ssherr.h sshkey.h authfile.h misc.h log.h digest.h bitmap.h utf8.h krl.h
 log.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h match.h
-loginrec.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h hostfile.h ssh.h loginrec.h log.h ssherr.h atomicio.h packet.h openbsd-compat/sys-queue.h dispatch.h canohost.h auth.h auth-pam.h audit.h sshbuf.h
+loginrec.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h hostfile.h ssh.h loginrec.h log.h ssherr.h atomicio.h packet.h openbsd-compat/sys-queue.h dispatch.h canohost.h auth.h auth-pam.h audit.h sshbuf.h misc.h
 logintest.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h loginrec.h
 mac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h digest.h hmac.h umac.h mac.h misc.h ssherr.h sshbuf.h openbsd-compat/openssl-compat.h
 match.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h misc.h
-md5crypt.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 misc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h misc.h log.h ssherr.h ssh.h sshbuf.h
 moduli.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 monitor.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h dh.h packet.h dispatch.h auth-options.h sshpty.h channels.h session.h sshlogin.h canohost.h log.h ssherr.h misc.h servconf.h monitor.h monitor_wrap.h monitor_fdpass.h compat.h ssh2.h authfd.h match.h sk-api.h
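
Review bot: Missing documentation for the "-md5crypt.o:" removal. The commit message repeats the upstream advice to link against libxcrypt or similar if MD5-hashed passwords are required, but it does not say whether FreeBSD's sshd build ever used the in-built md5crypt code, so a reader cannot tell whether accounts with MD5 password hashes are affected by this merge. The commit is tagged "Relnotes: Yes", so one sentence on the effect for FreeBSD would help operators. The removal itself is consistent with the deletion of md5crypt.c and md5crypt.h in the diffstat. The "misc.h" appended to the loginrec.o line should likewise match a new include in loginrec.c, which is not visible here.
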
@@ -110,7 +109,7 @@ sandbox-seccomp-filter.o: includes.h config.h defines.h platform.h openbsd-compa
 sandbox-solaris.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 sandbox-systrace.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 sc25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sc25519.h crypto_api.h
-scp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h xmalloc.h ssh.h atomicio.h pathnames.h log.h ssherr.h misc.h progressmeter.h utf8.h sftp-common.h sftp-client.h
+scp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h xmalloc.h ssh.h atomicio.h pathnames.h log.h ssherr.h misc.h progressmeter.h utf8.h sftp.h sftp-common.h sftp-client.h
 servconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h openbsd-compat/sys-queue.h xmalloc.h ssh.h log.h ssherr.h sshbuf.h misc.h servconf.h compat.h pathnames.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey
 .h
 servconf.o: kex.h mac.h crypto_api.h match.h channels.h groupaccess.h canohost.h packet.h dispatch.h hostfile.h auth.h auth-pam.h audit.h loginrec.h myproposal.h digest.h
 serverloop.o: cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h hostfile.h auth.h auth-pam.h audit.h loginrec.h session.h auth-options.h serverloop.h
@@ -127,8 +126,8 @@ sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h
 sk-usbhid.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 sntrup761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 srclimit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h addr.h canohost.h log.h ssherr.h misc.h srclimit.h xmalloc.h
-ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h log.h ssherr.h sshkey.h sshbuf.h authfd.h authfile.h pathnames.h misc.h digest.h ssh-sk.h sk-api.h
-ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h sshkey.h authfd.h compat.h log.h ssherr.h misc.h digest.h match.h msg.h pathnames.h ssh-pkcs11.h sk-api.h
+ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h log.h ssherr.h sshkey.h sshbuf.h authfd.h authfile.h pathnames.h misc.h digest.h ssh-sk.h sk-api.h hostfile.h
+ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h sshkey.h authfd.h compat.h log.h ssherr.h misc.h digest.h match.h msg.h pathnames.h ssh-pkcs11.h sk-api.h myproposal.h
 ssh-dss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 ssh-ecdsa-sk.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/openssl-compat.h sshbuf.h ssherr.h digest.h sshkey.h
 ssh-ecdsa.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
index 12578c067348..853da58a51e3 100755
--- a/crypto/openssh/.github/configs
+++ b/crypto/openssh/.github/configs
@@ -15,6 +15,8 @@ LTESTS=""
 SKIP_LTESTS=""
 SUDO=sudo	# run with sudo by default
 TEST_SSH_UNSAFE_PERMISSIONS=1
+# Stop on first test failure to minimize logs
+TEST_SSH_FAIL_FATAL=yes
 
 CONFIGFLAGS=""
 LIBCRYPTOFLAGS=""
@@ -25,9 +27,29 @@ case "$config" in
     c89)
 	CC="gcc"
 	CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
-	CONFIGFLAGS="--without-openssl --without-zlib"
+	CONFIGFLAGS="--without-zlib"
+	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET=t-exec
 	;;
+    cygwin-release)
+	CONFIGFLAGS="--with-libedit --with-xauth=/usr/bin/xauth --disable-strip --with-security-key-builtin"
+	;;
+   clang-12-Werror)
+	CC="clang-12"
+	# clang's implicit-fallthrough requires that the code be annotated with
+	# __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
+	CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough"
+	CONFIGFLAGS="--with-pam --with-Werror"
+	;;
+    gcc-11-Werror)
+	CC="gcc"
+	# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
+	CFLAGS="-Wall -Wextra -Wno-format-truncation -O2 -Wimplicit-fallthrough=4"
+	CONFIGFLAGS="--with-pam --with-Werror"
+	;;
+    clang*|gcc*)
+	CC="$config"
+	;;
     kitchensink)
 	CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
 	CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
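Review bot: In the gcc-11-Werror case, CC is set to plain "gcc", which selects whatever the runner's default gcc is, while the neighbouring clang-12-Werror case pins CC to "clang-12". Set CC to "gcc-11" so the -Werror build exercises the compiler the config is named after. The comment above its CFLAGS also spells the flag -Wnoformat-truncation where the flag actually passed is -Wno-format-truncation, and the clang-12-Werror) label is indented three spaces where the other labels use four.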
@@ -36,12 +58,21 @@ case "$config" in
     hardenedmalloc)
 	CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
 	;;
-    kerberos5)
+    tcmalloc)
+	CONFIGFLAGS="--with-ldflags=-ltcmalloc"
+	;;
+    krb5|heimdal)
 	CONFIGFLAGS="--with-kerberos5"
 	;;
     libedit)
 	CONFIGFLAGS="--with-libedit"
 	;;
+    musl)
+	CC="musl-gcc"
+	CONFIGFLAGS="--without-zlib"
+	LIBCRYPTOFLAGS="--without-openssl"
+	TEST_TARGET="t-exec"
+	;;
     pam-krb5)
 	CONFIGFLAGS="--with-pam --with-kerberos5"
 	SSHD_CONFOPTS="UsePam yes"
@@ -76,9 +107,9 @@ case "$config" in
 	# Valgrind slows things down enough that the agent timeout test
 	# won't reliably pass, and the unit tests run longer than allowed
 	# by github so split into three separate tests.
-	tests2="rekey integrity"
-	tests3="krl forward-control sshsig"
-	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment"
+	tests2="rekey integrity try-ciphers sftp"
+	tests3="krl forward-control sshsig agent-restrict kextype"
+	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
 	case "$config" in
 	    valgrind-1)
 		# All tests except agent-timeout (which is flaky under valgrind)
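Review bot: kextype is appended to tests3 but is still listed in tests4, so it appears in two of the valgrind splits. The comment above says these lists exist because valgrind runs are already too slow for the time GitHub allows, so keep kextype in only one of them.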
@@ -122,22 +153,25 @@ case "${TARGET_HOST}" in
 	SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
 	;;
     minix3)
-	CC="clang"
-	LIBCRYPTOFLAGS="--without-openssl"
+	LIBCRYPTOFLAGS="--without-openssl --disable-security-key"
 	# Minix does not have a loopback interface so we have to skip any
-	# test that relies on it.
+	# test that relies on one.
+	# Also, Minix seems to be very limited in the number of select()
+	# calls that can be operating concurrently, so prune additional tests for that.
+	T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse connect
+	    connect-uri exit-status forward-control forwarding hostkey-agent
+	    key-options keyscan knownhosts-command login-timeout multiplex
+	    reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
+	    sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
+	    transfer"
+	SKIP_LTESTS="$(echo $T)"
 	TEST_TARGET=t-exec
-	SKIP_LTESTS="addrmatch cfgparse key-options reexec agent connect"
-	SKIP_LTESTS="$SKIP_LTESTS keyscan rekey allow-deny-users connect-uri"
-	SKIP_LTESTS="$SKIP_LTESTS knownhosts-command sftp-uri brokenkeys"
-	SKIP_LTESTS="$SKIP_LTESTS exit-status login-timeout stderr-data"
-	SKIP_LTESTS="$SKIP_LTESTS cfgmatch forward-control multiplex transfer"
-	SKIP_LTESTS="$SKIP_LTESTS cfgmatchlisten forwarding reconfigure"
 	SUDO=""
 	;;
     nbsd4)
 	# System compiler will ICE on some files with fstack-protector
-	CONFIGFLAGS="${CONFIGFLAGS} --without-hardening"
+	# SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
+	CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
 	;;
     sol10|sol11)
 	# sol10 VM is 32bit and the unit tests are slow.
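Review bot: The rewritten minix3 skip list drops "agent" and "allow-deny-users", both present in the removed SKIP_LTESTS lines, and neither the new comment nor the list says why. Confirm those two now pass on Minix or add them back to T. T also stays set after SKIP_LTESTS="$(echo $T)"; this file is sourced by configure.sh, so a less generic name or an "unset T" would keep it from leaking into the caller.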
@@ -150,6 +184,15 @@ case "${TARGET_HOST}" in
 	;;
 esac
 
+# Unless specified otherwise, build without OpenSSL on Mac OS since
+# modern versions don't ship with libcrypto.
+case "`./config.guess`" in
+*-darwin*)
+	LIBCRYPTOFLAGS="--without-openssl"
+	TEST_TARGET=t-exec
+	;;
+esac
+
 # If we have a local openssl/libressl, use that.
 if [ -z "${LIBCRYPTOFLAGS}" ]; then
 	# last-match
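Review bot: The comment says "Unless specified otherwise", but the *-darwin* branch assigns LIBCRYPTOFLAGS and TEST_TARGET unconditionally, overwriting anything an earlier case "$config" branch set. If an override is meant to be possible, guard the assignment with the same [ -z "${LIBCRYPTOFLAGS}" ] test used just below; otherwise reword the comment.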
@@ -167,4 +210,5 @@ if [ -x "$(which plink 2>/dev/null)" ]; then
 	export REGRESS_INTEROP_PUTTY
 fi
 
-export CC CFLAGS LTESTS SUDO TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS
+export CC CFLAGS LTESTS SUDO
+export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL
diff --git a/crypto/openssh/.github/configure.sh b/crypto/openssh/.github/configure.sh
index e098730f02d6..502bf5f0d407 100755
--- a/crypto/openssh/.github/configure.sh
+++ b/crypto/openssh/.github/configure.sh
@@ -2,5 +2,20 @@
 
 . .github/configs $1
 
-set -x
+printf "$ "
+
+if [ "x$CC" != "x" ]; then
+	printf "CC='$CC' "
+fi
+if [ "x$CFLAGS" != "x" ]; then
+	printf "CFLAGS='$CFLAGS' "
+fi
+if [ "x$CPPFLAGS" != "x" ]; then
+	printf "CPPFLAGS='$CPPFLAGS' "
+fi
+if [ "x$LDFLAGS" != "x" ]; then
+	printf "LDFLAGS='$LDFLAGS' "
+fi
+
+echo ./configure ${CONFIGFLAGS}
 ./configure ${CONFIGFLAGS}
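Review bot: The new printf lines for CC, CFLAGS, CPPFLAGS and LDFLAGS place the variable contents inside the printf format string, so a % or backslash in a flag value is interpreted instead of printed. Pass the value as an argument, e.g. printf "CFLAGS='%s' " "$CFLAGS". Also note that with "set -x" removed the log shows only this reconstructed command line, not what the shell actually executed, so the echo and the real ./configure invocation need to be kept in step by hand.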
diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
index 107c049c4175..ca37f8c5512f 100755
--- a/crypto/openssh/.github/setup_ci.sh
+++ b/crypto/openssh/.github/setup_ci.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-case $(./config.guess) in
+ . .github/configs $@
+
+case "`./config.guess`" in
 *-darwin*)
 	brew install automake
 	exit 0
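Review bot: The added line ". .github/configs $@" passes the arguments unquoted, so they are re-split and glob-expanded before configs sees them; use "$@", and drop the stray leading space. Because configs is now sourced before the *-darwin* check, anything it does (including its own config.guess call) also runs on the macOS path that previously went straight to "brew install automake".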
@@ -20,23 +22,30 @@ set -ex
 lsb_release -a
 
 if [ "${TARGETS}" = "kitchensink" ]; then
-	TARGETS="kerberos5 libedit pam sk selinux"
+	TARGETS="krb5 libedit pam sk selinux"
 fi
 
+for flag in $CONFIGFLAGS; do
+    case "$flag" in
+    --with-pam)		PACKAGES="${PACKAGES} libpam0g-dev" ;;
+    --with-libedit)	PACKAGES="${PACKAGES} libedit-dev" ;;
+    esac
+done
+
 for TARGET in $TARGETS; do
     case $TARGET in
-    default|without-openssl|without-zlib|c89)
+    default|without-openssl|without-zlib|c89|libedit|*pam)
         # nothing to do
         ;;
-    kerberos5)
-        PACKAGES="$PACKAGES heimdal-dev"
-        #PACKAGES="$PACKAGES libkrb5-dev"
-        ;;
-    libedit)
-        PACKAGES="$PACKAGES libedit-dev"
+    clang-*|gcc-*)
+        compiler=$(echo $TARGET | sed 's/-Werror//')
+        PACKAGES="$PACKAGES $compiler"
         ;;
-    *pam)
-        PACKAGES="$PACKAGES libpam0g-dev"
+    krb5)
+        PACKAGES="$PACKAGES libkrb5-dev"
+	;;
+    heimdal)
+        PACKAGES="$PACKAGES heimdal-dev"
         ;;
     sk)
         INSTALL_FIDO_PPA="yes"
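Review bot: Package selection is now split between two mechanisms: the new "for flag in $CONFIGFLAGS" loop maps --with-pam and --with-libedit to packages, while Kerberos headers are still chosen by the krb5 and heimdal target names. Either handle --with-kerberos5 in the flag loop as well or add a comment saying why it stays target-driven. Minor: the ";;" closing the krb5) case is tab-indented where its neighbours use spaces, and $TARGET is unquoted in the echo feeding sed.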
@@ -47,7 +56,13 @@ for TARGET in $TARGETS; do
         ;;
     hardenedmalloc)
         INSTALL_HARDENED_MALLOC=yes
-       ;;
+        ;;
+    musl)
+	PACKAGES="$PACKAGES musl-tools"
+	;;
+    tcmalloc)
+        PACKAGES="$PACKAGES libgoogle-perftools-dev"
+        ;;
     openssl-noec)
 	INSTALL_OPENSSL=OpenSSL_1_1_1k
 	SSLCONFOPTS="no-ec"
@@ -93,7 +108,7 @@ if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
     (cd ${HOME} &&
      git clone https://github.com/GrapheneOS/hardened_malloc.git &&
      cd ${HOME}/hardened_malloc &&
-     make -j2 && sudo cp libhardened_malloc.so /usr/lib/)
+     make -j2 && sudo cp out/libhardened_malloc.so /usr/lib/)
 fi
 
 if [ ! -z "${INSTALL_OPENSSL}" ]; then
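Review bot: The "git clone https://github.com/GrapheneOS/hardened_malloc.git" above the changed line builds whatever is at the tip of the default branch and installs the result into /usr/lib/ with sudo. Having to change the copy path to out/libhardened_malloc.so shows that upstream changes reach CI unannounced; check out a specific tag or commit after cloning so the library under test is reproducible.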
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
index 152ddaa4fba6..5ee896308478 100644
--- a/crypto/openssh/.github/workflows/c-cpp.yml
+++ b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -24,16 +24,28 @@ jobs:
           - { os: ubuntu-20.04, configs: valgrind-4 }
           - { os: ubuntu-20.04, configs: valgrind-unit }
           - { os: ubuntu-20.04, configs: c89 }
+          - { os: ubuntu-20.04, configs: clang-6.0 }
+          - { os: ubuntu-20.04, configs: clang-8 }
+          - { os: ubuntu-20.04, configs: clang-9 }
+          - { os: ubuntu-20.04, configs: clang-10 }
+          - { os: ubuntu-20.04, configs: clang-11 }
+          - { os: ubuntu-20.04, configs: clang-12-Werror }
+          - { os: ubuntu-20.04, configs: gcc-7 }
+          - { os: ubuntu-20.04, configs: gcc-8 }
+          - { os: ubuntu-20.04, configs: gcc-10 }
+          - { os: ubuntu-20.04, configs: gcc-11-Werror }
           - { os: ubuntu-20.04, configs: pam }
           - { os: ubuntu-20.04, configs: kitchensink }
           - { os: ubuntu-20.04, configs: hardenedmalloc }
+          - { os: ubuntu-20.04, configs: tcmalloc }
+          - { os: ubuntu-20.04, configs: musl }
           - { os: ubuntu-latest, configs: libressl-master }
           - { os: ubuntu-latest, configs: libressl-2.2.9 }
           - { os: ubuntu-latest, configs: libressl-2.8.3 }
           - { os: ubuntu-latest, configs: libressl-3.0.2 }
           - { os: ubuntu-latest, configs: libressl-3.2.6 }
           - { os: ubuntu-latest, configs: libressl-3.3.4 }
-          - { os: ubuntu-latest, configs: libressl-3.4.0 }
+          - { os: ubuntu-latest, configs: libressl-3.4.1 }
           - { os: ubuntu-latest, configs: openssl-master }
           - { os: ubuntu-latest, configs: openssl-noec }
           - { os: ubuntu-latest, configs: openssl-1.0.1 }
@@ -46,7 +58,8 @@ jobs:
           - { os: ubuntu-latest, configs: openssl-1.1.1_stable } # stable branch
           - { os: ubuntu-latest, configs: openssl-3.0 }          # stable branch
           - { os: ubuntu-18.04, configs: pam }
-          - { os: ubuntu-18.04, configs: kerberos5 }
+          - { os: ubuntu-18.04, configs: krb5 }
+          - { os: ubuntu-18.04, configs: heimdal }
           - { os: ubuntu-18.04, configs: libedit }
           - { os: ubuntu-18.04, configs: sk }
           - { os: ubuntu-18.04, configs: selinux }
@@ -63,6 +76,13 @@ jobs:
       run: autoreconf
     - name: configure
       run: ./.github/configure.sh ${{ matrix.configs }}
+    - name: save config
+      uses: actions/upload-artifact@v2
+      with:
+        name: ${{ matrix.os }}-${{ matrix.configs }}-config
+        path: config.h
+    - name: make clean
+      run: make clean
     - name: make
       run: make -j2
     - name: make tests
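Review bot: The new "save config" step references actions/upload-artifact@v2 by a movable tag; pinning third-party actions to a full commit SHA keeps a retagged release from changing what runs in this workflow. The added "make clean" between configure and make carries no comment on what stale objects it guards against in a fresh checkout; a one-line reason would help the next reader.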
diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml
index df6eca714fb5..09f7af939912 100644
--- a/crypto/openssh/.github/workflows/selfhosted.yml
+++ b/crypto/openssh/.github/workflows/selfhosted.yml
@@ -17,6 +17,7 @@ jobs:
       matrix:
         os:
           - ARM64
+          - alpine
           - bbone
           - dfly30
           - dfly48
@@ -26,7 +27,7 @@ jobs:
           - fbsd10
           - fbsd12
           - fbsd13
-          - hurd
+          # - hurd
           - minix3
           # - nbsd2
           - nbsd3
@@ -35,8 +36,8 @@ jobs:
           - nbsd9
           - obsd51
           - obsd67
-          - obsd68
           - obsd69
+          - obsd70
           - obsdsnap
           - openindiana
           # - rocky84
@@ -64,6 +65,7 @@ jobs:
           - { os: sol11,  configs: pam-krb5 }
           - { os: sol11,  configs: sol64 }
           # - { os: sol11,  configs: sol64-pam }
+          - { os: win10,  configs: cygwin-release }
     steps:
     - uses: actions/checkout@v2
     - name: autoreconf
@@ -74,10 +76,18 @@ jobs:
       run: vmstartup
     - name: configure
       run: vmrun ./.github/configure.sh ${{ matrix.configs }}
+    - name: save config
+      uses: actions/upload-artifact@v2
+      with:
+        name: ${{ matrix.os }}-${{ matrix.configs }}-config
+        path: config.h
+    - name: make clean
+      run: vmrun make clean
     - name: make
       run: vmrun make
     - name: make tests
       run: vmrun ./.github/run_test.sh ${{ matrix.configs }}
+      timeout-minutes: 300
     - name: save logs
       if: failure()
       uses: actions/upload-artifact@v2
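Review bot: "save config" uploads config.h from the runner's workspace, but configure runs inside the VM through vmrun. If the VM's source tree is not the same directory as the checkout, this step uploads nothing or a stale file; add a comment stating that the workspace is shared, or fetch the file through vmrun first. The timeout-minutes: 300 limit is applied only to "make tests", so "vmrun make" remains unbounded.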
diff --git a/crypto/openssh/.github/workflows/upstream.yml b/crypto/openssh/.github/workflows/upstream.yml
index f0493c12d7d5..b91083c65184 100644
--- a/crypto/openssh/.github/workflows/upstream.yml
+++ b/crypto/openssh/.github/workflows/upstream.yml
@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ obsdsnap, obsdsnap-i386, obsd69, obsd68 ]
+        os: [ obsdsnap, obsdsnap-i386 ]
         configs: [ default, without-openssl ]
     steps:
     - uses: actions/checkout@v2
@@ -31,6 +31,7 @@ jobs:
       run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install"
     - name: make tests
       run: vmrun "cd /usr/src/regress/usr.bin/ssh && make obj && make clean && if test '${{ matrix.configs }}' = 'without-openssl'; then make SUDO=sudo OPENSSL=no; else make SUDO=sudo; fi"
+      timeout-minutes: 300
     - name: save logs
       if: failure()
       uses: actions/upload-artifact@v2
diff --git a/crypto/openssh/.skipped-commit-ids b/crypto/openssh/.skipped-commit-ids
index 1de78172232a..c606eaee6c51 100644
--- a/crypto/openssh/.skipped-commit-ids
+++ b/crypto/openssh/.skipped-commit-ids
@@ -23,6 +23,7 @@ d9b910e412d139141b072a905e66714870c38ac0	Makefile.inc
 07b5031e9f49f2b69ac5e85b8da4fc9e393992a0	Makefile.inc
 cc12a9029833d222043aecd252d654965c351a69	moduli-gen Makefile
 7ac6c252d2a5be8fbad4c66d9d35db507c9dac5b	moduli update
+6b52cd2b637f3d29ef543f0ce532a2bce6d86af5	makefile change
 
 Old upstream tree:
 
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 9e660ec37ef3..c225b94dfd3e 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,13611 +1,11979 @@
-commit bf944e3794eff5413f2df1ef37cddf96918c6bde
+commit 166456cedad3962b83b848b1e9caf80794831f0f
 Author: Damien Miller <djm@mindrot.org>
-Date:   Mon Sep 27 00:03:19 2021 +1000
+Date:   Wed Feb 23 22:31:11 2022 +1100
 
-    initgroups needs grp.h
+    makedepend
 
-commit 8c5b5655149bd76ea21026d7fe73ab387dbc3bc7
+commit 32ebaa0dbca5d0bb86e384e72bebc153f48413e4
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Sep 26 14:01:11 2021 +0000
+Date:   Wed Feb 23 11:18:13 2022 +0000
 
-    upstream: openssh-8.8
+    upstream: avoid integer overflow of auth attempts (harmless, caught
     
-    OpenBSD-Commit-ID: 12357794602ac979eb7312a1fb190c453f492ec4
+    by monitor)
+    
+    OpenBSD-Commit-ID: 488ad570b003b21e0cd9e7a00349cfc1003b4d86
 
-commit f3cbe43e28fe71427d41cfe3a17125b972710455
+commit 6e0258c64c901753df695e06498b26f9f4812ea6
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Sep 26 14:01:03 2021 +0000
+Date:   Wed Feb 23 11:17:10 2022 +0000
 
-    upstream: need initgroups() before setresgid(); reported by anton@,
+    upstream: randomise the password used in fakepw
     
-    ok deraadt@
+    OpenBSD-Commit-ID: 34e159f73b1fbf0a924a9c042d8d61edde293947
+
+commit bf114d6f0a9df0b8369823d9a0daa6c72b0c4cc9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Feb 23 11:15:57 2022 +0000
+
+    upstream: use asprintf to construct .rhosts paths
     
-    OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
+    OpenBSD-Commit-ID: 8286e8d3d2c6ff916ff13d041d1713073f738a8b
 
-commit 8acaff41f7518be40774c626334157b1b1c5583c
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sun Sep 26 22:16:36 2021 +1000
+commit c07e154fbdc7285e9ec54e78d8a31f7325d43537
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Feb 23 11:07:09 2022 +0000
 
-    update version numbers for release
+    upstream: openssh-8.9
+    
+    OpenBSD-Commit-ID: 5c5f791c87c483cdab6d9266b43acdd9ca7bde0e
 
-commit d39039ddc0010baa91c70a0fa0753a2699bbf435
-Author: kn@openbsd.org <kn@openbsd.org>
-Date:   Sat Sep 25 09:40:33 2021 +0000
+commit bc16667b4a1c3cad7029304853c143a32ae04bd4
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Tue Feb 22 15:29:22 2022 +1100
 
-    upstream: RSA/SHA-1 is not used by default anymore
+    Extend select+rlimit sanbox test to include poll.
     
-    OK dtucker deraadt djm
+    POSIX specifies that poll() shall fail if "nfds argument is greater
+    than {OPEN_MAX}".  The setrlimit sandbox sets this to effectively zero
+    so this causes poll() to fail in the preauth privsep process.
     
-    OpenBSD-Commit-ID: 055c51a221c3f099dd75c95362f902da1b8678c6
+    This is likely the underlying cause for the previously observed similar
+    behaviour of select() on plaforms where it is implement in userspace on
+    top of poll().
 
-commit 9b2ee74e3aa8c461eb5552a6ebf260449bb06f7e
+commit 6520c488de95366be031d49287ed243620399e23
 Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Sep 24 11:08:03 2021 +1000
+Date:   Tue Feb 22 13:08:59 2022 +1100
 
-    Move the fgrep replacement to hostkey-rotate.sh.
-    
-    The fgrep replacement for buggy greps doesn't work in the sftp-glob test
-    so move it to just where we know it's needed.
+    Add Alpine Linux test VM.
 
-commit f7039541570d4b66d76e6f574544db176d8d5c02
+commit a4b325a3fc82d11e0f5d61f62e7fde29415f7afb
 Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Sep 24 08:04:14 2021 +1000
+Date:   Tue Feb 22 12:27:07 2022 +1100
 
-    Replacement function for buggy fgrep.
+    Include sys/param.h if present.
     
-    GNU (f)grep <=2.18, as shipped by FreeBSD<=12 and NetBSD<=9 will
-    occasionally fail to find ssh host keys in the hostkey-rotate test.
-    If we have those versions, use awk instead.
+    Needed for howmany() on MUSL systems such as Alpine.
 
-commit f6a660e5bf28a01962af87568e118a2d2e79eaa0
-Author: David Manouchehri <david.manouchehri@riseup.net>
-Date:   Thu Sep 23 17:03:18 2021 -0400
+commit 5a102e9cb287a43bd7dfe594b775a89a8e94697c
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Tue Feb 22 12:25:52 2022 +1100
 
-    Don't prompt for yes/no questions.
+    Only include sys/poll.h if we don't have poll.h.
+    
+    Prevents warnings on MUSL based systems such as Alpine.
 
-commit 7ed1a3117c09f8c3f1add35aad77d3ebe1b85b4d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Sep 20 06:53:56 2021 +0000
+commit 7c0d4ce911d5c58b6166b2db754a4e91f352adf5
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Feb 22 11:14:51 2022 +1100
 
-    upstream: fix missing -s in SYNOPSYS and usage() as well as a
+    disable agent-restrict test on minix3
     
-    capitalisation mistake; spotted by jmc@
+    Minix seems to have a platform-wide limit on the number of
+    select(2) syscalls that can be concurrently issued. This test
+    seems to exceed this limit.
     
-    OpenBSD-Commit-ID: 0ed8ee085c7503c60578941d8b45f3a61d4c9710
+    Refer to:
+    
+    https://github.com/Stichting-MINIX-Research-Foundation/minix/blob/R3.3.0/minix/servers/vfs/select.c#L114
+    https://github.com/Stichting-MINIX-Research-Foundation/minix/blob/R3.3.0/minix/servers/vfs/select.c#L30-L31
 
-commit 8c07170135dde82a26886b600a8bf6fb290b633d
+commit 81d33d8e3cf7ea5ce3a5653c6102b623e019428a
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Mon Feb 21 21:27:20 2022 +1100
+
+    Skip agent-getpeereid when running as root.
+
+commit fbd772570a25436a33924d91c164d2b24021f010
 Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Sep 20 04:02:13 2021 +0000
+Date:   Sun Feb 20 03:47:26 2022 +0000
 
-    upstream: Fix "Allocated port" debug message
+    upstream: Aproximate realpath on the expected output by deduping
     
-    for unix domain sockets. From peder.stray at gmail.com via github PR#272,
-    ok deraadt@
+    leading slashes. Fixes test failure when user's home dir is / which is
+    possible in some portable configurations.
     
-    OpenBSD-Commit-ID: 8d5ef3fbdcdd29ebb0792b5022a4942db03f017e
+    OpenBSD-Regress-ID: 53b8c53734f8893806961475c7106397f98d9f63
 
-commit 277d3c6adfb128b4129db08e3d65195d94b55fe7
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Sep 20 01:55:42 2021 +0000
+commit 336685d223a59f893faeedf0a562e053fd84058e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Sun Feb 20 13:30:52 2022 +1100
 
-    upstream: Switch scp back to use the old protocol by default, ahead of
-    
-    release. We'll wait a little longer for people to pick up sftp-server(8) that
-    supports the extension that scp needs for ~user paths to continue working in
-    SFTP protocol mode. Discussed with deraadt@
+    Really move DSA to end of list.
     
-    OpenBSD-Commit-ID: f281f603a705fba317ff076e7b11bcf2df941871
+    In commit ad16a84e syncing from OpenBSD, RSA was accidentally moved to
+    the end of the list instead of DSA.  Spotted by andrew at fyfe.gb.net.
 
-commit ace19b34cc15bea3482be90450c1ed0cd0dd0669
+commit 63bf4f49ed2fdf2da6f97136c9df0c8168546eb3
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Feb 18 12:12:21 2022 +1100
+
+    Add test configs for MUSL C library.
+
+commit f7fc6a43f1173e8b2c38770bf6cee485a562d03b
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Feb 17 22:54:19 2022 +1100
+
+    minix needs BROKEN_POLL too; chokes on /dev/null
+
+commit 667fec5d4fe4406745750a32f69b5d2e1a75e94b
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Sep 18 02:03:25 2021 +0000
+Date:   Thu Feb 17 10:58:27 2022 +0000
 
-    upstream: better error message for ~user failures when the
+    upstream: check for EINTR/EAGAIN failures in the rfd fast-path; caught
     
-    sftp-server lacks the expand-path extension; ok deraadt@
+    by dtucker's minix3 vm :) ok dtucker@
     
-    OpenBSD-Commit-ID: 9c1d965d389411f7e86f0a445158bf09b8f9e4bc
+    OpenBSD-Commit-ID: 2e2c895a3e82ef347aa6694394a76a438be91361
 
-commit 6b1238ba971ee722a310d95037b498ede5539c03
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Sep 16 15:22:22 2021 +0000
+commit 41417dbda9fb55a0af49a8236e3ef9d50d862644
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Thu Feb 17 22:05:29 2022 +1100
 
-    upstream: make some more scp-in-SFTP mode better match Unix idioms
-    
-    suggested by deraadt@
+    Comment hurd test, the VM is currently broken.
+
+commit b2aee35a1f0dc798339b3fcf96136da71b7e3f6d
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Feb 17 21:15:16 2022 +1100
+
+    find sk-dummy.so when build_dir != src_dir
     
-    OpenBSD-Commit-ID: 0f2439404ed4cf0b0be8bf49a1ee734836e1ac87
+    spotted by Corinna Vinschen; feedback & ok dtucker@
 
-commit e694f8ac4409931e67d08ac44ed251b20b10a957
+commit 62a2d4e50b2e89f2ef04576931895d5139a5d037
+Author: Damien Miller <djm@mindrot.org>
+Date:   Wed Feb 16 16:26:17 2022 +1100
+
+    update versions in preparation for 8.9 release
+
+commit dd6d3dded721ac653ea73c017325e5bfeeec837f
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Sep 16 15:11:19 2021 +0000
+Date:   Tue Feb 15 05:13:36 2022 +0000
 
-    upstream: allow log_stderr==2 to prefix log messages with argv[0]
+    upstream: document the unbound/host-bound options to
     
-    use this to make scp's SFTP mode error messages more scp-like
+    PubkeyAuthentication; spotted by HARUYAMA Seigo
     
-    prompted by and ok deraadt@
+    OpenBSD-Commit-ID: 298f681b66a9ecd498f0700082c7a6c46e948981
+
+commit df93529dd727fdf2fb290700cd4f1adb0c3c084b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Mon Feb 14 14:19:40 2022 +1100
+
+    Test if sshd accidentally acquires controlling tty
     
-    OpenBSD-Commit-ID: 0e821dbde423fc2280e47414bdc22aaa5b4e0733
+    When SSHD_ACQUIRES_CTTY is defined, test for the problematic behaviour
+    in the STREAMS code before activating the workaround.  ok djm@
 
-commit 8a7a06ee505cb833e613f74a07392e9296286c30
+commit 766176cfdbfd7ec38bb6118dde6e4daa0df34888
 Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Sep 17 13:03:31 2021 +1000
+Date:   Sat Feb 12 10:24:56 2022 +1100
 
-    Test against LibreSSL 3.2.6, 3.3.4, 3.4.0.
+    Add cygwin-release test config.
+    
+    This tests the flags used to build the cygwin release binaries.
 
-commit c25c84074a47f700dd6534995b4af4b456927150
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Thu Sep 16 05:36:03 2021 +0000
+commit b30698662b862f5397116d23688aac0764e0886e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Fri Feb 11 21:00:35 2022 +1100
 
-    upstream: missing space character in ssh -G output broke the
+    Move SSHD_ACQUIRES_CTTY workaround into compat.
     
-    t-sshcfgparse regression test; spotted by anton@
+    On some (most? all?) SysV based systems with STREAMS based ptys,
+    sshd could acquire a controlling terminal during pty setup when
+    it pushed the "ptem" module, due to what is probably a bug in
+    the STREAMS driver that's old enough to vote.  Because it was the
+    privileged sshd's controlling terminal, it was not available for
+    the user's session, which ended up without one.  This is known to
+    affect at least Solaris <=10, derivatives such as OpenIndiana and
+    several other SysV systems.  See bz#245 for the backstory.
     
-    OpenBSD-Commit-ID: bcc36fae2f233caac4baa8e58482da4aa350eed0
+    In the we past worked around that by not calling setsid in the
+    privileged sshd child, which meant it was not a session or process
+    group leader.  This solved controlling terminal problem because sshd
+    was not eligble to acquire one, but had other side effects such as
+    not cleaning up helper subprocesses in the SIGALRM handler since it
+    was not PG leader.  Recent cleanups in the signal handler uncovered
+    this, resulting in the LoginGraceTime timer not cleaning up privsep
+    unprivileged processes.
+    
+    This change moves the workaround into the STREAMS pty allocation code,
+    by allocating a sacrificial pty to act as sshd's controlling terminal
+    before allocating user ptys, so those are still available for users'
+    sessions.
+    
+    On the down side:
+     - this will waste a pty per ssh connection on affected platforms.
+    
+    On the up side:
+     - it makes the process group behaviour consistent between platforms.
+    
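Review bot: The entry for b30698662b ("Move SSHD_ACQUIRES_CTTY workaround into compat") describes a behaviour change with an operational cost that this import does not scope for its own platform. The entry says the workaround consumes one sacrificial pty per ssh connection, and that the earlier approach (not calling setsid in the privileged child) left privsep unprivileged processes uncleaned when the LoginGraceTime timer fired. Per the entries for b30698662b and df93529dd7, both apply only when SSHD_ACQUIRES_CTTY is defined, on SysV systems with STREAMS based ptys. Suggest stating in the commit message or release notes whether that define is set for this tree, so readers know whether the extra pty use and the changed process group behaviour are relevant to them. Minor style point: the imported text carries typos ("Aproximate", "In the we past", "eligble"); as these are upstream commit messages, leave them as imported rather than diverging from the vendor text.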
*** 37455 LINES SKIPPED ***