From nobody Mon Feb 13 13:16:46 2023
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PFlH35Ykrz3qXYg;
	Mon, 13 Feb 2023 13:16:47 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4PFlH35G7Wz45bt;
	Mon, 13 Feb 2023 13:16:47 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1676294207;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=9jXDfheVukxEQ+rTcaOxmiMNxFrBIaoZ5uGehMlUHUY=;
	b=JYBw2KuJzZuUXRmGjvnZgMvYfT4XdppEEI6n3xoQUaaQzo5xcUOXd0jjusALAuL5yzSNzR
	t9haZn2XwTfcjprIUlSSrXP17GyNCI/OkB7Np8U/rBbWMLudtfIjSAF7WNXikt6+vA05df
	whRFtmA6vWzi8KT9y7uJYSj05fjOqnmPP/r+D+rkvhgoCILI/u/WmE/jej8fOv+YHsbfOb
	NPe66JR9mRpqd2aolpbC93f7sJ6Gs/ydNyoZIn9sw+K4f1mI85LwBr5JBfY2BIe2CPiSmd
	+YKJZzPGz8Q8px+F8s0FQdH9S+Xnet+3HS18fPMMscDnn2j4MzHH4bOQK7iozQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1676294207;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=9jXDfheVukxEQ+rTcaOxmiMNxFrBIaoZ5uGehMlUHUY=;
	b=JlUkuoTsSEl/bhsTqMAF6OVokU0Pa4ro+bttpDfDrtilHP818Li9a1km10H2NqK0CxoIhG
	JXkzt+ubtel6XytBVf9He/ersYUxAftU+ybC6us40h35MN4YhqJzPPr+JInCJM4U7Y8d0F
	pSG9/u5eOY6PhVtljY6MzEOwNX1/45a9xZ1wpQS+gtgT4wRi1sKr3Uc6/ndwVtWV4Mjp7B
	gEuXFwMSS48qpPRg7vlJTABt/dksws6l8WmpamP217weQedTi550RsqiPW9y55pJYIlM8q
	7uGEZonYNVecpCusBTI4P5mk1IM0VncLiQvnNxNl2rVSv3ybE1dU5J69PmmkGg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1676294207; a=rsa-sha256; cv=none;
	b=ITibhFca4PaHvSO36uoFhjRcGJhyKxLvTbE0WNwqIqg4Nt4no3N73pDhOfKljgd9MN92oS
	NfI0QH2VMVTgCewqlDOHVLSQTcrx27bc6x9a8Cb3+3mcW+yMiIunW/XLp9DfRnwvVSKcsp
	BEYhDViqKYlVdQ2RsQFMtLKCNfC0MUq+4WocvL9zyMVptrb9jU6yhSMo65E4zgdqBwDEom
	iZBqBgSmVvRFq6ulo/2j+uX4fWY4T3OwAy0eqLGFB8AEmMu+JNVuyORehG3wvM72ypn4iP
	VIq/McpBZ1xqcEQtSgSPuAdh4jR7MMr6s0VgcmAdJGv+sCQCNE6yyw0TUq/TCQ==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4PFlH34Jr3zKPX;
	Mon, 13 Feb 2023 13:16:47 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 31DDGlnv081149;
	Mon, 13 Feb 2023 13:16:47 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 31DDGkCc081144;
	Mon, 13 Feb 2023 13:16:46 GMT
	(envelope-from git)
Date: Mon, 13 Feb 2023 13:16:46 GMT
Message-Id: <202302131316.31DDGkCc081144@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Ed Maste <emaste@FreeBSD.org>
Subject: git: 2f43f145825d - stable/13 - ssh: update to OpenSSH 9.2p1
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-branches@freebsd.org
X-BeenThere: dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 2f43f145825d0d8468f583b1686262b0f40c1fe5
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=2f43f145825d0d8468f583b1686262b0f40c1fe5

commit 2f43f145825d0d8468f583b1686262b0f40c1fe5
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-02-06 21:54:56 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-02-13 13:16:22 +0000

    ssh: update to OpenSSH 9.2p1
    
    Release notes are available at https://www.openssh.com/txt/release-9.2
    
    OpenSSH 9.2 contains fixes for two security problems and a memory safety
    problem.  The memory safety problem is not believed to be exploitable.
    These fixes have already been committed to OpenSSH 9.1 in FreeBSD.
    
    Some other notable items from the release notes:
    
     * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
       controls whether the client-side ~C escape sequence that provides a
       command-line is available. Among other things, the ~C command-line
       could be used to add additional port-forwards at runtime.
    
     * sshd(8): add support for channel inactivity timeouts via a new
       sshd_config(5) ChannelTimeout directive. This allows channels that
       have not seen traffic in a configurable interval to be
       automatically closed. Different timeouts may be applied to session,
       X11, agent and TCP forwarding channels.
    
     * sshd(8): add a sshd_config UnusedConnectionTimeout option to
       terminate client connections that have no open channels for a
       length of time. This complements the ChannelTimeout option above.
    
     * sshd(8): add a -V (version) option to sshd like the ssh client has.
    
     * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
       allow control over some SFTP protocol parameters: the copy buffer
       length and the number of in-flight requests, both of which are used
       during upload/download. Previously these could be controlled in
       sftp(1) only. This makes them available in both SFTP protocol
       clients using the same option character sequence.
    
     * ssh-keyscan(1): allow scanning of complete CIDR address ranges,
       e.g.  "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then
       it will be expanded to all possible addresses in the range
       including the all-0s and all-1s addresses. bz#976
    
     * ssh(1): support dynamic remote port forwarding in escape
       command-line's -R processing. bz#3499
    
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit f374ba41f55c1a127303d92d830dd58eef2f5243)
---
 crypto/openssh/.depend                             |     8 +-
 crypto/openssh/.github/ci-status.md                |    12 +-
 crypto/openssh/.github/configs                     |    43 +-
 crypto/openssh/.github/setup_ci.sh                 |    19 +-
 crypto/openssh/.github/workflows/c-cpp.yml         |   155 +-
 crypto/openssh/.github/workflows/cifuzz.yml        |    32 +
 crypto/openssh/.github/workflows/selfhosted.yml    |    94 +-
 crypto/openssh/.github/workflows/upstream.yml      |    29 +-
 crypto/openssh/.skipped-commit-ids                 |     2 +
 crypto/openssh/ChangeLog                           | 15052 +++++++++----------
 crypto/openssh/INSTALL                             |     2 +-
 crypto/openssh/Makefile.in                         |     9 +-
 crypto/openssh/PROTOCOL                            |     4 +-
 crypto/openssh/README                              |     2 +-
 crypto/openssh/README.md                           |     3 +-
 crypto/openssh/aclocal.m4                          |     4 +-
 crypto/openssh/addr.c                              |    73 +-
 crypto/openssh/addr.h                              |     4 +
 crypto/openssh/auth-pam.c                          |    16 +-
 crypto/openssh/auth-rhosts.c                       |     4 +-
 crypto/openssh/auth.c                              |    11 +-
 crypto/openssh/channels.c                          |   246 +-
 crypto/openssh/channels.h                          |    24 +-
 crypto/openssh/clientloop.c                        |   171 +-
 crypto/openssh/config.guess                        |  1206 +-
 crypto/openssh/config.h                            |     3 +
 crypto/openssh/config.sub                          |   674 +-
 crypto/openssh/configure.ac                        |    84 +-
 crypto/openssh/contrib/redhat/openssh.spec         |     2 +-
 crypto/openssh/contrib/suse/openssh.spec           |     2 +-
 crypto/openssh/crypto_api.h                        |     4 +-
 crypto/openssh/ed25519.c                           |  2048 ++-
 crypto/openssh/ed25519.sh                          |   119 +
 crypto/openssh/entropy.c                           |    34 -
 crypto/openssh/fe25519.c                           |   337 -
 crypto/openssh/fe25519.h                           |    70 -
 crypto/openssh/ge25519.c                           |   321 -
 crypto/openssh/ge25519.h                           |    43 -
 crypto/openssh/ge25519_base.data                   |   858 --
 crypto/openssh/install-sh                          |   422 +-
 crypto/openssh/kex.c                               |     6 +-
 crypto/openssh/misc.c                              |    97 +-
 crypto/openssh/misc.h                              |    11 +-
 crypto/openssh/moduli                              |   843 +-
 crypto/openssh/monitor_wrap.c                      |     3 +-
 crypto/openssh/mux.c                               |     6 +-
 crypto/openssh/openbsd-compat/arc4random.c         |    12 +-
 crypto/openssh/openbsd-compat/arc4random.h         |    10 +
 crypto/openssh/openbsd-compat/bsd-getentropy.c     |     7 +-
 crypto/openssh/openbsd-compat/bsd-poll.c           |    38 +-
 crypto/openssh/openbsd-compat/bsd-poll.h           |    25 +-
 crypto/openssh/openbsd-compat/bsd-timegm.c         |    52 +-
 crypto/openssh/openbsd-compat/getrrsetbyname.c     |    12 +-
 crypto/openssh/openbsd-compat/openbsd-compat.h     |     5 +-
 crypto/openssh/openbsd-compat/regress/Makefile.in  |     7 +-
 .../openbsd-compat/regress/opensslvertest.c        |     2 +
 crypto/openssh/readconf.c                          |    14 +-
 crypto/openssh/readconf.h                          |     4 +-
 crypto/openssh/regress/Makefile                    |     7 +-
 crypto/openssh/regress/agent-getpeereid.sh         |    11 +-
 crypto/openssh/regress/agent-ptrace.sh             |     1 +
 crypto/openssh/regress/channel-timeout.sh          |    91 +
 crypto/openssh/regress/connection-timeout.sh       |    87 +
 crypto/openssh/regress/dynamic-forward.sh          |   127 +-
 crypto/openssh/regress/hostbased.sh                |     4 +-
 crypto/openssh/regress/krl.sh                      |     6 +-
 crypto/openssh/regress/multiplex.sh                |     3 +-
 crypto/openssh/regress/percent.sh                  |    20 +-
 crypto/openssh/regress/reexec.sh                   |     4 +-
 crypto/openssh/regress/scp-uri.sh                  |     4 +-
 crypto/openssh/regress/scp.sh                      |    51 +-
 crypto/openssh/regress/scp3.sh                     |    10 +-
 crypto/openssh/regress/test-exec.sh                |    14 +-
 crypto/openssh/regress/unittests/hostkeys/Makefile |     4 +-
 crypto/openssh/regress/unittests/kex/Makefile      |     6 +-
 .../openssh/regress/unittests/kex/test_proposal.c  |    83 +
 crypto/openssh/regress/unittests/kex/tests.c       |     4 +-
 .../openssh/regress/unittests/misc/test_ptimeout.c |    85 +
 crypto/openssh/regress/unittests/misc/tests.c      |     4 +-
 crypto/openssh/regress/unittests/sshkey/Makefile   |     4 +-
 .../openssh/regress/unittests/sshkey/test_sshkey.c |     4 +-
 crypto/openssh/regress/unittests/sshsig/Makefile   |     4 +-
 crypto/openssh/regress/yes-head.sh                 |     4 +-
 crypto/openssh/sandbox-seccomp-filter.c            |     5 +-
 crypto/openssh/sc25519.c                           |   308 -
 crypto/openssh/sc25519.h                           |    80 -
 crypto/openssh/scp.1                               |    29 +-
 crypto/openssh/scp.c                               |   163 +-
 crypto/openssh/servconf.c                          |   138 +-
 crypto/openssh/servconf.h                          |    10 +-
 crypto/openssh/serverloop.c                        |    98 +-
 crypto/openssh/session.c                           |    27 +-
 crypto/openssh/session.h                           |     4 +-
 crypto/openssh/sftp-client.c                       |    25 +-
 crypto/openssh/sftp-glob.c                         |    34 +-
 crypto/openssh/sftp-server.c                       |     4 +-
 crypto/openssh/sftp.1                              |    18 +-
 crypto/openssh/sftp.c                              |    36 +-
 crypto/openssh/sntrup761.c                         |    44 +-
 crypto/openssh/sntrup761.sh                        |     5 +-
 crypto/openssh/ssh-agent.1                         |    27 +-
 crypto/openssh/ssh-agent.c                         |     9 +-
 crypto/openssh/ssh-dss.c                           |   284 +-
 crypto/openssh/ssh-ecdsa-sk.c                      |   170 +-
 crypto/openssh/ssh-ecdsa.c                         |   318 +-
 crypto/openssh/ssh-ed25519-sk.c                    |   139 +-
 crypto/openssh/ssh-ed25519.c                       |   181 +-
 crypto/openssh/ssh-keygen.c                        |     3 +-
 crypto/openssh/ssh-keyscan.1                       |    24 +-
 crypto/openssh/ssh-keyscan.c                       |    46 +-
 crypto/openssh/ssh-rsa.c                           |   352 +-
 crypto/openssh/ssh-sk-helper.c                     |     3 +-
 crypto/openssh/ssh-xmss.c                          |   228 +-
 crypto/openssh/ssh.1                               |     5 +-
 crypto/openssh/ssh.c                               |    42 +-
 crypto/openssh/ssh_config.5                        |    19 +-
 crypto/openssh/ssh_namespace.h                     |   111 +-
 crypto/openssh/sshbuf.c                            |    27 +-
 crypto/openssh/sshbuf.h                            |    26 +-
 crypto/openssh/sshconnect.c                        |     9 +-
 crypto/openssh/sshd.8                              |     8 +-
 crypto/openssh/sshd.c                              |    30 +-
 crypto/openssh/sshd_config                         |     2 +-
 crypto/openssh/sshd_config.5                       |   104 +-
 crypto/openssh/sshkey-xmss.c                       |     4 +-
 crypto/openssh/sshkey-xmss.h                       |     4 +-
 crypto/openssh/sshkey.c                            |  1993 +--
 crypto/openssh/sshkey.h                            |    82 +-
 crypto/openssh/verify.c                            |    49 -
 crypto/openssh/version.h                           |     6 +-
 secure/lib/libssh/Makefile                         |     2 +-
 131 files changed, 15622 insertions(+), 13755 deletions(-)

diff --git a/crypto/openssh/.depend b/crypto/openssh/.depend
index fca83a67c970..5226523aa2ad 100644
--- a/crypto/openssh/.depend
+++ b/crypto/openssh/.depend
@@ -50,11 +50,9 @@ digest-libc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-c
 digest-openssl.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 dispatch.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh2.h log.h ssherr.h dispatch.h packet.h openbsd-compat/sys-queue.h compat.h
 dns.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h ssherr.h dns.h log.h digest.h
-ed25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h ge25519.h fe25519.h sc25519.h
+ed25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h
 entropy.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 fatal.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h
-fe25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h fe25519.h crypto_api.h
-ge25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h fe25519.h crypto_api.h sc25519.h ge25519.h ge25519_base.data
 groupaccess.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h groupaccess.h match.h log.h ssherr.h
 gss-genr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 gss-serv-krb5.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
@@ -108,7 +106,6 @@ sandbox-rlimit.o: includes.h config.h defines.h platform.h openbsd-compat/openbs
 sandbox-seccomp-filter.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 sandbox-solaris.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 sandbox-systrace.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
-sc25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sc25519.h crypto_api.h
 scp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h xmalloc.h ssh.h atomicio.h pathnames.h log.h ssherr.h misc.h progressmeter.h utf8.h sftp.h sftp-common.h sftp-client.h
 servconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h openbsd-compat/sys-queue.h xmalloc.h ssh.h log.h ssherr.h sshbuf.h misc.h servconf.h compat.h pathnames.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey
 .h
 servconf.o: kex.h mac.h crypto_api.h match.h channels.h groupaccess.h canohost.h packet.h dispatch.h hostfile.h auth.h auth-pam.h audit.h loginrec.h myproposal.h digest.h
@@ -137,7 +134,7 @@ ssh-ed25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-c
 ssh-keygen.o: cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h
 ssh-keygen.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h authfile.h sshbuf.h pathnames.h log.h ssherr.h misc.h match.h hostfile.h dns.h ssh.h ssh2.h ssh-pkcs11.h atomicio.h krl.h digest.h utf8.h authfd.h sshsig.h ssh-sk.h sk-api.h cipher.h
 ssh-keyscan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h compat.h myproposal.h packet.h dispatch.h log
 .h
-ssh-keyscan.o: ssherr.h atomicio.h misc.h hostfile.h ssh_api.h ssh2.h dns.h
+ssh-keyscan.o: ssherr.h atomicio.h misc.h hostfile.h ssh_api.h ssh2.h dns.h addr.h
 ssh-keysign.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ssherr.h sshkey.h ssh.h ssh2.h misc.h sshbuf.h authfile.h msg.h canohost.h pathnames.h readconf.h uidswap.h
 ssh-pkcs11-client.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 ssh-pkcs11-helper.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h sshbuf.h log.h ssherr.h misc.h sshkey.h authfd.h ssh-pkcs11.h
@@ -174,7 +171,6 @@ uidswap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compa
 umac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h umac.h misc.h rijndael.h
 umac128.o: umac.c includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h umac.h misc.h rijndael.h
 utf8.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h utf8.h
-verify.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h
 xmalloc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ssherr.h
 xmss_commons.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 xmss_fast.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
diff --git a/crypto/openssh/.github/ci-status.md b/crypto/openssh/.github/ci-status.md
index 0ad8bf5aaf44..d13bbfa8c038 100644
--- a/crypto/openssh/.github/ci-status.md
+++ b/crypto/openssh/.github/ci-status.md
@@ -1,4 +1,10 @@
-[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml)
-[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml)
-[![Upstream self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml)
+master :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:master)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:master)
+[![Upstream self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml/badge.svg)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/upstream.yml?query=branch:master)
+[![CIFuzz](https://github.com/openssh/openssh-portable/actions/workflows/cifuzz.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/cifuzz.yml)
 [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
+
+9.1 :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_1)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_1)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_1)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_1)
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
index 6bf1ab27f0ca..bdd5ddbdfaf0 100755
--- a/crypto/openssh/.github/configs
+++ b/crypto/openssh/.github/configs
@@ -9,10 +9,13 @@
 # LTESTS
 
 config=$1
+if [ "$config" = "" ]; then
+	config="default"
+fi
 
 unset CC CFLAGS CPPFLAGS LDFLAGS LTESTS SUDO
 
-TEST_TARGET="tests"
+TEST_TARGET="tests compat-tests"
 LTESTS=""
 SKIP_LTESTS=""
 SUDO=sudo	# run with sudo by default
@@ -108,7 +111,7 @@ case "$config" in
     kitchensink)
 	CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
 	CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
-	CONFIGFLAGS="${CONFIGFLAGS} --with-cflags=-DSK_DEBUG"
+	CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
 	;;
     hardenedmalloc)
 	CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
@@ -141,6 +144,11 @@ case "$config" in
 	;;
     openssl-*)
 	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
+	# OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
+	# fallback.  See https://bugzilla.mindrot.org/show_bug.cgi?id=3483
+	if [ "$config" = "openssl-1.1.1" ]; then
+		SKIP_LTESTS="reexec"
+	fi
 	;;
     selinux)
 	CONFIGFLAGS="--with-selinux"
@@ -152,7 +160,7 @@ case "$config" in
 	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET=t-exec
 	;;
-    valgrind-[1-4]|valgrind-unit)
+    valgrind-[1-5]|valgrind-unit)
 	# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
 	CONFIGFLAGS="--without-sandbox --without-hardening"
 	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
@@ -161,16 +169,19 @@ case "$config" in
 	export TEST_SSH_ELAPSED_TIMES
 	# Valgrind slows things down enough that the agent timeout test
 	# won't reliably pass, and the unit tests run longer than allowed
-	# by github so split into three separate tests.
-	tests2="rekey integrity try-ciphers"
+	# by github so split into separate tests.
+	tests2="integrity try-ciphers"
 	tests3="krl forward-control sshsig agent-restrict kextype sftp"
 	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
+	tests5="rekey"
 	case "$config" in
 	    valgrind-1)
-		# All tests except agent-timeout (which is flaky under valgrind)
+		# All tests except agent-timeout (which is flaky under valgrind),
+		# connection-timeout (which doesn't work since it's so slow)
 		# and hostbased (since valgrind won't let ssh exec keysign).
 		# Slow ones are run separately to increase parallelism.
-		SKIP_LTESTS="agent-timeout hostbased ${tests2} ${tests3} ${tests4}"
+		SKIP_LTESTS="agent-timeout connection-timeout hostbased"
+		SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
 		;;
 	    valgrind-2)
 		LTESTS="${tests2}"
@@ -181,6 +192,9 @@ case "$config" in
 	    valgrind-4)
 		LTESTS="${tests4}"
 		;;
+	    valgrind-5)
+		LTESTS="${tests5}"
+		;;
 	    valgrind-unit)
 		TEST_TARGET="unit USE_VALGRIND=1"
 		;;
@@ -210,6 +224,10 @@ case "${TARGET_HOST}" in
 	TEST_TARGET="t-exec TEST_SHELL=bash"
 	SKIP_LTESTS="rekey sftp"
 	;;
+    debian-riscv64)
+	# This machine is fairly slow, so skip the unit tests.
+	TEST_TARGET="t-exec"
+	;;
     dfly58*|dfly60*)
 	# scp 3-way connection hangs on these so skip until sorted.
 	SKIP_LTESTS=scp3
@@ -227,12 +245,15 @@ case "${TARGET_HOST}" in
 	# test that relies on one.
 	# Also, Minix seems to be very limited in the number of select()
 	# calls that can be operating concurrently, so prune additional tests for that.
-	T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse connect
-	    connect-uri exit-status forward-control forwarding hostkey-agent
-	    key-options keyscan knownhosts-command login-timeout multiplex
+	T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
+	    connect connect-uri exit-status forwarding hostkey-agent
+	    key-options keyscan knownhosts-command login-timeout
 	    reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
 	    sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
 	    transfer"
+	# Unix domain sockets don't work quite like we expect, so also skip any tests
+	# that use multiplexing.
+	T="$T connection-timeout dynamic-forward forward-control multiplex"
 	SKIP_LTESTS="$(echo $T)"
 	TEST_TARGET=t-exec
 	SUDO=""
@@ -260,6 +281,8 @@ esac
 case "`./config.guess`" in
 *cygwin)
 	SUDO=""
+	# Don't run compat tests on cygwin as they don't currently compile.
+	TEST_TARGET="tests"
 	;;
 *-darwin*)
 	# Unless specified otherwise, build without OpenSSL on Mac OS since
diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
index 044c4d1292b1..e4480e614f31 100755
--- a/crypto/openssh/.github/setup_ci.sh
+++ b/crypto/openssh/.github/setup_ci.sh
@@ -139,16 +139,29 @@ if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
     sudo apt-add-repository -y ppa:yubico/stable
 fi
 
-if [ "x" != "x$PACKAGES" ]; then
+tries=3
+while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do
     case "$PACKAGER" in
     apt)
 	sudo apt update -qq
-	sudo apt install -qy $PACKAGES
+	if sudo apt install -qy $PACKAGES; then
+		PACKAGES=""
+	fi
 	;;
     setup)
-	/cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`
+	if /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`; then
+		PACKAGES=""
+	fi
 	;;
     esac
+    if [ ! -z "$PACKAGES" ]; then
+	sleep 90
+    fi
+    tries=$(($tries - 1))
+done
+if [ ! -z "$PACKAGES" ]; then
+	echo "Package installation failed."
+	exit 1
 fi
 
 if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
index 3cd1188fc572..e6ea49550f71 100644
--- a/crypto/openssh/.github/workflows/c-cpp.yml
+++ b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -2,11 +2,9 @@ name: C/C++ CI
 
 on:
   push:
-    branches: [ master, ci, V_9_0 ]
-    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', 'Makefile.in', 'configure.ac' ]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
   pull_request:
-    branches: [ master ]
-    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', 'Makefile.in', 'configure.ac' ]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
 
 jobs:
   ci:
@@ -15,104 +13,109 @@ jobs:
       fail-fast: false
       matrix:
         # First we test all OSes in the default configuration.
-        os: [ubuntu-20.04, ubuntu-22.04, macos-11, macos-12, windows-2019, windows-2022]
-        configs: [default]
+        target: [ubuntu-20.04, ubuntu-22.04, macos-11, macos-12, windows-2019, windows-2022]
+        config: [default]
         # Then we include any extra configs we want to test for specific VMs.
         # Valgrind slows things down quite a bit, so start them first.
         include:
-          - { os: windows-2019, configs: cygwin-release }
-          - { os: windows-2022, configs: cygwin-release }
-          - { os: ubuntu-20.04, configs: valgrind-1 }
-          - { os: ubuntu-20.04, configs: valgrind-2 }
-          - { os: ubuntu-20.04, configs: valgrind-3 }
-          - { os: ubuntu-20.04, configs: valgrind-4 }
-          - { os: ubuntu-20.04, configs: valgrind-unit }
-          - { os: ubuntu-20.04, configs: c89 }
-          - { os: ubuntu-20.04, configs: clang-6.0 }
-          - { os: ubuntu-20.04, configs: clang-8 }
-          - { os: ubuntu-20.04, configs: clang-9 }
-          - { os: ubuntu-20.04, configs: clang-10 }
-          - { os: ubuntu-20.04, configs: clang-11 }
-          - { os: ubuntu-20.04, configs: clang-12-Werror }
-          - { os: ubuntu-20.04, configs: clang-sanitize-address }
-          - { os: ubuntu-20.04, configs: clang-sanitize-undefined }
-          - { os: ubuntu-20.04, configs: gcc-sanitize-address }
-          - { os: ubuntu-20.04, configs: gcc-sanitize-undefined }
-          - { os: ubuntu-20.04, configs: gcc-7 }
-          - { os: ubuntu-20.04, configs: gcc-8 }
-          - { os: ubuntu-20.04, configs: gcc-10 }
-          - { os: ubuntu-20.04, configs: gcc-11-Werror }
-          - { os: ubuntu-20.04, configs: pam }
-          - { os: ubuntu-20.04, configs: kitchensink }
-          - { os: ubuntu-20.04, configs: hardenedmalloc }
-          - { os: ubuntu-20.04, configs: tcmalloc }
-          - { os: ubuntu-20.04, configs: musl }
-          - { os: ubuntu-latest, configs: libressl-master }
-          - { os: ubuntu-latest, configs: libressl-2.2.9 }
-          - { os: ubuntu-latest, configs: libressl-2.8.3 }
-          - { os: ubuntu-latest, configs: libressl-3.0.2 }
-          - { os: ubuntu-latest, configs: libressl-3.2.6 }
-          - { os: ubuntu-latest, configs: libressl-3.3.6 }
-          - { os: ubuntu-latest, configs: libressl-3.4.3 }
-          - { os: ubuntu-latest, configs: libressl-3.5.3 }
-          - { os: ubuntu-latest, configs: openssl-master }
-          - { os: ubuntu-latest, configs: openssl-noec }
-          - { os: ubuntu-latest, configs: openssl-1.0.1 }
-          - { os: ubuntu-latest, configs: openssl-1.0.1u }
-          - { os: ubuntu-latest, configs: openssl-1.0.2u }
-          - { os: ubuntu-latest, configs: openssl-1.1.0h }
-          - { os: ubuntu-latest, configs: openssl-1.1.1 }
-          - { os: ubuntu-latest, configs: openssl-1.1.1k }
-          - { os: ubuntu-latest, configs: openssl-1.1.1n }
-          - { os: ubuntu-latest, configs: openssl-1.1.1p }
-          - { os: ubuntu-latest, configs: openssl-3.0.0 }
-          - { os: ubuntu-latest, configs: openssl-3.0.5 }
-          - { os: ubuntu-latest, configs: openssl-1.1.1_stable } # stable branch
-          - { os: ubuntu-latest, configs: openssl-3.0 }          # stable branch
-          - { os: ubuntu-22.04, configs: pam }
-          - { os: ubuntu-22.04, configs: krb5 }
-          - { os: ubuntu-22.04, configs: heimdal }
-          - { os: ubuntu-22.04, configs: libedit }
-          - { os: ubuntu-22.04, configs: sk }
-          - { os: ubuntu-22.04, configs: selinux }
-          - { os: ubuntu-22.04, configs: kitchensink }
-          - { os: ubuntu-22.04, configs: without-openssl }
-          - { os: macos-11, configs: pam }
-          - { os: macos-12, configs: pam }
-    runs-on: ${{ matrix.os }}
+          - { target: windows-2019, config: cygwin-release }
+          - { target: windows-2022, config: cygwin-release }
+          - { target: ubuntu-20.04, config: valgrind-1 }
+          - { target: ubuntu-20.04, config: valgrind-2 }
+          - { target: ubuntu-20.04, config: valgrind-3 }
+          - { target: ubuntu-20.04, config: valgrind-4 }
+          - { target: ubuntu-20.04, config: valgrind-5 }
+          - { target: ubuntu-20.04, config: valgrind-unit }
+          - { target: ubuntu-20.04, config: c89 }
+          - { target: ubuntu-20.04, config: clang-6.0 }
+          - { target: ubuntu-20.04, config: clang-8 }
+          - { target: ubuntu-20.04, config: clang-9 }
+          - { target: ubuntu-20.04, config: clang-10 }
+          - { target: ubuntu-20.04, config: clang-11 }
+          - { target: ubuntu-20.04, config: clang-12-Werror }
+          - { target: ubuntu-20.04, config: clang-sanitize-address }
+          - { target: ubuntu-20.04, config: clang-sanitize-undefined }
+          - { target: ubuntu-20.04, config: gcc-sanitize-address }
+          - { target: ubuntu-20.04, config: gcc-sanitize-undefined }
+          - { target: ubuntu-20.04, config: gcc-7 }
+          - { target: ubuntu-20.04, config: gcc-8 }
+          - { target: ubuntu-20.04, config: gcc-10 }
+          - { target: ubuntu-20.04, config: gcc-11-Werror }
+          - { target: ubuntu-20.04, config: pam }
+          - { target: ubuntu-20.04, config: kitchensink }
+          - { target: ubuntu-20.04, config: hardenedmalloc }
+          - { target: ubuntu-20.04, config: tcmalloc }
+          - { target: ubuntu-20.04, config: musl }
+          - { target: ubuntu-latest, config: libressl-master }
+          - { target: ubuntu-latest, config: libressl-2.2.9 }
+          - { target: ubuntu-latest, config: libressl-2.8.3 }
+          - { target: ubuntu-latest, config: libressl-3.0.2 }
+          - { target: ubuntu-latest, config: libressl-3.2.6 }
+          - { target: ubuntu-latest, config: libressl-3.3.6 }
+          - { target: ubuntu-latest, config: libressl-3.4.3 }
+          - { target: ubuntu-latest, config: libressl-3.5.3 }
+          - { target: ubuntu-latest, config: libressl-3.6.1 }
+          - { target: ubuntu-latest, config: libressl-3.7.0 }
+          - { target: ubuntu-latest, config: openssl-master }
+          - { target: ubuntu-latest, config: openssl-noec }
+          - { target: ubuntu-latest, config: openssl-1.0.1 }
+          - { target: ubuntu-latest, config: openssl-1.0.1u }
+          - { target: ubuntu-latest, config: openssl-1.0.2u }
+          - { target: ubuntu-latest, config: openssl-1.1.0h }
+          - { target: ubuntu-latest, config: openssl-1.1.1 }
+          - { target: ubuntu-latest, config: openssl-1.1.1k }
+          - { target: ubuntu-latest, config: openssl-1.1.1n }
+          - { target: ubuntu-latest, config: openssl-1.1.1q }
+          - { target: ubuntu-latest, config: openssl-1.1.1s }
+          - { target: ubuntu-latest, config: openssl-3.0.0 }
+          - { target: ubuntu-latest, config: openssl-3.0.5 }
+          - { target: ubuntu-latest, config: openssl-3.0.7 }
+          - { target: ubuntu-latest, config: openssl-1.1.1_stable }
+          - { target: ubuntu-latest, config: openssl-3.0 }  # stable branch
+          - { target: ubuntu-22.04, config: pam }
+          - { target: ubuntu-22.04, config: krb5 }
+          - { target: ubuntu-22.04, config: heimdal }
+          - { target: ubuntu-22.04, config: libedit }
+          - { target: ubuntu-22.04, config: sk }
+          - { target: ubuntu-22.04, config: selinux }
+          - { target: ubuntu-22.04, config: kitchensink }
+          - { target: ubuntu-22.04, config: without-openssl }
+          - { target: macos-11, config: pam }
+          - { target: macos-12, config: pam }
+    runs-on: ${{ matrix.target }}
     steps:
     - name: set cygwin git params
-      if: ${{ startsWith(matrix.os, 'windows') }}
+      if: ${{ startsWith(matrix.target, 'windows') }}
       run: git config --global core.autocrlf input
     - name: install cygwin
-      if: ${{ startsWith(matrix.os, 'windows') }}
+      if: ${{ startsWith(matrix.target, 'windows') }}
       uses: cygwin/cygwin-install-action@master
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@main
     - name: setup CI system
-      run: sh ./.github/setup_ci.sh ${{ matrix.configs }}
+      run: sh ./.github/setup_ci.sh ${{ matrix.config }}
     - name: autoreconf
       run: sh -c autoreconf
     - name: configure
-      run: sh ./.github/configure.sh ${{ matrix.configs }}
+      run: sh ./.github/configure.sh ${{ matrix.config }}
     - name: save config
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@main
       with:
-        name: ${{ matrix.os }}-${{ matrix.configs }}-config
+        name: ${{ matrix.target }}-${{ matrix.config }}-config
         path: config.h
     - name: make clean
       run: make clean
     - name: make
       run: make -j2
     - name: make tests
-      run: sh ./.github/run_test.sh ${{ matrix.configs }}
+      run: sh ./.github/run_test.sh ${{ matrix.config }}
       env:
         TEST_SSH_UNSAFE_PERMISSIONS: 1
         TEST_SSH_HOSTBASED_AUTH: yes
     - name: save logs
       if: failure()
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@main
       with:
-        name: ${{ matrix.os }}-${{ matrix.configs }}-logs
+        name: ${{ matrix.target }}-${{ matrix.config }}-logs
         path: |
           config.h
           config.log
diff --git a/crypto/openssh/.github/workflows/cifuzz.yml b/crypto/openssh/.github/workflows/cifuzz.yml
new file mode 100644
index 000000000000..7ca8c4719b61
--- /dev/null
+++ b/crypto/openssh/.github/workflows/cifuzz.yml
@@ -0,0 +1,32 @@
+name: CIFuzz
+on:
+  push:
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+  pull_request:
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
+
+jobs:
+  Fuzzing:
+    if: github.repository != 'openssh/openssh-portable-selfhosted'
+    runs-on: ubuntu-latest
+    steps:
+    - name: Build Fuzzers
+      id: build
+      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'openssh'
+        dry-run: false
+        language: c++
+    - name: Run Fuzzers
+      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'openssh'
+        fuzz-seconds: 600
+        dry-run: false
+        language: c++
+    - name: Upload Crash
+      uses: actions/upload-artifact@main
+      if: failure() && steps.build.outcome == 'success'
+      with:
+        name: artifacts
+        path: ./out/artifacts
diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml
index c4bd1d9b24f7..50bc9fffb723 100644
--- a/crypto/openssh/.github/workflows/selfhosted.yml
+++ b/crypto/openssh/.github/workflows/selfhosted.yml
@@ -2,37 +2,35 @@ name: C/C++ CI self-hosted
 
 on:
   push:
-    branches: [ master, ci, V_9_0 ]
-    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', 'Makefile.in', 'configure.ac' ]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
 
 jobs:
   selfhosted:
     if: github.repository == 'openssh/openssh-portable-selfhosted'
-    runs-on: ${{ matrix.os }}
+    runs-on: ${{ matrix.host }}
+    timeout-minutes: 600
     env:
-      TARGET_HOST: ${{ matrix.os }}
+      HOST: ${{ matrix.host }}
+      TARGET_HOST: ${{ matrix.target }}
+      TARGET_CONFIG: ${{ matrix.config }}
     strategy:
       fail-fast: false
       # We use a matrix in two parts: firstly all of the VMs are tested with the
-      # default config.  "os" corresponds to a label associated with the worker.
+      # default config.  "target" corresponds to a label associated with the
+      # worker.  The default is an ephemeral VM running under libvirt.
       matrix:
-        os:
-          - aix51
-          - ARM
-          - ARM64
+        target:
           - alpine
           - debian-i386
-          - debian-riscv64
           - dfly30
           - dfly48
           - dfly58
           - dfly60
+          - dfly62
           - fbsd10
           - fbsd12
           - fbsd13
-          # - hurd
           - minix3
-          # - nbsd2
           - nbsd3
           - nbsd4
           - nbsd8
@@ -42,62 +40,71 @@ jobs:
           - obsd69
           - obsd70
           - obsdsnap
+          - obsdsnap-i386
           - openindiana
-          - openwrt-mips
-          - openwrt-mipsel
-          # - rocky84
           - sol10
           - sol11
-          - win10
-        configs:
+        config:
           - default
-        # Then we include any extra configs we want to test for specific VMs.
+        host:
+          - libvirt
         include:
-          - { os: ARM64,  configs: pam }
-          - { os: debian-i386, configs: pam }
-          - { os: dfly30, configs: without-openssl}
-          - { os: dfly48, configs: pam }
-          - { os: dfly58, configs: pam }
-          - { os: dfly60, configs: pam }
-          - { os: fbsd10, configs: pam }
-          - { os: fbsd12, configs: pam }
-          - { os: fbsd13, configs: pam }
-          - { os: nbsd8,  configs: pam }
-          - { os: nbsd9,  configs: pam }
-          - { os: openindiana, configs: pam }
-          # - { os: rocky84, configs: pam }
-          - { os: sol10,  configs: pam }
-          - { os: sol11,  configs: pam-krb5 }
-          - { os: sol11,  configs: sol64 }
-          # - { os: sol11,  configs: sol64-pam }
-          - { os: win10,  configs: cygwin-release }
+          # Then we include extra libvirt test configs.
+          - { target: aix51, config: default, host: libvirt }
+          - { target: debian-i386, config: pam, host: libvirt }
+          - { target: dfly30, config: without-openssl, host: libvirt}
+          - { target: dfly48, config: pam ,host: libvirt }
+          - { target: dfly58, config: pam, host: libvirt }
+          - { target: dfly60, config: pam, host: libvirt }
+          - { target: dfly62, config: pam, host: libvirt }
+          - { target: fbsd10, config: pam, host: libvirt }
+          - { target: fbsd12, config: pam, host: libvirt }
+          - { target: fbsd13, config: pam, host: libvirt }
+          - { target: nbsd8,  config: pam, host: libvirt }
+          - { target: nbsd9,  config: pam, host: libvirt }
+          - { target: openindiana, config: pam, host: libvirt }
+          - { target: sol10,  config: pam, host: libvirt }
+          - { target: sol11,  config: pam-krb5, host: libvirt }
+          - { target: sol11,  config: sol64, host: libvirt }
+          # VMs with persistent disks that have their own runner.
+          - { target: win10, config: default, host: win10 }
+          - { target: win10, config: cygwin-release, host: win10 }
+          # Physical hosts, with either native runners or remote via ssh.
+          - { target: ARM, config: default, host: ARM }
+          - { target: ARM64, config: default, host: ARM64 }
+          - { target: ARM64, config: pam, host: ARM64 }
+          - { target: debian-riscv64, config: default, host: debian-riscv64 }
+          - { target: openwrt-mips, config: default, host: openwrt-mips }
+          - { target: openwrt-mipsel, config: default, host: openwrt-mipsel }
     steps:
     - name: shutdown VM if running
       run: vmshutdown
-    - uses: actions/checkout@v2
+      working-directory: ${{ runner.temp }}
+    - uses: actions/checkout@main
     - name: autoreconf
       run: autoreconf
     - name: startup VM
       run: vmstartup
+      working-directory: ${{ runner.temp }}
     - name: configure
-      run: vmrun ./.github/configure.sh ${{ matrix.configs }}
+      run: vmrun ./.github/configure.sh ${{ matrix.config }}
     - name: save config
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@main
       with:
-        name: ${{ matrix.os }}-${{ matrix.configs }}-config
+        name: ${{ matrix.target }}-${{ matrix.config }}-config
         path: config.h
     - name: make clean
       run: vmrun make clean
     - name: make
       run: vmrun make
     - name: make tests
-      run: vmrun ./.github/run_test.sh ${{ matrix.configs }}
+      run: vmrun ./.github/run_test.sh ${{ matrix.config }}
       timeout-minutes: 600
     - name: save logs
       if: failure()
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@main
       with:
-        name: ${{ matrix.os }}-${{ matrix.configs }}-logs
+        name: ${{ matrix.target }}-${{ matrix.config }}-logs
         path: |
           config.h
           config.log
@@ -106,3 +113,4 @@ jobs:
     - name: shutdown VM
       if: always()
       run: vmshutdown
+      working-directory: ${{ runner.temp }}
diff --git a/crypto/openssh/.github/workflows/upstream.yml b/crypto/openssh/.github/workflows/upstream.yml
index 3cec069ede74..1e2c2acb7ac0 100644
--- a/crypto/openssh/.github/workflows/upstream.yml
+++ b/crypto/openssh/.github/workflows/upstream.yml
@@ -2,46 +2,51 @@ name: Upstream self-hosted
 
 on:
   push:
-    branches: [ master, ci ]
+    branches: [ master ]
     paths: [ '**.c', '**.h', '.github/**' ]
 
 jobs:
   selfhosted:
     if: github.repository == 'openssh/openssh-portable-selfhosted'
-    runs-on: ${{ matrix.os }}
+    runs-on: 'libvirt'
     env:
-      TARGET_HOST: ${{ matrix.os }}
+      HOST: 'libvirt'
+      TARGET_HOST: ${{ matrix.target }}
+      TARGET_CONFIG: ${{ matrix.config }}
     strategy:
       fail-fast: false
       matrix:
-        os: [ obsdsnap, obsdsnap-i386 ]
-        configs: [ default, without-openssl, ubsan ]
+        target: [ obsdsnap, obsdsnap-i386 ]
+        config: [ default, without-openssl, ubsan ]
     steps:
-    - uses: actions/checkout@v2
     - name: shutdown VM if running
       run: vmshutdown
+      working-directory: ${{ runner.temp }}
+    - uses: actions/checkout@main
     - name: startup VM
       run: vmstartup
+      working-directory: ${{ runner.temp }}
     - name: update source
       run: vmrun "cd /usr/src && cvs up -dPA usr.bin/ssh regress/usr.bin/ssh"
     - name: make clean
-      run: vmrun "cd /usr/src/usr.bin/ssh && make obj && make clean && cd /usr/src/regress/usr.bin/ssh && make obj && make clean"
+      run: vmrun "cd /usr/src/usr.bin/ssh && make obj && make clean && cd /usr/src/regress/usr.bin/ssh && make obj && make clean && sudo chmod -R g-w /usr/src /usr/obj"
     - name: make
-      run: vmrun "cd /usr/src/usr.bin/ssh && case ${{ matrix.configs }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
+      run: vmrun "cd /usr/src/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
     - name: make install
       run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install"
     - name: make tests`
-      run: vmrun "cd /usr/src/regress/usr.bin/ssh && case ${{ matrix.configs }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
+      run: vmrun "cd /usr/src/regress/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
       env:
         SUDO: sudo
       timeout-minutes: 300
     - name: save logs
       if: failure()
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@main
       with:
-        name: ${{ matrix.os }}-${{ matrix.configs }}-logs
+        name: ${{ matrix.target }}-${{ matrix.config }}-logs
         path: |
-          /usr/obj/regress/usr.bin/ssh/*.log
+          /usr/obj/regress/usr.bin/ssh/obj/*.log
     - name: shutdown VM
       if: always()
       run: vmshutdown
+      working-directory: ${{ runner.temp }}
diff --git a/crypto/openssh/.skipped-commit-ids b/crypto/openssh/.skipped-commit-ids
index b639678939dd..59e80518acf2 100644
--- a/crypto/openssh/.skipped-commit-ids
+++ b/crypto/openssh/.skipped-commit-ids
@@ -25,6 +25,8 @@ cc12a9029833d222043aecd252d654965c351a69	moduli-gen Makefile
 7ac6c252d2a5be8fbad4c66d9d35db507c9dac5b	moduli update
 6b52cd2b637f3d29ef543f0ce532a2bce6d86af5	makefile change
 f9a0726d957cf10692a231996a1f34e7f9cdfeb0	moduli update
+1e0a2692b7e20b126dda60bf04999d1d30d959d8	sshd relinking makefile changes
+e1dc11143f83082e3154d6094f9136d0dc2637ad	more relinking makefile tweaks
 
 Old upstream tree:
 
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 02e11b023ca0..4251831a1732 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,11314 +1,11196 @@
-commit 0ffb46f2ee2ffcc4daf45ee679e484da8fcf338c
+commit 6dfb65de949cdd0a5d198edee9a118f265924f33
 Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Oct 4 01:51:42 2022 +1100
+Date:   Thu Feb 2 23:21:54 2023 +1100
 
-    update .depend
+    crank versions in RPM specs
 
-commit 657e676ff696c7bb787bffb0e249ea1be3b474e1
+commit d07cfb11a0ca574eb68a3931d8c46fbe862a2021
 Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Oct 4 01:45:52 2022 +1100
+Date:   Thu Feb 2 23:21:45 2023 +1100
 
-    update release notes URL
+    update version in README
 
-commit f059da2b29840c0f048448809c317ce2ae014da7
+commit 9fe207565b4ab0fe5d1ac5bb85e39188d96fb214
 Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Oct 4 01:45:41 2022 +1100
+Date:   Thu Feb 2 23:17:49 2023 +1100
 
-    crank versions in RPM spec files
+    adapt compat_kex_proposal() test to portable
 
-commit b51f3f172d87cbdb80ca4eb7b2149e56a7647557
+commit 903c556b938fff2d7bff8da2cc460254430963c5
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Sep 26 22:18:40 2022 +0000
+Date:   Thu Feb 2 12:12:52 2023 +0000
 
-    upstream: openssh-9.1
+    upstream: test compat_kex_proposal(); by dtucker@
     
-    OpenBSD-Commit-ID: 5a467b2ee81da01a86adf1ad93b62b1728494e56
+    OpenBSD-Regress-ID: 0e404ee264db546f9fdbf53390689ab5f8d38bf2
 
-commit 4cf8d0c0f3030f594a238bab21a0695735515487
+commit 405fba71962dec8409c0c962408e09049e5624b5
 Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Wed Sep 21 22:26:50 2022 +0000
+Date:   Thu Jan 19 07:53:45 2023 +0000
 
-    upstream: Fix typo. From AlexanderStohr via github PR#343.
+    upstream: Check if we can copy sshd or need to use sudo to do so
     
-    OpenBSD-Commit-ID: a134c9b4039e48803fc6a87f955b0f4a03181497
+    during reexec test. Skip test if neither can work.  Patch from anton@, tweaks
+    from me.
+    
+    OpenBSD-Regress-ID: 731b96ae74d02d5744e1f1a8e51d09877ffd9b6d
 
-commit 8179fed3264d5919899900ed8881d5f9bb57ca33
+commit b2a2a8f69fd7737ea17dc044353c514f2f962f35
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Sep 19 21:39:16 2022 +0000
+Date:   Thu Feb 2 12:10:22 2023 +0000
 
-    upstream: add RequiredRSASize to the list of keywords accepted by
+    upstream: openssh-9.2
     
-    -o; spotted by jmc@
+    OpenBSD-Commit-ID: f7389f32413c74d6e2055f05cf65e7082de03923
+
+commit 12da7823336434a403f25c7cc0c2c6aed0737a35
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Feb 2 12:10:05 2023 +0000
+
+    upstream: fix double-free caused by compat_kex_proposal(); bz3522
     
-    OpenBSD-Commit-ID: fe871408cf6f9d3699afeda876f8adbac86a035e
+    by dtucker@, ok me
+    
+    OpenBSD-Commit-ID: 2bfc37cd2d41f67dad64c17a64cf2cd3806a5c80
 
-commit 5f954929e9f173dd1e279e07d0e8b14fa845814d
-Author: Damien Miller <djm@mindrot.org>
-Date:   Mon Sep 19 20:59:34 2022 +1000
+commit 79efd95ab5ff99f4cb3a955e2d713b3f54fb807e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Wed Feb 1 17:17:26 2023 +1100
 
-    no need for glob.h here
+    Skip connection-timeout test on minix3.
     
-    it also causes portability problems
+    Minix 3's Unix domain sockets don't seem to work the way we expect, so
+    skip connection-timeout test on that platform.  While there, group
+    together all similarly skipped tests and explicitly comment.
 
-commit 03d94a47207d58b3db37eba4f87eb6ae5a63168a
+commit 6b508c4e039619842bcf5a16f8a6b08dd6bec44a
*** 38721 LINES SKIPPED ***