net-misc/openssh: Sync with Gentoo

It's from Gentoo commit 591c528cc536c3e28daaf6356084d356c5e82eec.
2025-09-30 18:12:08 +02:00 · 2022-11-02 14:47:54 +01:00 · 2022-11-02 14:47:54 +01:00 · 8d0734b440
commit 8d0734b440
parent a8467c41ec
15 changed files with 238 additions and 845 deletions
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest
@ -1,6 +1,7 @@
-DIST openssh-8.8p1+x509-13.2.3.diff.gz 1071138 BLAKE2B dfbe53ccfdfe0a3da9bac927c5bb0ccfeb20f1ba69cef2ffb52999e6f6b0a3282e28a888aab40096fe9eed819f4c9b27592a8771d786580b8fa4f507f6b02557 SHA512 e55e9cdcde1b02b2799600083db8c3b85d207b251b99b4efabe8614bedf1daae28e5ed10cbe1f6a2e5ba766fe1eaf41be9e90fefdaae1352808c504fc0f4e7e6
+DIST openssh-9.1_p1-X509-glue-13.5.patch.xz 1092 BLAKE2B 19da945547472048d01a6ec26f28cba11afe1a0590a115582d1e21a852b6b66589b091ab4440d57952200522318aeffb7d9404e53f9532ae80e47685c24c4097 SHA512 96de9f59bacfd99aa9ef03362d55d88b3eea0acc57a11fb72e5c612bfb0f5e48455b0a0d0add9a8a5524b9d4701f47db1ff7859f1d3c2a12947b27292961cbd5
-DIST openssh-8.8p1-sctp-1.2.patch.xz 6744 BLAKE2B 9f99e0abfbfbda2cc1c7c2a465d044c900da862e5a38f01260f388ac089b2e66c5ea7664d71d18b924552ae177e5893cdcbfbccc20eeb3aaeae00b3d552379e3 SHA512 5290c5ef08a418dcc9260812d8e75ce266e22e2258514f11da6fb178e0ae2ef16046523f72a50f74ae7b98e7eb52d16143befc8ce2919041382d314aa05adda0
+DIST openssh-9.1_p1-hpn-15.2-X509-glue.patch.xz 5504 BLAKE2B 776b467ddde16e268536c5632b028a32db22b26d7bc11e2a9fa6c8e29528be3eb781066d6b30fb2f561a73a24c34a29963fcd7c872aa92dc19d715d8ffbf2cbe SHA512 aa753da5f75d90165f5922ead1dd495a15a4c581360d5862ec6f802caea54055da8e308c1919efa8e78b31a7ea082f8693dda0ab84ccee414c562ec062c50fb1
-DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4481e8c74b91ffd2046dc8b6f03d6bf584ecda066c0496acf43cea9ab4085f26a29e34e20736e752f204b8c76c3 SHA512 d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
+DIST openssh-9.1_p1-hpn-15.2-glue.patch.xz 3840 BLAKE2B 06fb14d8c6f52f1c6fae7971fc4da810c814d7b52063f8cc7e83356baa7ed70c84476c1d1cc896eba6d0d51813dc994e3c82278e66c04998431c8123a09fe7df SHA512 99c88c08fb384336a9680629bc04a89121780d64ee8b03ac164c4e446cc30b865004292e98516b6f857bd75e1b4393291427c046ffcabc1578629e6075636cbf
-DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
+DIST openssh-9.1p1+x509-13.5.diff.gz 1213948 BLAKE2B 5663a1c865c80f590642bb855f7d7a17e71e0db099deb4cea5750cfe734bd506b70a1b266fccc2a58174ae2b1b96a7f1ced56382d5d7e741b07e46422b03f7e6 SHA512 70a1f12e98b8fa8170c208803ee482aea2fcf6b9e41ecada5fabaa0288ed5a32574f42a7b50718bb484978f3c65f50e55966c9f555a9de100dc8d695b9aec531
-DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
+DIST openssh-9.1p1-sctp-1.2.patch.xz 6772 BLAKE2B 8393c1ca5f0df7e4d490cef5c38d50d45da83a9c3f650e9af15d95825f9e682a6aaf6a0e85fc1704d41d6567aec8f0b34e43b20652e0141008ccdbe91426dfac SHA512 6750394d0fb7b7f93a0e4f94204e53277cc341c5b2427130559e443557dbb95f2e85a71cfe8d40cfa17dd015b0f3880f79a1f868374e60e94e8385c9b45acec5
-DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
+DIST openssh-9.1p1.tar.gz 1838747 BLAKE2B 287b6b1cc4858b27af88f4a4674670afff1fb5b99461892083393c53ef3747c5a0fcd90cba95d2c27465a919e00f7f42732c93af4f306665ba0393bbb7a534f5 SHA512 a1f02c407f6b621b1d0817d1a0c9a6839b67e416c84f3b76c63003b119035b24c19a1564b22691d1152e1d2d55f4dc7eb1af2d2318751e431a99c4efa77edc70
 DIST openssh-9.1p1.tar.gz.asc 833 BLAKE2B 83efe3c705f6a02c25a9fc9bac2a4efd77470598d9e0fcb86dff2d265c58cffec1afecad3621769b2bd78ac25884f0ee20ae9b311e895db93e3bb552dffd6e74 SHA512 47dc7295f9694250bcbb86d7ca0830a47da4f3df7795bb05ebaf1590284ccce5317022c536bea1b09bd2fa4d8013295cc0de287ebe3f9dc605582077e9f11ddd
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
@ -1,18 +0,0 @@
 diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
 --- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:06:45.020527770 -0700
 +++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-03-16 10:07:01.294423665 -0700
@@ -1414,14 +1414,3 @@
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
  #	X11Forwarding no
 -diff --git a/version.h b/version.h
 -index 6b4fa372..332fb486 100644
 ---- a/version.h
 -+++ b/version.h
 -@@ -3,4 +3,5 @@
 - #define SSH_VERSION	"OpenSSH_8.5"
 - 
 - #define SSH_PORTABLE	"p1"
 --#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 -+#define SSH_HPN         "-hpn15v2"
 -+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
@ -1,13 +0,0 @@
 diff --git a/kex.c b/kex.c
 index 34808b5c..88d7ccac 100644
 --- a/kex.c
 +++ b/kex.c
@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 	if (version_addendum != NULL && *version_addendum == '\0')
 		version_addendum = NULL;
 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
 -	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 +	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
 	    version_addendum == NULL ? "" : " ",
 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
 		oerrno = errno;
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch
@ -1,447 +0,0 @@
 diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
 --- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-31 11:12:46.412119817 -0700
 +++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-31 11:26:11.116026151 -0700
@@ -3,9 +3,9 @@
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
 - CFLAGS_NOPIE=@CFLAGS_NOPIE@
 - CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 - PICFLAG=@PICFLAG@
 + LD=@LD@
 + CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
 + CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
 -LIBS=@LIBS@
 +LIBS=@LIBS@ -lpthread
  K5LIBS=@K5LIBS@
@@ -803,8 +803,8 @@
  ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
  {
  	struct session_state *state;
 --	const struct sshcipher *none = cipher_by_name("none");
 -+	struct sshcipher *none = cipher_by_name("none");
 +-	const struct sshcipher *none = cipher_none();
 ++	struct sshcipher *none = cipher_none();
  	int r;
  	if (none == NULL) {
@@ -894,24 +894,24 @@
  		intptr = &options->compression;
  		multistate_ptr = multistate_compression;
 @@ -2272,6 +2278,7 @@ initialize_options(Options * options)
 - 	options->revoked_host_keys = NULL;
  	options->fingerprint_hash = -1;
  	options->update_hostkeys = -1;
 +	options->known_hosts_command = NULL;
 +	options->disable_multithreaded = -1;
 - 	options->hostbased_accepted_algos = NULL;
 - 	options->pubkey_accepted_algos = NULL;
 - 	options->known_hosts_command = NULL;
 + }
 + 
 + /*
 @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
 + 		options->update_hostkeys = 0;
  	if (options->sk_provider == NULL)
  		options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
 - #endif
 +	if (options->update_hostkeys == -1)
 +		options->update_hostkeys = 0;
 +	if (options->disable_multithreaded == -1)
 +		options->disable_multithreaded = 0;
 - 	/* Expand KEX name lists */
 - 	all_cipher = cipher_alg_list(',', 0);
 + 	/* expand KEX and etc. name lists */
 + {	char *all;
 diff --git a/readconf.h b/readconf.h
 index 2fba866e..7f8f0227 100644
 --- a/readconf.h
@@ -950,9 +950,9 @@
  	/* Portable-specific options */
  	sUsePAM,
 +	sDisableMTAES,
 - 	/* Standard Options */
 - 	sPort, sHostKeyFile, sLoginGraceTime,
 - 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
 + 	/* X.509 Standard Options */
 + 	sHostbasedAlgorithms,
 + 	sPubkeyAlgorithms,
 @@ -662,6 +666,7 @@ static struct {
  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
 diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
 --- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-31 11:12:46.412119817 -0700
 +++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-31 14:17:59.366248683 -0700
@@ -157,6 +157,36 @@
 +	 Allan Jude provided the code for the NoneMac and buffer normalization.
 +         This work was financed, in part, by Cisco System, Inc., the National
 +         Library of Medicine, and the National Science Foundation.
 +diff --git a/auth2.c b/auth2.c
 +--- a/auth2.c	2021-03-15 19:30:45.404060786 -0700
 ++++ b/auth2.c	2021-03-15 19:37:22.078476597 -0700
 +@@ -229,16 +229,17 @@
 + 	double delay;
 + 
 + 	digest_alg = ssh_digest_maxbytes();
 +-	len = ssh_digest_bytes(digest_alg);
 +-	hash = xmalloc(len);
 ++	if (len = ssh_digest_bytes(digest_alg) > 0) {
 ++		hash = xmalloc(len);
 + 
 +-	(void)snprintf(b, sizeof b, "%llu%s",
 +-	    (unsigned long long)options.timing_secret, user);
 +-	if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
 +-		fatal_f("ssh_digest_memory");
 +-	/* 0-4.2 ms of delay */
 +-	delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
 +-	freezero(hash, len);
 ++		(void)snprintf(b, sizeof b, "%llu%s",
 ++		    (unsigned long long)options.timing_secret, user);
 ++		if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
 ++			fatal_f("ssh_digest_memory");
 ++		/* 0-4.2 ms of delay */
 ++		delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
 ++		freezero(hash, len);
 ++	}
 + 	debug3_f("user specific delay %0.3lfms", delay/1000);
 + 	return MIN_FAIL_DELAY_SECONDS + delay;
 + }
 diff --git a/channels.c b/channels.c
 index b60d56c4..0e363c15 100644
 --- a/channels.c
@@ -209,14 +239,14 @@
  static void
  channel_pre_open(struct ssh *ssh, Channel *c,
      fd_set *readset, fd_set *writeset)
 -@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
 +@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
  	if (c->type == SSH_CHANNEL_OPEN &&
  	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
 -	    ((c->local_window_max - c->local_window >
 -	    c->local_maxpacket*3) ||
 -+            ((ssh_packet_is_interactive(ssh) &&
 -+            c->local_window_max - c->local_window > c->local_maxpacket*3) ||
 ++	    ((ssh_packet_is_interactive(ssh) &&
 ++	    c->local_window_max - c->local_window > c->local_maxpacket*3) ||
  	    c->local_window < c->local_window_max/2) &&
  	    c->local_consumed > 0) {
 +		u_int addition = 0;
@@ -235,9 +265,8 @@
  		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
 -		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
 +		    (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
 - 		    (r = sshpkt_send(ssh)) != 0) {
 - 			fatal_fr(r, "channel %i", c->self);
 - 		}
 + 		    (r = sshpkt_send(ssh)) != 0)
 + 			fatal_fr(r, "channel %d", c->self);
 -		debug2("channel %d: window %d sent adjust %d", c->self,
 -		    c->local_window, c->local_consumed);
 -		c->local_window += c->local_consumed;
@@ -337,70 +366,92 @@
 index 70f492f8..5503af1d 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 -@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
 +@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
  	sock = x11_connect_display(ssh);
  	if (sock < 0)
  		return NULL;
 -	c = channel_new(ssh, "x11",
 -	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 --	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
 -+        c = channel_new(ssh, "x11",
 -+			SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 -+			/* again is this really necessary for X11? */
 -+			options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
 -+			CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
 +-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
 +-	    CHANNEL_NONBLOCK_SET);
 ++	c = channel_new(ssh, "x11",
 ++	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 ++	    /* again is this really necessary for X11? */
 ++	    options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
 ++	    CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
  	c->force_drain = 1;
  	return c;
  }
 -@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
 +@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
  		return NULL;
  	}
  	c = channel_new(ssh, "authentication agent connection",
 -	    SSH_CHANNEL_OPEN, sock, sock, -1,
 -	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
 --	    "authentication agent connection", 1);
 -+			SSH_CHANNEL_OPEN, sock, sock, -1,
 -+			options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
 -+			CHAN_TCP_PACKET_DEFAULT, 0,
 -+			"authentication agent connection", 1);
 +-	    "authentication agent connection", CHANNEL_NONBLOCK_SET);
 ++	    SSH_CHANNEL_OPEN, sock, sock, -1,
 ++	    options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
 ++	    CHAN_TCP_PACKET_DEFAULT, 0,
 ++	    "authentication agent connection", CHANNEL_NONBLOCK_SET);
  	c->force_drain = 1;
  	return c;
  }
 -@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
 +@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
  	}
  	debug("Tunnel forwarding using interface %s", ifname);
 -	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 --	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 -+        c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 +-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
 +-	    CHANNEL_NONBLOCK_SET);
 ++	c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 +	    options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
 -+	    CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 ++	    CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
  	c->datagram = 1;
 -+
 -+
  #if defined(SSH_TUN_FILTER)
 - 	if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
 - 		channel_register_filter(ssh, c->self, sys_tun_infilter,
 diff --git a/compat.c b/compat.c
 index 69befa96..90b5f338 100644
 --- a/compat.c
 +++ b/compat.c
 -@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
 - 			debug_f("match: %s pat %s compat 0x%08x",
 +@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
 + static u_int
 + compat_datafellows(const char *version)
 + {
 +-	int i;
 ++	int i, bugs = 0;
 + 	static struct {
 + 		char	*pat;
 + 		int	bugs;
 +@@ -147,11 +147,26 @@
 + 		if (match_pattern_list(version, check[i].pat, 0) == 1) {
 + 			debug("match: %s pat %s compat 0x%08x",
  			    version, check[i].pat, check[i].bugs);
 - 			ssh->compat = check[i].bugs;
 +			/* Check to see if the remote side is OpenSSH and not HPN */
 -+			/* TODO: need to use new method to test for this */
 +			if (strstr(version, "OpenSSH") != NULL) {
 +				if (strstr(version, "hpn") == NULL) {
 -+					ssh->compat |= SSH_BUG_LARGEWINDOW;
 ++					bugs |= SSH_BUG_LARGEWINDOW;
 +					debug("Remote is NON-HPN aware");
 +				}
 +			}
 - 			return;
 +-			return check[i].bugs;
 ++			bugs |= check[i].bugs;
  		}
  	}
 +-	debug("no match: %s", version);
 +-	return 0;
 ++	/* Check to see if the remote side is OpenSSH and not HPN */
 ++	if (strstr(version, "OpenSSH") != NULL) {
 ++		if (strstr(version, "hpn") == NULL) {
 ++			bugs |= SSH_BUG_LARGEWINDOW;
 ++			debug("Remote is NON-HPN aware");
 ++		}
 ++	}
 ++	if (bugs == 0)
 ++		debug("no match: %s", version);
 ++	return bugs;
 + }
 + 
 + char *
 diff --git a/compat.h b/compat.h
 index c197fafc..ea2e17a7 100644
 --- a/compat.h
@@ -459,7 +510,7 @@
 @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
  	int nenc, nmac, ncomp;
  	u_int mode, ctos, need, dh_need, authlen;
 - 	int r, first_kex_follows;
 + 	int r, first_kex_follows = 0;
 +	int auth_flag = 0;
 +
 +	auth_flag = packet_authentication_state(ssh);
@@ -553,7 +604,7 @@
  #define MAX_PACKETS	(1U<<31)
  static int
  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
 -@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
 +@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
  	struct session_state *state = ssh->state;
  	int len, r, ms_remain;
  	fd_set *setp;
@@ -1035,19 +1086,6 @@
  /* Minimum amount of data to read at a time */
  #define MIN_READ_SIZE	512
 -diff --git a/ssh-keygen.c b/ssh-keygen.c
 -index cfb5f115..36a6e519 100644
 ---- a/ssh-keygen.c
 -+++ b/ssh-keygen.c
 -@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
 - 			freezero(pin, strlen(pin));
 - 		error_r(r, "Unable to load resident keys");
 - 		return -1;
 --	}
 -+ 	}
 - 	if (nkeys == 0)
 - 		logit("No keys to download");
 - 	if (pin != NULL)
 diff --git a/ssh.c b/ssh.c
 index 53330da5..27b9770e 100644
 --- a/ssh.c
@@ -1093,7 +1131,7 @@
 +	else
 +		options.hpn_buffer_size = 2 * 1024 * 1024;
 +
 -+	if (ssh->compat & SSH_BUG_LARGEWINDOW) {
 ++	if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
 +		debug("HPN to Non-HPN Connection");
 +	} else {
 +		int sock, socksize;
@@ -1157,14 +1195,14 @@
  	}
 @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
  	    window, packetmax, CHAN_EXTENDED_WRITE,
 - 	    "client-session", /*nonblock*/0);
 + 	    "client-session", CHANNEL_NONBLOCK_STDIO);
 +	if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
 +		c->dynamic_window = 1;
 +		debug("Enabled Dynamic Window Scaling");
 +	}
 +
 - 	debug3_f("channel_new: %d", c->self);
 + 	debug2_f("channel %d", c->self);
  	channel_send_open(ssh, c->self);
 @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
@@ -1335,7 +1373,29 @@
  		/* Bind the socket to the desired port. */
  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
  			error("Bind to port %s on %s failed: %.200s.",
 -@@ -1727,6 +1734,19 @@ main(int ac, char **av)
 +@@ -1625,13 +1632,14 @@
 + 		if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
 + 		    sshbuf_len(server_cfg)) != 0)
 + 			fatal_f("ssh_digest_update");
 +-		len = ssh_digest_bytes(digest_alg);
 +-		hash = xmalloc(len);
 +-		if (ssh_digest_final(ctx, hash, len) != 0)
 +-			fatal_f("ssh_digest_final");
 +-		options.timing_secret = PEEK_U64(hash);
 +-		freezero(hash, len);
 +-		ssh_digest_free(ctx);
 ++		if ((len = ssh_digest_bytes(digest_alg)) > 0) {
 ++			hash = xmalloc(len);
 ++			if (ssh_digest_final(ctx, hash, len) != 0)
 ++				fatal_f("ssh_digest_final");
 ++			options.timing_secret = PEEK_U64(hash);
 ++			freezero(hash, len);
 ++			ssh_digest_free(ctx);
 ++		}
 + 		ctx = NULL;
 + 		return;
 + 	}
 +@@ -1727,6 +1735,19 @@ main(int ac, char **av)
  		fatal("AuthorizedPrincipalsCommand set without "
  		    "AuthorizedPrincipalsCommandUser");
@@ -1355,7 +1415,7 @@
  	/*
  	 * Check whether there is any path through configured auth methods.
  	 * Unfortunately it is not possible to verify this generally before
 -@@ -2166,6 +2186,9 @@ main(int ac, char **av)
 +@@ -2166,6 +2187,9 @@ main(int ac, char **av)
  	    rdomain == NULL ? "" : "\"");
  	free(laddr);
@@ -1365,7 +1425,7 @@
  	/*
  	 * We don't want to listen forever unless the other side
  	 * successfully authenticates itself.  So we set up an alarm which is
 -@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
 +@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
  	struct kex *kex;
  	int r;
@@ -1405,14 +1465,3 @@
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
  #	X11Forwarding no
 -diff --git a/version.h b/version.h
 -index 6b4fa372..332fb486 100644
 ---- a/version.h
 -+++ b/version.h
 -@@ -3,4 +3,5 @@
 - #define SSH_VERSION	"OpenSSH_8.5"
 - 
 - #define SSH_PORTABLE	"p1"
 --#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 -+#define SSH_HPN         "-hpn15v2"
 -+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
 diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
 --- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-08-31 11:12:16.778011216 -0700
 +++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff	2021-08-31 11:13:11.573211934 -0700
@@ -12,9 +12,9 @@
  static long stalled;		/* how long we have been stalled */
  static int bytes_per_second;	/* current speed in bytes per second */
 @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
 + 	off_t bytes_left;
  	int cur_speed;
 - 	int hours, minutes, seconds;
 - 	int file_len;
 + 	int len;
 +	off_t delta_pos;
  	if ((!force_update && !alarm_fired && !win_resized) || !can_output())
@@ -30,15 +30,17 @@
  	if (bytes_left > 0)
  		elapsed = now - last_update;
  	else {
 -@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
 - 
 +@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
 + 	buf[1] = '\0';
 +
  	/* filename */
 - 	buf[0] = '\0';
 --	file_len = win_size - 36;
 -+	file_len = win_size - 45;
 - 	if (file_len > 0) {
 - 		buf[0] = '\r';
 - 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
 +-	if (win_size > 36) {
 ++	if (win_size > 45) {
 +-		int file_len = win_size - 36;
 ++		int file_len = win_size - 45;
 + 		snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
 + 		    file_len, file);
 + 	}
 @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
  	    (off_t)bytes_per_second);
  	strlcat(buf, "/s ", win_size);
@@ -63,15 +65,3 @@
  }
  /*ARGSUSED*/
 -diff --git a/ssh-keygen.c b/ssh-keygen.c
 -index cfb5f115..986ff59b 100644
 ---- a/ssh-keygen.c
 -+++ b/ssh-keygen.c
 -@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
 - 
 - 	if (skprovider == NULL)
 - 		fatal("Cannot download keys without provider");
 --
 - 	pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
 - 	if (!quiet) {
 - 		printf("You may need to touch your authenticator "
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch
@ -1,198 +0,0 @@
 diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
 --- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-20 11:49:32.351767063 -0700
 +++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff	2021-08-20 11:58:08.746214945 -0700
@@ -1026,9 +1026,9 @@
 +	}
 +#endif
 +
 - 	debug("Authentication succeeded (%s).", authctxt.method->name);
 - }
 - 
 + 	if (ssh_packet_connection_is_on_socket(ssh)) {
 + 		verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
 + 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
 diff --git a/sshd.c b/sshd.c
 index 6277e6d6..bf3d6e4a 100644
 --- a/sshd.c
 diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
 --- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-20 11:49:32.351767063 -0700
 +++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-08-20 12:04:45.008038085 -0700
@@ -536,18 +536,10 @@
  	if (state->rekey_limit)
  		*max_blocks = MINIMUM(*max_blocks,
  		    state->rekey_limit / enc->block_size);
 -@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
 +@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
  	return 0;
  }
 -+/* this supports the forced rekeying required for the NONE cipher */
 -+int rekey_requested = 0;
 -+void
 -+packet_request_rekeying(void)
 -+{
 -+	rekey_requested = 1;
 -+}
 -+
 +/* used to determine if pre or post auth when rekeying for aes-ctr
 + * and none cipher switch */
 +int
@@ -561,20 +553,6 @@
  #define MAX_PACKETS	(1U<<31)
  static int
  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
 -@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
 - 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
 - 		return 0;
 - 
 -+	/* used to force rekeying when called for by the none
 -+         * cipher switch methods -cjr */
 -+        if (rekey_requested == 1) {
 -+                rekey_requested = 0;
 -+                return 1;
 -+        }
 -+
 - 	/* Time-based rekeying */
 - 	if (state->rekey_interval != 0 &&
 - 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
 @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
  	struct session_state *state = ssh->state;
  	int len, r, ms_remain;
@@ -598,12 +576,11 @@
  };
  typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
 -@@ -155,6 +158,10 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
 +@@ -155,6 +158,9 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);
  int	 ssh_packet_set_maxsize(struct ssh *, u_int);
  u_int	 ssh_packet_get_maxsize(struct ssh *);
 +/* for forced packet rekeying post auth */
 -+void	 packet_request_rekeying(void);
 +int	 packet_authentication_state(const struct ssh *);
 +
  int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);
@@ -627,9 +604,9 @@
  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
 +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
 +	oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
 + 	oDisableMTAES,
  	oVisualHostKey,
  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
 - 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
 @@ -297,6 +300,9 @@ static struct {
  	{ "kexalgorithms", oKexAlgorithms },
  	{ "ipqos", oIPQoS },
@@ -637,9 +614,9 @@
 +	{ "noneenabled", oNoneEnabled },
 +	{ "nonemacenabled", oNoneMacEnabled },
 +	{ "noneswitch", oNoneSwitch },
 - 	{ "proxyusefdpass", oProxyUseFdpass },
 - 	{ "canonicaldomains", oCanonicalDomains },
 - 	{ "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
 + 	{ "sessiontype", oSessionType },
 + 	{ "stdinnull", oStdinNull },
 + 	{ "forkafterauthentication", oForkAfterAuthentication },
 @@ -317,6 +323,11 @@ static struct {
  	{ "securitykeyprovider", oSecurityKeyProvider },
  	{ "knownhostscommand", oKnownHostsCommand },
@@ -717,9 +694,9 @@
 +	options->hpn_buffer_size = -1;
 +	options->tcp_rcv_buf_poll = -1;
 +	options->tcp_rcv_buf = -1;
 - 	options->proxy_use_fdpass = -1;
 - 	options->ignored_unknown = NULL;
 - 	options->num_canonical_domains = 0;
 + 	options->session_type = -1;
 + 	options->stdin_null = -1;
 + 	options->fork_after_authentication = -1;
 @@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
  		options->server_alive_interval = 0;
  	if (options->server_alive_count_max == -1)
@@ -778,9 +755,9 @@
  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
  	SyslogFacility log_facility;	/* Facility for system logging. */
 @@ -120,7 +124,11 @@ typedef struct {
 - 
  	int	enable_ssh_keysign;
  	int64_t rekey_limit;
 + 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
 +	int     none_switch;    /* Use none cipher */
 +	int     none_enabled;   /* Allow none cipher to be used */
 +  	int     nonemac_enabled;   /* Allow none MAC to be used */
@@ -842,9 +819,9 @@
  	/* Portable-specific options */
  	if (options->use_pam == -1)
 @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
 - 	}
 - 	if (options->permit_tun == -1)
  		options->permit_tun = SSH_TUNMODE_NO;
 + 	if (options->disable_multithreaded == -1)
 + 		options->disable_multithreaded = 0;
 +	if (options->none_enabled == -1)
 +		options->none_enabled = 0;
 +	if (options->nonemac_enabled == -1)
@@ -1047,17 +1024,17 @@
  Note that
 diff --git a/sftp.c b/sftp.c
 index fb3c08d1..89bebbb2 100644
 ---- a/sftp.c
 -+++ b/sftp.c
 -@@ -71,7 +71,7 @@ typedef void EditLine;
 - #include "sftp-client.h"
 - 
 - #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */
 --#define DEFAULT_NUM_REQUESTS	64	/* # concurrent outstanding requests */
 -+#define DEFAULT_NUM_REQUESTS	256	/* # concurrent outstanding requests */
 +--- a/sftp-client.c
 ++++ b/sftp-client.c
 +@@ -65,7 +65,7 @@ typedef void EditLine;
 + #define DEFAULT_COPY_BUFLEN	32768
 + 
 + /* Default number of concurrent outstanding requests */
 +-#define DEFAULT_NUM_REQUESTS	64
 ++#define DEFAULT_NUM_REQUESTS	256
 - /* File to read commands from */
 - FILE* infile;
 + /* Minimum amount of data to read at a time */
 + #define MIN_READ_SIZE	512
 diff --git a/ssh-keygen.c b/ssh-keygen.c
 index cfb5f115..36a6e519 100644
 --- a/ssh-keygen.c
@@ -1330,9 +1307,9 @@
 +		}
 +	}
 +
 - 	debug("Authentication succeeded (%s).", authctxt.method->name);
 - }
 + #ifdef WITH_OPENSSL
 + 	if (options.disable_multithreaded == 0) {
 diff --git a/sshd.c b/sshd.c
 index 6277e6d6..d66fa41a 100644
 --- a/sshd.c
@@ -1359,8 +1336,8 @@
  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
  			error("Bind to port %s on %s failed: %.200s.",
 @@ -1727,6 +1734,19 @@ main(int ac, char **av)
 - 	/* Fill in default values for those options not explicitly set. */
 - 	fill_default_server_options(&options);
 + 		fatal("AuthorizedPrincipalsCommand set without "
 + 		    "AuthorizedPrincipalsCommandUser");
 +	if (options.none_enabled == 1) {
 +		char *old_ciphers = options.ciphers;
@@ -1375,9 +1352,9 @@
 +		}
 +	}
 +
 - 	/* challenge-response is implemented via keyboard interactive */
 - 	if (options.challenge_response_authentication)
 - 		options.kbd_interactive_authentication = 1;
 + 	/*
 + 	 * Check whether there is any path through configured auth methods.
 + 	 * Unfortunately it is not possible to verify this generally before
 @@ -2166,6 +2186,9 @@ main(int ac, char **av)
  	    rdomain == NULL ? "" : "\"");
  	free(laddr);
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
@ -1,63 +0,0 @@
 diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x509-13.2.3.diff
 --- a/openssh-8.8p1+x509-13.2.3.diff	2021-10-29 14:59:17.070546984 -0700
 +++ b/openssh-8.8p1+x509-13.2.3.diff	2021-10-29 14:59:55.086664489 -0700
@@ -954,15 +954,16 @@
  	char b[512];
 -	size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
 -	u_char *hash = xmalloc(len);
 +-	double delay;
 +	int digest_alg;
 +	size_t len;
 +	u_char *hash;
 - 	double delay;
 - 
 ++	double delay = 0;
 ++
 +	digest_alg = ssh_digest_maxbytes();
 +	len = ssh_digest_bytes(digest_alg);
 +	hash = xmalloc(len);
 -+
 +
  	(void)snprintf(b, sizeof b, "%llu%s",
  	    (unsigned long long)options.timing_secret, user);
 -	if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
@@ -51859,12 +51860,11 @@
  install-files:
  	$(MKDIR_P) $(DESTDIR)$(bindir)
 -@@ -391,6 +372,8 @@
 +@@ -391,6 +372,7 @@
  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
 +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
 -+	$(MKDIR_P) $(DESTDIR)$(piddir)
  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -71985,7 +71985,7 @@
 +if test "$sshd_type" = "pkix" ; then
 +  unset_arg=''
 +else
 -+  unset_arg=none
 ++  unset_arg=
 +fi
 +
  cat > $OBJ/sshd_config.i << _EOF
@@ -132360,16 +132360,6 @@
 +int	 asnmprintf(char **, size_t, int *, const char *, ...)
  	    __attribute__((format(printf, 4, 5)));
  void	 msetlocale(void);
 -diff -ruN openssh-8.8p1/version.h openssh-8.8p1+x509-13.2.3/version.h
 ---- openssh-8.8p1/version.h	2021-09-26 17:03:19.000000000 +0300
 -+++ openssh-8.8p1+x509-13.2.3/version.h	2021-10-23 16:27:00.000000000 +0300
 -@@ -2,5 +2,4 @@
 - 
 - #define SSH_VERSION	"OpenSSH_8.8"
 - 
 --#define SSH_PORTABLE	"p1"
 --#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 -+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
 diff -ruN openssh-8.8p1/version.m4 openssh-8.8p1+x509-13.2.3/version.m4
 --- openssh-8.8p1/version.m4	1970-01-01 02:00:00.000000000 +0200
 +++ openssh-8.8p1+x509-13.2.3/version.m4	2021-10-23 16:27:00.000000000 +0300
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.9_p1-allow-ppoll_time64.patch
@ -0,0 +1,14 @@
 diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
 index 2e065ba3..4ce80cb2 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_ppoll
 	SC_ALLOW(__NR_ppoll),
 #endif
 +#ifdef __NR_ppoll_time64
 +	SC_ALLOW(__NR_ppoll_time64),
 +#endif
 #ifdef __NR_poll
 	SC_ALLOW(__NR_poll),
 #endif
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
@ -0,0 +1,13 @@
 diff --git a/gss-serv.c b/gss-serv.c
 index b5d4bb2d..00e3d118 100644
 --- a/gss-serv.c
 +++ b/gss-serv.c
@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
 		gss_create_empty_oid_set(&status, &oidset);
 		gss_add_oid_set_member(&status, ctx->oid, &oidset);
 -		if (gethostname(lname, MAXHOSTNAMELEN)) {
 +		if (gethostname(lname, HOST_NAME_MAX)) {
 			gss_release_oid_set(&status, &oidset);
 			return (-1);
 		}
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.4.1.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.0_p1-X509-glue-13.4.1.patch
@ -0,0 +1,54 @@
 diff -ur '--exclude=.*.un~' a/openssh-9.0p1+x509-13.4.1.diff b/openssh-9.0p1+x509-13.4.1.diff
 --- a/openssh-9.0p1+x509-13.4.1.diff	2022-06-23 10:43:33.957093896 -0700
 +++ b/openssh-9.0p1+x509-13.4.1.diff	2022-06-23 10:44:17.232396805 -0700
@@ -48941,8 +48941,8 @@
  		gss_create_empty_oid_set(&status, &oidset);
  		gss_add_oid_set_member(&status, ctx->oid, &oidset);
 --		if (gethostname(lname, MAXHOSTNAMELEN)) {
 -+		if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
 +-		if (gethostname(lname, HOST_NAME_MAX)) {
 ++		if (gethostname(lname, HOST_NAME_MAX) == -1) {
  			gss_release_oid_set(&status, &oidset);
  			return (-1);
  		}
@@ -57102,12 +57102,11 @@
  install-files:
  	$(MKDIR_P) $(DESTDIR)$(bindir)
 -@@ -395,6 +372,8 @@
 +@@ -395,6 +372,7 @@
  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
 +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
 -+	$(MKDIR_P) $(DESTDIR)$(piddir)
  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -78638,7 +78637,7 @@
 +if test "$sshd_type" = "pkix" ; then
 +  unset_arg=''
 +else
 -+  unset_arg=none
 ++  unset_arg=''
 +fi
 +
  cat > $OBJ/sshd_config.i << _EOF
@@ -143777,16 +143776,6 @@
 +int	 asnmprintf(char **, size_t, int *, const char *, ...)
  	    __attribute__((format(printf, 4, 5)));
  void	 msetlocale(void);
 -diff -ruN openssh-9.0p1/version.h openssh-9.0p1+x509-13.4.1/version.h
 ---- openssh-9.0p1/version.h	2022-04-06 03:47:48.000000000 +0300
 -+++ openssh-9.0p1+x509-13.4.1/version.h	2022-06-23 09:07:00.000000000 +0300
 -@@ -2,5 +2,4 @@
 - 
 - #define SSH_VERSION	"OpenSSH_9.0"
 - 
 --#define SSH_PORTABLE	"p1"
 --#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 -+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
 diff -ruN openssh-9.0p1/version.m4 openssh-9.0p1+x509-13.4.1/version.m4
 --- openssh-9.0p1/version.m4	1970-01-01 02:00:00.000000000 +0200
 +++ openssh-9.0p1+x509-13.4.1/version.m4	2022-06-23 09:07:00.000000000 +0300
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.1_p1-build-tests.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.1_p1-build-tests.patch
@ -0,0 +1,13 @@
 diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in
 index dd8cdc4b7..c446f0aa2 100644
 --- a/openbsd-compat/regress/Makefile.in
 +++ b/openbsd-compat/regress/Makefile.in
@@ -10,7 +10,7 @@ CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. -I$(srcdir)/../.. @CPPFLAGS@ @DEFS@
 EXEEXT=@EXEEXT@
 LIBCOMPAT=../libopenbsd-compat.a
 -LIBS=@LIBS@
 +LIBS=@LIBS@ -lssl -lcrypto
 LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
 TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.confd
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.confd
@ -0,0 +1,33 @@
 # /etc/conf.d/sshd: config file for /etc/init.d/sshd
 # Where is your sshd_config file stored?
 SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
 # Any random options you want to pass to sshd.
 # See the sshd(8) manpage for more info.
 SSHD_OPTS=""
 # Wait one second (length chosen arbitrarily) to see if sshd actually
 # creates a PID file, or if it crashes for some reason like not being
 # able to bind to the address in ListenAddress.
 #SSHD_SSD_OPTS="--wait 1000"
 # Pid file to use (needs to be absolute path).
 #SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
 # Path to the sshd binary (needs to be absolute path).
 #SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
 # Path to the ssh-keygen binary (needs to be absolute path).
 #SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.initd
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r1.initd
@ -1,5 +1,5 @@
 #!/sbin/openrc-run
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 extra_commands="checkconfig"
@ -72,23 +72,10 @@ start_pre() {
 }
 stop_pre() {
 	if [ "${RC_CMD}" = "restart" ] ; then
 	# If this is a restart, check to make sure the user's config
 	# isn't busted before we stop the running daemon.
 	if [ "${RC_CMD}" = "restart" ] ; then
 		checkconfig || return $?
 	elif yesno "${RC_GOINGDOWN}" && [ -s "${pidfile}" ] && hash pgrep 2>/dev/null ; then
 		# Disconnect any clients before killing the master process
 		local pid=$(cat "${pidfile}" 2>/dev/null)
 		if [ -n "${pid}" ] ; then
 			local ssh_session_pattern='sshd: \S.*@pts/[0-9]+'
 			IFS="${IFS}@"
 			local daemon pid pty user
 			pgrep -a -P ${pid} -f "$ssh_session_pattern" | while read pid daemon user pty ; do
 				ewarn "Found ${daemon%:} session ${pid} on ${pty}; sending SIGTERM ..."
 				kill "${pid}" || true
 			done
 		fi
 	fi
 }
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket
@ -5,7 +5,6 @@ Conflicts=sshd.service
 [Socket]
 ListenStream=22
 Accept=yes
 TriggerLimitBurst=0
 [Install]
 WantedBy=sockets.target
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml
@ -20,7 +20,6 @@ the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign,
 ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
 	</longdescription>
 	<use>
    <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
 		<flag name="scp">Enable scp command with known security problems. See bug 733802</flag>
 		<flag name="hpn">Enable high performance ssh</flag>
 		<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
@ -32,6 +31,7 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and
 	</use>
 	<upstream>
 		<remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
 		<remote-id type="github">openssh/openssh-portable</remote-id>
 		<remote-id type="sourceforge">hpnssh</remote-id>
 	</upstream>
 </pkgmetadata>
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.8_p1-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.8_p1-r3.ebuild
@ -1,9 +1,9 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=7
-inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
+inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
 # Make it more portable between straight releases
 # and _p? releases.
@ -19,24 +19,39 @@ HPN_PATCHES=(
 	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
 	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
 )
 HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-glue.patch"
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
+SCTP_VER="1.2"
-X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
 X509_VER="13.5"
 X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
 X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
 X509_HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-X509-glue.patch"
 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="https://www.openssh.com/"
 SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
 	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
+	${HPN_VER:+hpn? (
-	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+		$(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}")
 		https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz
 	)}
 	${X509_PATCH:+X509? (
 		https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
 		https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz
 		${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )}
 	)}
 	verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
 "
 VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
 S="${WORKDIR}/${PARCH}"
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
+IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
 RESTRICT="!test? ( test )"
@ -53,11 +68,13 @@ REQUIRED_USE="
 # tests currently fail with XMSS
 REQUIRED_USE+="test? ( !xmss )"
 # Blocker on older gcc-config for bug #872416
 LIB_DEPEND="
 	!<sys-devel/gcc-config-2.6
 	audit? ( sys-process/audit[static-libs(+)] )
 	ldns? (
 		net-libs/ldns[static-libs(+)]
-		net-libs/ldns[ecdsa,ssl(+)]
+		net-libs/ldns[ecdsa(+),ssl(+)]
 	)
 	libedit? ( dev-libs/libedit:=[static-libs(+)] )
 	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
@ -81,27 +98,45 @@ DEPEND="${RDEPEND}
 "
 RDEPEND="${RDEPEND}
 	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
+	!prefix? ( sys-apps/shadow )
 	X? ( x11-apps/xauth )
 "
 # Weird dep construct for newer gcc-config for bug #872416
 BDEPEND="
 	virtual/pkgconfig
 	sys-devel/autoconf
 	virtual/pkgconfig
 	|| (
 		>=sys-devel/gcc-config-2.6
 		>=sys-devel/clang-toolchain-symlinks-14-r1:14
 		>=sys-devel/clang-toolchain-symlinks-15-r1:15
 		>=sys-devel/clang-toolchain-symlinks-16-r1:*
 	)
 	verify-sig? ( sec-keys/openpgp-keys-openssh )
 "
 PATCHES=(
 	"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
 	"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
 	"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
 	"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
 	"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
 	"${FILESDIR}/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
 	"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
 	"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
 	"${FILESDIR}/${PN}-9.1_p1-build-tests.patch"
 )
 pkg_pretend() {
 	# this sucks, but i'd rather have people unable to `emerge -u openssh`
 	# than not be able to log in to their server any more
-	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local missing=()
-	local fail="
+	check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
-		$(use hpn && maybe_fail hpn HPN_VER)
+	check_feature hpn HPN_VER
-		$(use sctp && maybe_fail sctp SCTP_PATCH)
+	check_feature sctp SCTP_PATCH
-		$(use X509 && maybe_fail X509 X509_PATCH)
+	check_feature X509 X509_PATCH
-	"
+	if [[ ${#missing[@]} -ne 0 ]] ; then
 	fail=$(echo ${fail})
 	if [[ -n ${fail} ]] ; then
 		eerror "Sorry, but this version does not yet support features"
-		eerror "that you requested:	 ${fail}"
+		eerror "that you requested: ${missing[*]}"
 		eerror "Please mask ${PF} for now and check back later:"
 		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
 		die "Missing requested third party patch."
@ -114,6 +149,13 @@ pkg_pretend() {
 	fi
 }
 src_unpack() {
 	default
 	# We don't have signatures for HPN, X509, so we have to write this ourselves
 	use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
 }
 src_prepare() {
 	sed -i \
 		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
@ -122,12 +164,7 @@ src_prepare() {
 	# don't break .ssh/authorized_keys2 for fun
 	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
+	eapply "${PATCHES[@]}"
 	eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
 	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
 	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
 	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
 	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
 	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
@ -135,10 +172,11 @@ src_prepare() {
 	if use X509 ; then
 		pushd "${WORKDIR}" &>/dev/null || die
-		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
+		eapply "${WORKDIR}/${X509_GLUE_PATCH}"
 		popd &>/dev/null || die
 		eapply "${WORKDIR}"/${X509_PATCH%.*}
 		eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
 		# We need to patch package version or any X.509 sshd will reject our ssh client
 		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
@ -175,8 +213,8 @@ src_prepare() {
 		mkdir "${hpn_patchdir}" || die
 		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
 		pushd "${hpn_patchdir}" &>/dev/null || die
-		eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch
+		eapply "${WORKDIR}/${HPN_GLUE_PATCH}"
-		use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
+		use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}"
 		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
 		popd &>/dev/null || die
@ -295,14 +333,13 @@ src_configure() {
 		# We apply the sctp patch conditionally, so can't pass --without-sctp
 		# unconditionally else we get unknown flag warnings.
 		$(use sctp && use_with sctp)
-		$(use_with ldns ldns "${EPREFIX}"/usr)
+		$(use_with ldns)
 		$(use_with libedit)
 		$(use_with pam)
 		$(use_with pie)
 		$(use_with selinux)
 		$(usex X509 '' "$(use_with security-key security-key-builtin)")
 		$(use_with ssl openssl)
 		$(use_with ssl md5-passwords)
 		$(use_with ssl ssl-engine)
 		$(use_with !elibc_Cygwin hardening) #659210
 	)
@ -313,41 +350,27 @@ src_configure() {
 		myconf+=( --disable-utmp --disable-wtmp )
 	fi
-	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
-	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+	# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
 	tc-is-clang && myconf+=( --without-hardening )
 	econf "${myconf[@]}"
 }
 src_test() {
-	local t skipped=() failed=() passed=()
+	local tests=( compat-tests )
 	local tests=( interop-tests compat-tests )
 	local shell=$(egetshell "${UID}")
 	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
-		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
-		elog "user, so we will run a subset only."
+		ewarn "user, so we will run a subset only."
-		skipped+=( tests )
+		tests+=( interop-tests )
 	else
 		tests+=( tests )
 	fi
-	# It will also attempt to write to the homedir .ssh.
+	local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
-	local sshhome=${T}/homedir
+	mkdir -p "${HOME}"/.ssh || die
-	mkdir -p "${sshhome}"/.ssh
+	emake -j1 "${tests[@]}" </dev/null
 	for t in "${tests[@]}" ; do
 		# Some tests read from stdin ...
 		HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
 			SUDO="" SSH_SK_PROVIDER="" \
 			TEST_SSH_UNSAFE_PERMISSIONS=1 \
 			emake -k -j1 ${t} </dev/null \
 				&& passed+=( "${t}" ) \
 				|| failed+=( "${t}" )
 	done
 	einfo "Passed tests: ${passed[*]}"
 	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
 	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
 }
 # Gentoo tweaks to default config files.
@ -402,6 +425,8 @@ src_install() {
 	emake install-nokeys DESTDIR="${D}"
 	fperms 600 /etc/ssh/sshd_config
 	dobin contrib/ssh-copy-id
 	newinitd "${FILESDIR}"/sshd-r1.initd sshd
 	newconfd "${FILESDIR}"/sshd-r1.confd sshd
 	if use pam; then
 		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
@ -416,13 +441,6 @@ src_install() {
 	diropts -m 0700
 	dodir /etc/skel/.ssh
 	# https://bugs.gentoo.org/733802
 	if ! use scp; then
 		rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
 			|| die "failed to remove scp"
 	fi
 	rmdir "${ED}"/var/empty || die
 	systemd_dounit "${FILESDIR}"/sshd.{service,socket}