git: 50cb877af1fb - releng/12.4 - ssh: update to OpenSSH 9.1p1

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Mon, 31 Oct 2022 17:18:16 UTC
The branch releng/12.4 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=50cb877af1fb6de40baa305dca93afdbd4de6568

commit 50cb877af1fb6de40baa305dca93afdbd4de6568
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-10-19 14:27:11 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-10-31 17:15:47 +0000

    ssh: update to OpenSSH 9.1p1
    
    Release notes are available at https://www.openssh.com/txt/release-9.1
    
    9.1 contains fixes for three minor memory safety problems; these have
    already been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base
    system.
    
    Some highlights copied from the release notes:
    
    Potentially-incompatible changes
    --------------------------------
    
     * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
       are now first-match-wins to match other directives. Previously
       if an environment variable was multiply specified the last set
       value would have been used. bz3438
    
     * ssh-keygen(8): ssh-keygen -A (generate all default host key types)
       will no longer generate DSA keys, as these are insecure and have
       not been used by default for some years.
    
    New features
    ------------
    
     * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
       RSA key length. Keys below this length will be ignored for user
       authentication and for host authentication in sshd(8).
    
     * sftp-server(8): add a "users-groups-by-id@openssh.com" extension
       request that allows the client to obtain user/group names that
       correspond to a set of uids/gids.
    
     * sftp(1): use "users-groups-by-id@openssh.com" sftp-server
       extension (when available) to fill in user/group names for
       directory listings.
    
     * sftp-server(8): support the "home-directory" extension request
       defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
       a bit with the existing "expand-path@openssh.com", but some other
       clients support it.
    
     * ssh-keygen(1), sshd(8): allow certificate validity intervals,
       sshsig verification times and authorized_keys expiry-time options
       to accept dates in the UTC time zone in addition to the default
       of interpreting them in the system time zone. YYYYMMDD and
       YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
       with a 'Z' character.
    
       Also allow certificate validity intervals to be specified in raw
       seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
       is intended for use by regress tests and other tools that call
       ssh-keygen as part of a CA workflow. bz3468
    
     * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
       "/usr/libexec/sftp-server -el debug3"
    
     * ssh-keygen(1): allow the existing -U (use agent) flag to work
       with "-Y sign" operations, where it will be interpreted to require
       that the private keys are hosted in an agent; bz3429
    
    MFC after:      2 weeks
    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3)
    (cherry picked from commit ac5c465b9fdff74d1a73f63d157820887ff1787f)
    (cherry picked from commit 4aee71578a60981de9296451b7a995b180ae23db)
    
    Approved by:    re (gjb)
---
 crypto/openssh/.depend                             |     5 +-
 crypto/openssh/.git_allowed_signers                |     5 +
 crypto/openssh/.git_allowed_signers.asc            |    16 +
 crypto/openssh/.github/configs                     |    75 +-
 crypto/openssh/.github/configure.sh                |     2 +-
 crypto/openssh/.github/run_test.sh                 |    14 +
 crypto/openssh/.github/setup_ci.sh                 |    63 +-
 crypto/openssh/.github/workflows/c-cpp.yml         |    60 +-
 crypto/openssh/.github/workflows/selfhosted.yml    |    12 +-
 crypto/openssh/.github/workflows/upstream.yml      |    13 +-
 crypto/openssh/.skipped-commit-ids                 |     1 +
 crypto/openssh/ChangeLog                           | 15789 +++++++++----------
 crypto/openssh/INSTALL                             |     7 +-
 crypto/openssh/LICENCE                             |     1 +
 crypto/openssh/Makefile.in                         |    67 +-
 crypto/openssh/PROTOCOL                            |    65 +-
 crypto/openssh/PROTOCOL.agent                      |     6 +-
 crypto/openssh/PROTOCOL.key                        |    12 +-
 crypto/openssh/README                              |     2 +-
 crypto/openssh/README.md                           |     8 +-
 crypto/openssh/addr.c                              |     4 +-
 crypto/openssh/auth.c                              |   155 +-
 crypto/openssh/auth.h                              |    26 +-
 crypto/openssh/auth2-hostbased.c                   |     7 +-
 crypto/openssh/auth2-passwd.c                      |    10 +-
 crypto/openssh/auth2-pubkey.c                      |   357 +-
 crypto/openssh/auth2-pubkeyfile.c                  |   501 +
 crypto/openssh/authfd.c                            |     3 +-
 crypto/openssh/authfile.c                          |    19 +-
 crypto/openssh/channels.c                          |    43 +-
 crypto/openssh/channels.h                          |     4 +-
 crypto/openssh/cipher-ctr.c                        |   146 -
 crypto/openssh/cipher.c                            |    13 -
 crypto/openssh/clientloop.c                        |    14 +-
 crypto/openssh/compat.c                            |    15 +-
 crypto/openssh/config.h                            |    46 +-
 crypto/openssh/configure.ac                        |   317 +-
 crypto/openssh/contrib/redhat/openssh.spec         |     2 +-
 crypto/openssh/contrib/suse/openssh.spec           |     2 +-
 crypto/openssh/int32_minmax.inc                    |     0
 crypto/openssh/krl.c                               |     4 +-
 crypto/openssh/misc.c                              |    43 +-
 crypto/openssh/misc.h                              |     4 +-
 crypto/openssh/moduli                              |   801 +-
 crypto/openssh/moduli.5                            |     9 +-
 crypto/openssh/moduli.c                            |    14 +-
 crypto/openssh/monitor.c                           |     2 +-
 crypto/openssh/monitor_wrap.c                      |     2 +-
 crypto/openssh/monitor_wrap.h                      |     4 +-
 crypto/openssh/mux.c                               |    11 +-
 crypto/openssh/openbsd-compat/Makefile.in          |    10 +-
 crypto/openssh/openbsd-compat/arc4random.c         |   284 +-
 crypto/openssh/openbsd-compat/arc4random.h         |    79 +
 crypto/openssh/openbsd-compat/arc4random_uniform.c |    64 +
 crypto/openssh/openbsd-compat/bsd-asprintf.c       |     1 +
 crypto/openssh/openbsd-compat/bsd-getentropy.c     |    82 +
 crypto/openssh/openbsd-compat/bsd-misc.c           |    12 +
 crypto/openssh/openbsd-compat/bsd-timegm.c         |    82 +
 crypto/openssh/openbsd-compat/getcwd.c             |     5 +-
 crypto/openssh/openbsd-compat/openbsd-compat.h     |    23 +-
 crypto/openssh/openbsd-compat/openssl-compat.h     |    25 -
 crypto/openssh/packet.c                            |     4 +-
 crypto/openssh/readconf.c                          |    60 +-
 crypto/openssh/readconf.h                          |    12 +-
 crypto/openssh/readpass.c                          |     5 +-
 crypto/openssh/regress/agent-ptrace.sh             |     2 +-
 crypto/openssh/regress/envpass.sh                  |    67 +-
 crypto/openssh/regress/forward-control.sh          |    51 +-
 crypto/openssh/regress/misc/fuzz-harness/Makefile  |     5 +-
 .../regress/misc/fuzz-harness/authkeys_fuzz.cc     |    81 +
 crypto/openssh/regress/misc/sk-dummy/sk-dummy.c    |     2 +-
 crypto/openssh/regress/multiplex.sh                |    16 +-
 crypto/openssh/regress/scp.sh                      |    27 +-
 crypto/openssh/regress/scp3.sh                     |     6 +
 crypto/openssh/regress/sftp-cmds.sh                |     7 +-
 crypto/openssh/regress/test-exec.sh                |    41 +-
 .../openssh/regress/unittests/misc/test_convtime.c |    64 +-
 crypto/openssh/sandbox-capsicum.c                  |     4 +
 crypto/openssh/sandbox-seccomp-filter.c            |    15 +-
 crypto/openssh/scp.1                               |     5 +-
 crypto/openssh/scp.c                               |    12 +-
 crypto/openssh/servconf.c                          |    19 +-
 crypto/openssh/servconf.h                          |     3 +-
 crypto/openssh/serverloop.c                        |     5 +-
 crypto/openssh/sftp-client.c                       |   215 +-
 crypto/openssh/sftp-client.h                       |    26 +-
 crypto/openssh/sftp-common.c                       |    18 +-
 crypto/openssh/sftp-common.h                       |     5 +-
 crypto/openssh/sftp-server-main.c                  |     2 -
 crypto/openssh/sftp-server.c                       |    94 +-
 crypto/openssh/sftp-usergroup.c                    |   239 +
 crypto/openssh/sftp-usergroup.h                    |    25 +
 crypto/openssh/sftp.1                              |    11 +-
 crypto/openssh/sftp.c                              |   204 +-
 crypto/openssh/sk-api.h                            |     6 +-
 crypto/openssh/sk-usbhid.c                         |   115 +-
 crypto/openssh/ssh-add.c                           |     6 +-
 crypto/openssh/ssh-agent.c                         |    24 +-
 crypto/openssh/ssh-ed25519.c                       |     8 +-
 crypto/openssh/ssh-keygen.1                        |   224 +-
 crypto/openssh/ssh-keygen.c                        |   186 +-
 crypto/openssh/ssh-keyscan.1                       |    10 +-
 crypto/openssh/ssh-pkcs11-helper.8                 |    23 +-
 crypto/openssh/ssh-sk-helper.8                     |    23 +-
 crypto/openssh/ssh-sk-helper.c                     |     3 +-
 crypto/openssh/ssh-sk.c                            |     7 +-
 crypto/openssh/ssh-xmss.c                          |     4 +-
 crypto/openssh/ssh.1                               |    12 +-
 crypto/openssh/ssh.c                               |    30 +-
 crypto/openssh/ssh_config.5                        |    25 +-
 crypto/openssh/ssh_namespace.h                     |     3 +-
 crypto/openssh/sshbuf-getput-basic.c               |     2 +-
 crypto/openssh/sshbuf-getput-crypto.c              |     2 +-
 crypto/openssh/sshbuf.c                            |     9 +-
 crypto/openssh/sshbuf.h                            |     2 +-
 crypto/openssh/sshconnect.c                        |     6 +-
 crypto/openssh/sshconnect2.c                       |    74 +-
 crypto/openssh/sshd.8                              |    12 +-
 crypto/openssh/sshd.c                              |    34 +-
 crypto/openssh/sshd_config                         |     2 +-
 crypto/openssh/sshd_config.5                       |    24 +-
 crypto/openssh/sshkey.c                            |    96 +-
 crypto/openssh/sshkey.h                            |     3 +-
 crypto/openssh/sshlogin.c                          |     1 +
 crypto/openssh/version.h                           |     6 +-
 crypto/openssh/xmss_hash.c                         |     5 +-
 secure/lib/libssh/Makefile                         |     2 +-
 secure/usr.bin/sftp/Makefile                       |     3 +-
 secure/usr.sbin/sshd/Makefile                      |     2 +-
 129 files changed, 11441 insertions(+), 10373 deletions(-)

diff --git a/crypto/openssh/.depend b/crypto/openssh/.depend
index cd38d15f8f52..fca83a67c970 100644
--- a/crypto/openssh/.depend
+++ b/crypto/openssh/.depend
@@ -27,6 +27,7 @@ auth2-none.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-co
 auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h ssherr.h log.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h monitor_wrap.h misc.h servconf.h
 auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
 auth2-pubkey.o: pathnames.h uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h channels.h session.h sk-api.h
+auth2-pubkeyfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h log.h ssherr.h misc.h compat.h sshkey.h digest.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfile.h match.h
 auth2.o: digest.h
 auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h
 authfd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h compat.h log.h ssherr.h atomicio.h misc.h
@@ -39,7 +40,6 @@ cipher-aes.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-co
 cipher-aesctr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher-aesctr.h rijndael.h
 cipher-chachapoly-libcrypto.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 cipher-chachapoly.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h sshbuf.h cipher-chachapoly.h chacha.h poly1305.h
-cipher-ctr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 cipher.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h misc.h sshbuf.h ssherr.h digest.h openbsd-compat/openssl-compat.h
 cleanup.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h
 clientloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h packet.h dispatch.h sshbuf.h compat.h channels.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h
@@ -122,7 +122,8 @@ sftp-glob.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-com
 sftp-realpath.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 sftp-server-main.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h sftp.h misc.h xmalloc.h
 sftp-server.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h sshbuf.h ssherr.h log.h misc.h match.h uidswap.h sftp.h sftp-common.h
-sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ssherr.h pathnames.h misc.h utf8.h sftp.h sshbuf.h sftp-common.h sftp-client.h openbsd-compat/glob.h
+sftp-usergroup.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h log.h ssherr.h xmalloc.h sftp-common.h sftp-client.h openbsd-compat/glob.h sftp-usergroup.h
+sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ssherr.h pathnames.h misc.h utf8.h sftp.h sshbuf.h sftp-common.h sftp-client.h openbsd-compat/glob.h sftp-usergroup.h
 sk-usbhid.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 sntrup761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 srclimit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h addr.h canohost.h log.h ssherr.h misc.h srclimit.h xmalloc.h
diff --git a/crypto/openssh/.git_allowed_signers b/crypto/openssh/.git_allowed_signers
new file mode 100644
index 000000000000..0313c1ecd17f
--- /dev/null
+++ b/crypto/openssh/.git_allowed_signers
@@ -0,0 +1,5 @@
+dtucker@dtucker.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKecyjh9aNmD4rb8WblA8v91JjRb0Cd2JtkzqxcggGeG
+djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBLnJo3ZVDENYZGXm5uO9lU7b0iDFq5gHpTu1MaHPWTEfPdvw+AjFQQ/q5YizuMJkXGsMdYmblJEJZYHpm9IS7ZkAAAAEc3NoOg==
+djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBJoAXBTQalfg+kC5wy1vE7HkIHtVnmV6AUuuIo9KQ1P+70juHwvsFKpsGaqQbrHJkTVgYDGVP02XHj8+Fb18yBIAAAAEc3NoOg==
+djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBH+z1I48s6ydOhP5SJmI02zVCLf0K15B+UMHgoTIKVfUIv5oDoVX7e9f+7QiRmTeEOdZfQydiaVqsfi7qPSve+0AAAAEc3NoOg==
+djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBPM4BmUg/fMnsl42JwktTekk/mB8Be3M+yK2ayg6lqYsqEri8yhRx84gey51OHKVk1TwlGbJjcMHI4URreDBEMQAAAAEc3NoOg==
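Review bot: None of the five entries in the new .git_allowed_signers carries an options field between the principal and the key type, so each key is accepted for every signature namespace rather than only for git commit and tag signatures. Adding namespaces="git" to each line would scope them. Since djm@mindrot.org appears four times with different sk-ecdsa-sha2-nistp256@openssh.com keys, a # comment line above each entry identifying the token would make later rotation or removal easier to review.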
diff --git a/crypto/openssh/.git_allowed_signers.asc b/crypto/openssh/.git_allowed_signers.asc
new file mode 100644
index 000000000000..5fc6118ca9a6
--- /dev/null
+++ b/crypto/openssh/.git_allowed_signers.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=kgnS
+-----END PGP SIGNATURE-----
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
index 871a3d414d94..6bf1ab27f0ca 100755
--- a/crypto/openssh/.github/configs
+++ b/crypto/openssh/.github/configs
@@ -10,6 +10,8 @@
 
 config=$1
 
+unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
+
 TEST_TARGET="tests"
 LTESTS=""
 SKIP_LTESTS=""
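Review bot: the new unset list at the top of the script leaves out CONFIGFLAGS, yet the *-sanitize-undefined arm added further down never assigns it before CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep" runs. Unless CONFIGFLAGS is initialised in lines not shown here, a value inherited from the caller's environment ends up on the configure command line; add it to the unset list or set it to "" next to TEST_TARGET.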
@@ -32,7 +34,9 @@ case "$config" in
 	TEST_TARGET=t-exec
 	;;
     cygwin-release)
-	CONFIGFLAGS="--with-libedit --with-xauth=/usr/bin/xauth --disable-strip --with-security-key-builtin"
+	# See https://cygwin.com/git/?p=git/cygwin-packages/openssh.git;a=blob;f=openssh.cygport;hb=HEAD
+	CONFIGFLAGS="--with-xauth=/usr/bin/xauth --with-security-key-builtin"
+	CONFIGFLAGS="$CONFIGFLAGS --with-kerberos5=/usr --with-libedit --disable-strip"
 	;;
    clang-12-Werror)
 	CC="clang-12"
@@ -41,6 +45,57 @@ case "$config" in
 	CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
 	CONFIGFLAGS="--with-pam --with-Werror"
 	;;
+    *-sanitize-*)
+	case "$config" in
+	gcc-*)
+		CC=gcc
+		;;
+	clang-*)
+		# Find the newest available version of clang
+		for i in `seq 10 99`; do
+		    clang="`which clang-$i 2>/dev/null`"
+		    [ -x "$clang" ] && CC="$clang"
+		done
+		;;
+	esac
+	# Put Sanitizer logs in regress dir.
+	SANLOGS=`pwd`/regress
+	# - We replace chroot with chdir so that the sanitizer in the preauth
+	#   privsep process can read /proc.
+	# - clang does not recognizes explicit_bzero so we use bzero
+	#   (see https://github.com/google/sanitizers/issues/1507
+	# - openssl and zlib trip ASAN.
+	# - sp_pwdp returned by getspnam trips ASAN, hence disabling shadow.
+	case "$config" in
+	*-sanitize-address)
+	    CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
+	    LDFLAGS="-fsanitize=address"
+	    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -D_FORTIFY_SOURCE=0 -DASAN_OPTIONS=\"detect_leaks=0:log_path='$SANLOGS'/asan.log\"'
+	    CONFIGFLAGS=""
+	    TEST_TARGET="t-exec"
+	    ;;
+	clang-sanitize-memory)
+	    CFLAGS="-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer"
+	    LDFLAGS="-fsanitize=memory"
+	    CPPFLAGS='-Dchroot=chdir -Dexplicit_bzero=bzero -DMSAN_OPTIONS=\"log_path='$SANLOGS'/msan.log\"'
+	    CONFIGFLAGS="--without-openssl --without-zlib --without-shadow"
+	    TEST_TARGET="t-exec"
+	    ;;
+	*-sanitize-undefined)
+	    CFLAGS="-fsanitize=undefined"
+	    LDFLAGS="-fsanitize=undefined"
+	    ;;
+	*)
+	     echo unknown sanitize option;
+	     exit 1;;
+	esac
+	features="--disable-security-key --disable-pkcs11"
+	hardening="--without-sandbox --without-hardening --without-stackprotect"
+	privsep="--with-privsep-user=root"
+	CONFIGFLAGS="$CONFIGFLAGS $features $hardening $privsep"
+	# Because we hobble chroot we can't test it.
+	SKIP_LTESTS=sftp-chroot
+	;;
     gcc-11-Werror)
 	CC="gcc"
 	# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
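Review bot: in the clang-* arm, the seq 10 99 loop leaves CC empty when no clang-N binary is found, because CC was unset at the top of the script; the build then goes ahead with whatever compiler configure picks, and a job named clang-sanitize-* can pass without clang. Fail explicitly after the loop, for example [ -n "$CC" ] || { echo no clang found; exit 1; }. Two smaller points: the comment "(see https://github.com/google/sanitizers/issues/1507" is missing its closing parenthesis, and the comment block should say that -Dchroot=chdir, --without-sandbox and --with-privsep-user=root mean these jobs do not exercise the chroot, sandbox or unprivileged privsep paths.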
@@ -107,14 +162,15 @@ case "$config" in
 	# Valgrind slows things down enough that the agent timeout test
 	# won't reliably pass, and the unit tests run longer than allowed
 	# by github so split into three separate tests.
-	tests2="rekey integrity try-ciphers sftp"
-	tests3="krl forward-control sshsig agent-restrict kextype"
+	tests2="rekey integrity try-ciphers"
+	tests3="krl forward-control sshsig agent-restrict kextype sftp"
 	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
 	case "$config" in
 	    valgrind-1)
 		# All tests except agent-timeout (which is flaky under valgrind)
-		#) and slow ones that run separately to increase parallelism.
-		SKIP_LTESTS="agent-timeout ${tests2} ${tests3} ${tests4}"
+		# and hostbased (since valgrind won't let ssh exec keysign).
+		# Slow ones are run separately to increase parallelism.
+		SKIP_LTESTS="agent-timeout hostbased ${tests2} ${tests3} ${tests4}"
 		;;
 	    valgrind-2)
 		LTESTS="${tests2}"
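Review bot: kextype appears in both tests3 (changed here) and tests4 (unchanged context), so it is presumably run in two of the valgrind shards. Since this hunk is rebalancing the lists to stay inside the time limit, drop it from one of them.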
@@ -201,10 +257,13 @@ case "${TARGET_HOST}" in
 	;;
 esac
 
-# Unless specified otherwise, build without OpenSSL on Mac OS since
-# modern versions don't ship with libcrypto.
 case "`./config.guess`" in
+*cygwin)
+	SUDO=""
+	;;
 *-darwin*)
+	# Unless specified otherwise, build without OpenSSL on Mac OS since
+	# modern versions don't ship with libcrypto.
 	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET=t-exec
 	;;
@@ -227,5 +286,5 @@ if [ -x "$(which plink 2>/dev/null)" ]; then
 	export REGRESS_INTEROP_PUTTY
 fi
 
-export CC CFLAGS LTESTS SUDO
+export CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
 export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL
diff --git a/crypto/openssh/.github/configure.sh b/crypto/openssh/.github/configure.sh
index 502bf5f0d407..bd0037702d6a 100755
--- a/crypto/openssh/.github/configure.sh
+++ b/crypto/openssh/.github/configure.sh
@@ -18,4 +18,4 @@ if [ "x$LDFLAGS" != "x" ]; then
 fi
 
 echo ./configure ${CONFIGFLAGS}
-./configure ${CONFIGFLAGS}
+./configure ${CONFIGFLAGS} 2>&1
diff --git a/crypto/openssh/.github/run_test.sh b/crypto/openssh/.github/run_test.sh
index adf2568ad1e2..8eeaf5e9b09d 100755
--- a/crypto/openssh/.github/run_test.sh
+++ b/crypto/openssh/.github/run_test.sh
@@ -6,6 +6,20 @@
 
 set -ex
 
+# If we want to test hostbased auth, set up the host for it.
+if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
+    sshconf=/usr/local/etc
+    hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
+    echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null
+    $SUDO mkdir -p $sshconf
+    $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf
+    $SUDO make install
+    for key in $sshconf/ssh_host*key*.pub; do
+        echo `hostname` `cat $key` | \
+            $SUDO tee -a $sshconf/ssh_known_hosts >/dev/null
+    done
+fi
+
 output_failed_logs() {
     for i in regress/failed*; do
         if [ -f "$i" ]; then
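Review bot: the hostbased setup writes $sshconf/shosts.equiv and $sshconf/ssh_config with tee before $SUDO mkdir -p $sshconf runs, so under set -ex the script aborts on a host where /usr/local/etc does not exist yet; move the mkdir to the top of the block. The block also copies the machine's /etc/ssh/ssh_host*key* files and runs make install, so a comment stating that it is meant for disposable CI runners only, and is gated on both SUDO and TEST_SSH_HOSTBASED_AUTH, would help anyone who runs the script by hand.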
diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
index a3bb8587eab1..044c4d1292b1 100755
--- a/crypto/openssh/.github/setup_ci.sh
+++ b/crypto/openssh/.github/setup_ci.sh
@@ -1,17 +1,30 @@
 #!/bin/sh
 
+PACKAGES=""
+
  . .github/configs $@
 
 case "`./config.guess`" in
+*cygwin)
+	PACKAGER=setup
+	echo Setting CYGWIN sustem environment variable.
+	setx CYGWIN "binmode"
+	chmod -R go-rw /cygdrive/d/a
+	umask 077
+	PACKAGES="$PACKAGES,autoconf,automake,cygwin-devel,gcc-core"
+	PACKAGES="$PACKAGES,make,openssl-devel,zlib-devel"
+	;;
 *-darwin*)
+	PACKAGER=brew
 	brew install automake
 	exit 0
 	;;
+*)
+	PACKAGER=apt
 esac
 
 TARGETS=$@
 
-PACKAGES=""
 INSTALL_FIDO_PPA="no"
 export DEBIAN_FRONTEND=noninteractive
 
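Review bot: in the *cygwin arm PACKAGES is built comma-separated and, because it starts empty, with a leading comma (",autoconf,automake,..."), whereas every later addition in this script appends with spaces and the install step converts spaces to commas with tr. Appending with spaces here too keeps one convention and avoids the empty first element. Also: "sustem" in the echo should be "system", the new *) arm has no terminating ;;, and chmod -R go-rw /cygdrive/d/a hard-codes a runner path with no comment explaining why it is needed.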
@@ -19,7 +32,17 @@ export DEBIAN_FRONTEND=noninteractive
 
 set -ex
 
-lsb_release -a
+if [ -x "`which lsb_release 2>&1`" ]; then
+	lsb_release -a
+fi
+
+# Ubuntu 22.04 defaults to private home dirs which prevent the
+# agent-getpeerid test from running ssh-add as nobody.  See
+# https://github.com/actions/runner-images/issues/6106
+if [ ! -z "$SUDO" ] && ! "$SUDO" -u nobody test -x ~; then
+	echo ~ is not executable by nobody, adding perms.
+	chmod go+x ~
+fi
 
 if [ "${TARGETS}" = "kitchensink" ]; then
 	TARGETS="krb5 libedit pam sk selinux"
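Review bot: "$SUDO" is quoted as a single word in ! "$SUDO" -u nobody test -x ~, while run_test.sh expands $SUDO unquoted; if SUDO ever carries an option, the quoted form fails to execute and the negation then takes the chmod branch regardless of the real permissions. Use the unquoted form for consistency. chmod go+x ~ also opens the directory to the group; if nobody only reaches it through the "other" bits, o+x is the narrower change.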
@@ -27,16 +50,24 @@ fi
 
 for flag in $CONFIGFLAGS; do
     case "$flag" in
-    --with-pam)		PACKAGES="${PACKAGES} libpam0g-dev" ;;
-    --with-libedit)	PACKAGES="${PACKAGES} libedit-dev" ;;
+    --with-pam)		TARGETS="${TARGETS} pam" ;;
+    --with-libedit)	TARGETS="${TARGETS} libedit" ;;
     esac
 done
 
 for TARGET in $TARGETS; do
     case $TARGET in
-    default|without-openssl|without-zlib|c89|libedit|*pam)
+    default|without-openssl|without-zlib|c89)
         # nothing to do
         ;;
+    clang-sanitize*)
+        PACKAGES="$PACKAGES clang-12"
+        ;;
+    cygwin-release)
+        PACKAGES="$PACKAGES libcrypt-devel libfido2-devel libkrb5-devel"
+        ;;
+    gcc-sanitize*)
+        ;;
     clang-*|gcc-*)
         compiler=$(echo $TARGET | sed 's/-Werror//')
         PACKAGES="$PACKAGES $compiler"
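Review bot: the clang-sanitize* arm installs clang-12, but .github/configs picks the compiler by looping over clang-10 through clang-99 and keeping the highest one present, so the sanitizer jobs use clang-12 only when the runner image has nothing newer. Either set CC to the version installed here or drop the fixed package and document that the image's newest clang is intended. The empty gcc-sanitize*) arm should carry a "# nothing to do" comment like the arm above it.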
@@ -47,6 +78,15 @@ for TARGET in $TARGETS; do
     heimdal)
         PACKAGES="$PACKAGES heimdal-dev"
         ;;
+    libedit)
+	case "$PACKAGER" in
+	setup)	PACKAGES="$PACKAGES libedit-devel" ;;
+	apt)	PACKAGES="$PACKAGES libedit-dev" ;;
+	esac
+        ;;
+    *pam)
+        PACKAGES="$PACKAGES libpam0g-dev"
+        ;;
     sk)
         INSTALL_FIDO_PPA="yes"
         PACKAGES="$PACKAGES libfido2-dev libu2f-host-dev libcbor-dev"
@@ -99,9 +139,16 @@ if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
     sudo apt-add-repository -y ppa:yubico/stable
 fi
 
-if [ "x" != "x$PACKAGES" ]; then 
-    sudo apt update -qq
-    sudo apt install -qy $PACKAGES
+if [ "x" != "x$PACKAGES" ]; then
+    case "$PACKAGER" in
+    apt)
+	sudo apt update -qq
+	sudo apt install -qy $PACKAGES
+	;;
+    setup)
+	/cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`
+	;;
+    esac
 fi
 
 if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
index b778c9804203..3cd1188fc572 100644
--- a/crypto/openssh/.github/workflows/c-cpp.yml
+++ b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -2,9 +2,11 @@ name: C/C++ CI
 
 on:
   push:
-    branches: [ master, ci ]
+    branches: [ master, ci, V_9_0 ]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', 'Makefile.in', 'configure.ac' ]
   pull_request:
     branches: [ master ]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', 'Makefile.in', 'configure.ac' ]
 
 jobs:
   ci:
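Review bot: the new paths filters list 'Makefile.in' and 'configure.ac' without a ** prefix, and GitHub matches such entries against the path from the repository root, so a change to a Makefile or Makefile.in in a subdirectory, or to any file type not listed, no longer triggers this workflow. If that is intended, say so in a comment above paths; otherwise use '**/Makefile.in' and add the missing patterns. The same list is duplicated under push and pull_request and has to be kept in sync by hand.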
@@ -13,11 +15,13 @@ jobs:
       fail-fast: false
       matrix:
         # First we test all OSes in the default configuration.
-        os: [ubuntu-20.04, ubuntu-18.04, macos-10.15, macos-11.0]
+        os: [ubuntu-20.04, ubuntu-22.04, macos-11, macos-12, windows-2019, windows-2022]
         configs: [default]
         # Then we include any extra configs we want to test for specific VMs.
         # Valgrind slows things down quite a bit, so start them first.
         include:
+          - { os: windows-2019, configs: cygwin-release }
+          - { os: windows-2022, configs: cygwin-release }
           - { os: ubuntu-20.04, configs: valgrind-1 }
           - { os: ubuntu-20.04, configs: valgrind-2 }
           - { os: ubuntu-20.04, configs: valgrind-3 }
@@ -30,6 +34,10 @@ jobs:
           - { os: ubuntu-20.04, configs: clang-10 }
           - { os: ubuntu-20.04, configs: clang-11 }
           - { os: ubuntu-20.04, configs: clang-12-Werror }
+          - { os: ubuntu-20.04, configs: clang-sanitize-address }
+          - { os: ubuntu-20.04, configs: clang-sanitize-undefined }
+          - { os: ubuntu-20.04, configs: gcc-sanitize-address }
+          - { os: ubuntu-20.04, configs: gcc-sanitize-undefined }
           - { os: ubuntu-20.04, configs: gcc-7 }
           - { os: ubuntu-20.04, configs: gcc-8 }
           - { os: ubuntu-20.04, configs: gcc-10 }
@@ -44,9 +52,9 @@ jobs:
           - { os: ubuntu-latest, configs: libressl-2.8.3 }
           - { os: ubuntu-latest, configs: libressl-3.0.2 }
           - { os: ubuntu-latest, configs: libressl-3.2.6 }
-          - { os: ubuntu-latest, configs: libressl-3.3.4 }
-          - { os: ubuntu-latest, configs: libressl-3.4.1 }
-          - { os: ubuntu-latest, configs: libressl-3.5.0 }
+          - { os: ubuntu-latest, configs: libressl-3.3.6 }
+          - { os: ubuntu-latest, configs: libressl-3.4.3 }
+          - { os: ubuntu-latest, configs: libressl-3.5.3 }
           - { os: ubuntu-latest, configs: openssl-master }
           - { os: ubuntu-latest, configs: openssl-noec }
           - { os: ubuntu-latest, configs: openssl-1.0.1 }
@@ -55,30 +63,37 @@ jobs:
           - { os: ubuntu-latest, configs: openssl-1.1.0h }
           - { os: ubuntu-latest, configs: openssl-1.1.1 }
           - { os: ubuntu-latest, configs: openssl-1.1.1k }
-          - { os: ubuntu-latest, configs: openssl-1.1.1m }
+          - { os: ubuntu-latest, configs: openssl-1.1.1n }
+          - { os: ubuntu-latest, configs: openssl-1.1.1p }
           - { os: ubuntu-latest, configs: openssl-3.0.0 }
-          - { os: ubuntu-latest, configs: openssl-3.0.1 }
+          - { os: ubuntu-latest, configs: openssl-3.0.5 }
           - { os: ubuntu-latest, configs: openssl-1.1.1_stable } # stable branch
           - { os: ubuntu-latest, configs: openssl-3.0 }          # stable branch
-          - { os: ubuntu-18.04, configs: pam }
-          - { os: ubuntu-18.04, configs: krb5 }
-          - { os: ubuntu-18.04, configs: heimdal }
-          - { os: ubuntu-18.04, configs: libedit }
-          - { os: ubuntu-18.04, configs: sk }
-          - { os: ubuntu-18.04, configs: selinux }
-          - { os: ubuntu-18.04, configs: kitchensink }
-          - { os: ubuntu-18.04, configs: without-openssl }
-          - { os: macos-10.15,  configs: pam }
-          - { os: macos-11.0,   configs: pam }
+          - { os: ubuntu-22.04, configs: pam }
+          - { os: ubuntu-22.04, configs: krb5 }
+          - { os: ubuntu-22.04, configs: heimdal }
+          - { os: ubuntu-22.04, configs: libedit }
+          - { os: ubuntu-22.04, configs: sk }
+          - { os: ubuntu-22.04, configs: selinux }
+          - { os: ubuntu-22.04, configs: kitchensink }
+          - { os: ubuntu-22.04, configs: without-openssl }
+          - { os: macos-11, configs: pam }
+          - { os: macos-12, configs: pam }
     runs-on: ${{ matrix.os }}
     steps:
+    - name: set cygwin git params
+      if: ${{ startsWith(matrix.os, 'windows') }}
+      run: git config --global core.autocrlf input
+    - name: install cygwin
+      if: ${{ startsWith(matrix.os, 'windows') }}
+      uses: cygwin/cygwin-install-action@master
     - uses: actions/checkout@v2
     - name: setup CI system
-      run: ./.github/setup_ci.sh ${{ matrix.configs }}
+      run: sh ./.github/setup_ci.sh ${{ matrix.configs }}
     - name: autoreconf
-      run: autoreconf
+      run: sh -c autoreconf
     - name: configure
-      run: ./.github/configure.sh ${{ matrix.configs }}
+      run: sh ./.github/configure.sh ${{ matrix.configs }}
     - name: save config
       uses: actions/upload-artifact@v2
       with:
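Review bot: cygwin/cygwin-install-action@master in the new "install cygwin" step tracks a mutable branch of a third-party action, so the code that runs in the Windows jobs can change without any commit to this repository. Pin it to a release tag or, better, a full commit SHA, and note in a comment which version that SHA corresponds to.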
@@ -89,9 +104,10 @@ jobs:
     - name: make
       run: make -j2
     - name: make tests
-      run: ./.github/run_test.sh ${{ matrix.configs }}
+      run: sh ./.github/run_test.sh ${{ matrix.configs }}
       env:
         TEST_SSH_UNSAFE_PERMISSIONS: 1
+        TEST_SSH_HOSTBASED_AUTH: yes
     - name: save logs
       if: failure()
       uses: actions/upload-artifact@v2
@@ -102,3 +118,5 @@ jobs:
           config.log
           regress/*.log
           regress/valgrind-out/
+          regress/asan.log.*
+          regress/msan.log.*
diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml
index ec2c29825c85..c4bd1d9b24f7 100644
--- a/crypto/openssh/.github/workflows/selfhosted.yml
+++ b/crypto/openssh/.github/workflows/selfhosted.yml
@@ -2,7 +2,8 @@ name: C/C++ CI self-hosted
 
 on:
   push:
-    branches: [ master, ci ]
+    branches: [ master, ci, V_9_0 ]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', 'Makefile.in', 'configure.ac' ]
 
 jobs:
   selfhosted:
@@ -17,15 +18,15 @@ jobs:
       matrix:
         os:
           - aix51
+          - ARM
           - ARM64
           - alpine
-          - bbone
           - debian-i386
+          - debian-riscv64
           - dfly30
           - dfly48
           - dfly58
           - dfly60
-          - fbsd6
           - fbsd10
           - fbsd12
           - fbsd13
@@ -58,7 +59,6 @@ jobs:
           - { os: dfly48, configs: pam }
           - { os: dfly58, configs: pam }
           - { os: dfly60, configs: pam }
-          - { os: fbsd6,  configs: pam }
           - { os: fbsd10, configs: pam }
           - { os: fbsd12, configs: pam }
           - { os: fbsd13, configs: pam }
@@ -72,11 +72,11 @@ jobs:
           # - { os: sol11,  configs: sol64-pam }
           - { os: win10,  configs: cygwin-release }
     steps:
+    - name: shutdown VM if running
+      run: vmshutdown
     - uses: actions/checkout@v2
     - name: autoreconf
       run: autoreconf
-    - name: shutdown VM if running
-      run: vmshutdown
     - name: startup VM
       run: vmstartup
     - name: configure
diff --git a/crypto/openssh/.github/workflows/upstream.yml b/crypto/openssh/.github/workflows/upstream.yml
index b91083c65184..3cec069ede74 100644
--- a/crypto/openssh/.github/workflows/upstream.yml
+++ b/crypto/openssh/.github/workflows/upstream.yml
@@ -3,6 +3,7 @@ name: Upstream self-hosted
 on:
   push:
     branches: [ master, ci ]
+    paths: [ '**.c', '**.h', '.github/**' ]
 
 jobs:
   selfhosted:
@@ -14,7 +15,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ obsdsnap, obsdsnap-i386 ]
-        configs: [ default, without-openssl ]
+        configs: [ default, without-openssl, ubsan ]
     steps:
     - uses: actions/checkout@v2
     - name: shutdown VM if running
@@ -24,13 +25,15 @@ jobs:
     - name: update source
       run: vmrun "cd /usr/src && cvs up -dPA usr.bin/ssh regress/usr.bin/ssh"
     - name: make clean
-      run: vmrun "cd /usr/src/usr.bin/ssh && make obj && make clean"
+      run: vmrun "cd /usr/src/usr.bin/ssh && make obj && make clean && cd /usr/src/regress/usr.bin/ssh && make obj && make clean"
     - name: make
-      run: vmrun "cd /usr/src/usr.bin/ssh && if test '${{ matrix.configs }}' = 'without-openssl'; then make OPENSSL=no; else make; fi"
+      run: vmrun "cd /usr/src/usr.bin/ssh && case ${{ matrix.configs }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
     - name: make install
       run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install"
-    - name: make tests
-      run: vmrun "cd /usr/src/regress/usr.bin/ssh && make obj && make clean && if test '${{ matrix.configs }}' = 'without-openssl'; then make SUDO=sudo OPENSSL=no; else make SUDO=sudo; fi"
+    - name: make tests`
+      run: vmrun "cd /usr/src/regress/usr.bin/ssh && case ${{ matrix.configs }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
+      env:
+        SUDO: sudo
       timeout-minutes: 300
     - name: save logs
       if: failure()
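Review bot: the step name "make tests`" has picked up a stray trailing backtick. More importantly, SUDO=sudo was removed from the make command line that runs inside vmrun and is now set through env: on the step; that sets it for the runner-side process, and it reaches make inside the VM only if vmrun forwards the environment, which nothing in this workflow shows. If it is not forwarded, the regress suite runs without sudo and the privileged tests are skipped or fail; keep SUDO=sudo on the make command line or document that vmrun passes it through.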
diff --git a/crypto/openssh/.skipped-commit-ids b/crypto/openssh/.skipped-commit-ids
index c606eaee6c51..b639678939dd 100644
--- a/crypto/openssh/.skipped-commit-ids
+++ b/crypto/openssh/.skipped-commit-ids
@@ -24,6 +24,7 @@ d9b910e412d139141b072a905e66714870c38ac0	Makefile.inc
 cc12a9029833d222043aecd252d654965c351a69	moduli-gen Makefile
 7ac6c252d2a5be8fbad4c66d9d35db507c9dac5b	moduli update
 6b52cd2b637f3d29ef543f0ce532a2bce6d86af5	makefile change
+f9a0726d957cf10692a231996a1f34e7f9cdfeb0	moduli update
 
 Old upstream tree:
 
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 063b54769d53..02e11b023ca0 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,11889 +1,11314 @@
-commit 94eb6858efecc1b4f02d8a6bd35e149f55c814c8
+commit 0ffb46f2ee2ffcc4daf45ee679e484da8fcf338c
 Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Apr 6 10:47:48 2022 +1000
+Date:   Tue Oct 4 01:51:42 2022 +1100
 
-    update version numbers for release
+    update .depend
 
-commit 8e4a8eadf4fe74e65e6492f34250f8cf7d67e8da
+commit 657e676ff696c7bb787bffb0e249ea1be3b474e1
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Oct 4 01:45:52 2022 +1100
+
+    update release notes URL
+
+commit f059da2b29840c0f048448809c317ce2ae014da7
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Oct 4 01:45:41 2022 +1100
+
+    crank versions in RPM spec files
+
+commit b51f3f172d87cbdb80ca4eb7b2149e56a7647557
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Apr 4 22:45:25 2022 +0000
+Date:   Mon Sep 26 22:18:40 2022 +0000
 
-    upstream: openssh-9.0
+    upstream: openssh-9.1
     
-    OpenBSD-Commit-ID: 0dfb461188f4513ec024c1534da8c1ce14c20b64
+    OpenBSD-Commit-ID: 5a467b2ee81da01a86adf1ad93b62b1728494e56
 
-commit a9f23ea2e3227f406880c2634d066f6f50fa5eaa
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date:   Thu Mar 31 17:58:44 2022 +0000
+commit 4cf8d0c0f3030f594a238bab21a0695735515487
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Wed Sep 21 22:26:50 2022 +0000
 
-    upstream: ssh: document sntrup761x25519-sha512@openssh.com as
-    
-    default KEX
+    upstream: Fix typo. From AlexanderStohr via github PR#343.
     
-    OpenBSD-Commit-ID: 12545bfa10bcbf552d04d9d9520d0f4e98b0e171
+    OpenBSD-Commit-ID: a134c9b4039e48803fc6a87f955b0f4a03181497
 
-commit 9ec2713d122af79d66ebb9c1d6d9ae8621a8945f
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date:   Thu Mar 31 17:27:27 2022 +0000
+commit 8179fed3264d5919899900ed8881d5f9bb57ca33
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Sep 19 21:39:16 2022 +0000
 
-    upstream: man pages: add missing commas between subordinate and
-    
-    main clauses
+    upstream: add RequiredRSASize to the list of keywords accepted by
     
-    jmc@ dislikes a comma before "then" in a conditional, so leave those
-    untouched.
+    -o; spotted by jmc@
     
-    ok jmc@
+    OpenBSD-Commit-ID: fe871408cf6f9d3699afeda876f8adbac86a035e
+
+commit 5f954929e9f173dd1e279e07d0e8b14fa845814d
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Sep 19 20:59:34 2022 +1000
+
+    no need for glob.h here
     
-    OpenBSD-Commit-ID: 9520801729bebcb3c9fe43ad7f9776ab4dd05ea3
+    it also causes portability problems
 
-commit 3741df98ffaaff92b474ee70d8ef276b5882f85a
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Apr 4 23:52:11 2022 +1000
+commit 03d94a47207d58b3db37eba4f87eb6ae5a63168a
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Sep 19 20:59:04 2022 +1000
 
-    Disable security key on fbsd6 test host.
+    avoid Wuninitialized false positive in gcc-12ish
 
-commit 32c12236f27ae83bfe6d2983b67c9bc67a83a417
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Apr 4 15:16:51 2022 +1000
+commit 9d952529113831fb3071ab6e408d2726fd72e771
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Sep 19 10:46:00 2022 +0000
 
-    Specify TEST_SHELL=bash on AIX.
+    upstream: use users-groups-by-id@openssh.com sftp-server extension
     
-    The system shells cause the agent-restrict test to fail due to some
-    quoting so explicitly specify bash until we can get configure to
-    autmatically work around that.
+    (when available) to fill in user/group names for directory listings.
+    Implement a client-side cache of see uid/gid=>user/group names. ok markus@
+    
+    OpenBSD-Commit-ID: f239aeeadfa925a37ceee36ee8b256b8ccf4466e
 
-commit 90452c8b69d065b7c7c285ff78b81418a75bcd76
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 1 23:38:44 2022 +1100
+commit 8ff680368b0bccf88ae85d4c99de69387fbad7a6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Sep 19 10:43:12 2022 +0000
 
-    Only return events from ppoll that were requested.
+    upstream: sftp client library support for
     
-    If the underlying system's select() returns bits that were not in the
-    request set, our ppoll() implementation can return revents for events
-    not requested, which can apparently cause a hang.  Only return revents
-    for activity in the requested event set.  bz#3416, analysis and fix by
-    yaroslav.kuzmin at vmssoftware com, ok djm@
+    users-groups-by-id@openssh.com; ok markus@
+    
+    OpenBSD-Commit-ID: ddb2f33a2da6349a9a89a8b5bcb9ca7c999394de
 
-commit 6c49eb5fabc56f4865164ed818aa5112d09c31a8
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 1 23:21:40 2022 +1100
+commit 488f6e1c582212c2374a4bf8cd1b703d2e70fb8b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Sep 19 10:41:58 2022 +0000
 
-    Only run regression tests on slow VMs.
+    upstream: extend sftp-common.c:extend ls_file() to support supplied
+    
+    user/group names; ok markus@
+    
+    OpenBSD-Commit-ID: c70c70498b1fdcf158531117e405b6245863bfb0
 
-commit f67e47903977b42cb6abcd5565a61bd7293e4dc3
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 1 23:21:06 2022 +1100
+commit 74b77f7497dba3a58315c8f308883de448078057
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Sep 19 10:40:52 2022 +0000
 
-    Increase test timeout to allow slow VMs to finish
+    upstream: sftp-server(8): add a "users-groups-by-id@openssh.com"
+    
+    extension request that allows the client to obtain user/group names that
+    correspond to a set of uids/gids.
+    
+    Will be used to make directory listings more useful and consistent
+    in sftp(1).
+    
+    ok markus@
+    
+    OpenBSD-Commit-ID: 7ebabde0bcb95ef949c4840fe89e697e30df47d3
 
-commit 02488c1b54065ddc4f25835dbd2618b2a2fe21f5
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 1 16:27:38 2022 +1100
+commit 231a346c0c67cc7ca098360f9a554fa7d4f1eddb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Sep 19 08:49:50 2022 +0000
 
-    Use bash or ksh if available for SH in Makefile.
+    upstream: better debugging for connect_next()
+    
+    OpenBSD-Commit-ID: d16a307a0711499c971807f324484ed3a6036640
 
-commit 34c7018c316af4773e432066de28d0ef9d0888cd
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 1 14:56:54 2022 +1100
+commit 1875042c52a3b950ae5963c9ca3774a4cc7f0380
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Sat Sep 17 10:34:29 2022 +0000
 
-    Set Makefile SHELL as determined by configure.
+    upstream: Add RequiredRSASize for sshd(8); RSA keys that fall
     
-    This should improve compatibility for users with non-POSIX shells.  If
-    using Makefile.in directly (eg make -f Makefile.in distprep) then SHELL
-    will need to be specified on the command line (along with MANFMT in that
-    particular case).  ok djm@
+    beneath this limit will be ignored for user and host-based authentication.
+    
+    Feedback deraadt@ ok markus@
+    
+    OpenBSD-Commit-ID: 187931dfc19d51873df5930a04f2d972adf1f7f1
 
-commit 5b054d76402faab38c48377efd112426469553a0
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 1 13:16:47 2022 +1100
+commit 54b333d12e55e6560b328c737d514ff3511f1afd
+Author: djm@openbsd.org <djm@openbsd.org>
*** 29145 LINES SKIPPED ***