Ports: Update openssh to 9.0

2024-07-22 10:36:24 +00:00 · 2022-04-30 10:58:10 +00:00 · 2022-04-30 10:58:10 +00:00 · 7b76bc2b49
parent 6020364476
commit 7b76bc2b49
8 changed files with 129 additions and 127 deletions
--- a/Ports/AvailablePorts.md
+++ b/Ports/AvailablePorts.md
@ -153,7 +153,7 @@ Please make sure to keep this list up to date when adding and updating ports. :^
 | [`npth`](npth/)                        | New GNU Portable Threads Library                                | 1.6                      | https://gnupg.org/software/npth/index.html                                     |
 | [`ntbtls`](ntbtls/)                    | The Not Too Bad TLS Library                                     | 0.2.0                    | https://gnupg.org/software/ntbtls/index.html                                   |
 | [`nyancat`](nyancat/)                  | Nyancat                                                         |                          | https://github.com/klange/nyancat                                              |
-| [`openssh`](openssh/)                  | OpenSSH                                                         | 8.3-9ca7e9c              | https://github.com/openssh/openssh-portable                                    |
+| [`openssh`](openssh/)                  | OpenSSH                                                         | 9.0-94eb685              | https://github.com/openssh/openssh-portable                                    |
 | [`openssl`](openssl/)                  | OpenSSL                                                         | 1.1.1n                   | https://www.openssl.org/                                                       |
 | [`openttd`](openttd/)                  | OpenTTD                                                         | 12.2                     | https://www.openttd.org/                                                       |
 | [`openttd-opengfx`](openttd-opengfx/)  | OpenGFX graphics for OpenTTD                                    | 7.1                      | https://www.openttd.org/                                                       |
--- a/Ports/openssh/package.sh
+++ b/Ports/openssh/package.sh
@ -1,8 +1,8 @@
 #!/usr/bin/env -S bash ../.port_include.sh
 port=openssh
-workdir=openssh-portable-9ca7e9c861775dd6c6312bc8aaab687403d24676
-version=8.3-9ca7e9c
-files="https://github.com/openssh/openssh-portable/archive/9ca7e9c861775dd6c6312bc8aaab687403d24676.tar.gz openssh-8.3-9ca7e9c.tar.gz 78e3051cd76e505b1c9ea4fdcc108f47c64d4db058dad4f776908ed0229f6234"
+workdir=openssh-portable-94eb6858efecc1b4f02d8a6bd35e149f55c814c8
+version=9.0-94eb685
+files="https://github.com/openssh/openssh-portable/archive/94eb6858efecc1b4f02d8a6bd35e149f55c814c8.tar.gz openssh-9.0-94eb685.tar.gz 8a6bfb4c21d32f4e82d6d7734cd68585337cdd57428a2799295e1b1e72c332b5"
 auth_type=sha256
 depends=("zlib" "openssl")
 useconfigure=true
--- a/Ports/openssh/patches/missing_functionality.patch
+++ b/Ports/openssh/patches/missing_functionality.patch
@ -1,9 +1,9 @@
-08ba07f3ef1eb9cc40204cda0af3886ee071fd47 Ifdef out unimplemented functionality
+Ifdef out unimplemented functionality
 diff --git a/atomicio.c b/atomicio.c
-index e00c9f0d..e51a9999 100644
+index 7650733..7a195f5 100644
 --- a/atomicio.c
 +++ b/atomicio.c
-@@ -120,7 +120,7 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
+@@ -119,7 +119,7 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
 	memcpy(iov, _iov, (size_t)iovcnt * sizeof(*_iov));
 
 	pfd.fd = fd;
@ -13,7 +13,7 @@ index e00c9f0d..e51a9999 100644
 #else
 	pfd.events = POLLIN|POLLOUT;
 diff --git a/defines.h b/defines.h
-index b8ea88b2..1089ee18 100644
+index 279e509..5fb970a 100644
 --- a/defines.h
 +++ b/defines.h
@@ -55,8 +55,13 @@ enum
@ -31,7 +31,7 @@ index b8ea88b2..1089ee18 100644
 # define IPTOS_LOWDELAY          0x10
 # define IPTOS_THROUGHPUT        0x08
 diff --git a/dns.c b/dns.c
-index e4f9bf83..779886fa 100644
+index f2310be..f39db58 100644
 --- a/dns.c
 +++ b/dns.c
@@ -25,6 +25,8 @@
@ -43,14 +43,14 @@ index e4f9bf83..779886fa 100644
 #include "includes.h"
 
 #include <sys/types.h>
-@@ -353,3 +355,5 @@ export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
+@@ -338,3 +340,5 @@ export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
 
 	return success;
 }
 +
 +#endif
 diff --git a/dns.h b/dns.h
-index 91f3c632..0de0a81b 100644
+index c9b61c4..2b9f153 100644
 --- a/dns.h
 +++ b/dns.h
@@ -25,6 +25,8 @@
@ -62,14 +62,14 @@ index 91f3c632..0de0a81b 100644
 #ifndef DNS_H
 #define DNS_H
 
-@@ -56,3 +58,5 @@ int	verify_host_key_dns(const char *, struct sockaddr *,
+@@ -57,3 +59,5 @@ int	verify_host_key_dns(const char *, struct sockaddr *,
 int	export_dns_rr(const char *, struct sshkey *, FILE *, int);
 
 #endif /* DNS_H */
 +
 +#endif
 diff --git a/hostfile.c b/hostfile.c
-index a4a35597..699d7f2c 100644
+index bd49e3a..34030f1 100644
 --- a/hostfile.c
 +++ b/hostfile.c
@@ -44,7 +44,9 @@
@ -83,10 +83,10 @@ index a4a35597..699d7f2c 100644
 #include <stdio.h>
 #include <stdlib.h>
 diff --git a/includes.h b/includes.h
-index 0fd71792..405d3aa2 100644
+index 6d17ef6..eef913a 100644
 --- a/includes.h
 +++ b/includes.h
-@@ -110,7 +110,9 @@
+@@ -109,7 +109,9 @@
 #endif
 
 #include <netinet/in.h>
@ -97,10 +97,10 @@ index 0fd71792..405d3aa2 100644
 # include <rpc/types.h> /* For INADDR_LOOPBACK */
 #endif
 diff --git a/loginrec.c b/loginrec.c
-index e5289deb..c670f0be 100644
+index 4f21499..574e3a1 100644
 --- a/loginrec.c
 +++ b/loginrec.c
-@@ -460,7 +460,7 @@ login_write(struct logininfo *li)
+@@ -461,7 +461,7 @@ login_write(struct logininfo *li)
 #ifdef USE_WTMP
 	wtmp_write_entry(li);
 #endif
@ -109,7 +109,7 @@ index e5289deb..c670f0be 100644
 	utmpx_write_entry(li);
 #endif
 #ifdef USE_WTMPX
-@@ -493,7 +493,7 @@ login_utmp_only(struct logininfo *li)
+@@ -494,7 +494,7 @@ login_utmp_only(struct logininfo *li)
 # ifdef USE_WTMP
 	wtmp_write_entry(li);
 # endif
@ -118,7 +118,7 @@ index e5289deb..c670f0be 100644
 	utmpx_write_entry(li);
 # endif
 # ifdef USE_WTMPX
-@@ -724,7 +724,7 @@ construct_utmp(struct logininfo *li,
+@@ -725,7 +725,7 @@ construct_utmp(struct logininfo *li,
  ** variations.
  **/
 
@ -127,7 +127,7 @@ index e5289deb..c670f0be 100644
 /* build the utmpx structure */
 void
 set_utmpx_time(struct logininfo *li, struct utmpx *utx)
-@@ -983,7 +983,7 @@ utmp_write_entry(struct logininfo *li)
+@@ -987,7 +987,7 @@ utmp_write_entry(struct logininfo *li)
  **/
 
 /* not much point if we don't want utmpx entries */
@ -137,10 +137,10 @@ index e5289deb..c670f0be 100644
 /* if we have the wherewithall, use pututxline etc. */
 # if !defined(DISABLE_PUTUTXLINE) && defined(HAVE_SETUTXENT) && \
 diff --git a/misc.c b/misc.c
-index 554ceb0b..67464ef2 100644
+index 85d2236..bc06094 100644
 --- a/misc.c
 +++ b/misc.c
-@@ -50,7 +50,9 @@
+@@ -44,7 +44,9 @@
 #include <unistd.h>
 
 #include <netinet/in.h>
@ -151,7 +151,7 @@ index 554ceb0b..67464ef2 100644
 #include <netinet/tcp.h>
 #include <arpa/inet.h>
 diff --git a/openbsd-compat/getrrsetbyname-ldns.c b/openbsd-compat/getrrsetbyname-ldns.c
-index 4647b623..d684f6fb 100644
+index 4647b62..d684f6f 100644
 --- a/openbsd-compat/getrrsetbyname-ldns.c
 +++ b/openbsd-compat/getrrsetbyname-ldns.c
@@ -43,6 +43,8 @@
@ -170,7 +170,7 @@ index 4647b623..d684f6fb 100644
 +
 +#endif
 diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
-index dc6fe053..9e7fefd0 100644
+index cc1f8ae..57999ed 100644
 --- a/openbsd-compat/getrrsetbyname.c
 +++ b/openbsd-compat/getrrsetbyname.c
@@ -45,6 +45,8 @@
@ -182,14 +182,14 @@ index dc6fe053..9e7fefd0 100644
 #include "includes.h"
 
 #if !defined (HAVE_GETRRSETBYNAME) && !defined (HAVE_LDNS)
-@@ -608,3 +610,5 @@ count_dns_rr(struct dns_rr *p, u_int16_t class, u_int16_t type)
+@@ -607,3 +609,5 @@ count_dns_rr(struct dns_rr *p, u_int16_t class, u_int16_t type)
 }
 
 #endif /*  !defined (HAVE_GETRRSETBYNAME) && !defined (HAVE_LDNS) */
 +
 +#endif
 diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
-index 1283f550..0b33705e 100644
+index 1283f55..0b33705 100644
 --- a/openbsd-compat/getrrsetbyname.h
 +++ b/openbsd-compat/getrrsetbyname.h
@@ -45,6 +45,8 @@
@ -208,20 +208,20 @@ index 1283f550..0b33705e 100644
 +
 +#endif
 diff --git a/openbsd-compat/mktemp.c b/openbsd-compat/mktemp.c
-index 4eb52f42..50e1bb12 100644
+index ac922c1..1ebb975 100644
 --- a/openbsd-compat/mktemp.c
 +++ b/openbsd-compat/mktemp.c
@@ -34,7 +34,7 @@
 #include <ctype.h>
 #include <unistd.h>
 
-#if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP)
-+#if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP) && !defined(__serenity__)
+-#if !defined(HAVE_MKDTEMP)
+#if !defined(HAVE_MKDTEMP) || !defined(__serenity__)
 
 #define MKTEMP_NAME	0
 #define MKTEMP_FILE	1
 diff --git a/readconf.c b/readconf.c
-index 2afcbaec..034ad492 100644
+index f26faba..56122d8 100644
 --- a/readconf.c
 +++ b/readconf.c
@@ -21,7 +21,9 @@
@ -234,7 +234,7 @@ index 2afcbaec..034ad492 100644
 #include <netinet/ip.h>
 #include <arpa/inet.h>
 
-@@ -1064,11 +1066,12 @@ parse_time:
+@@ -1134,11 +1136,12 @@ parse_time:
 	case oCheckHostIP:
 		intptr = &options->check_host_ip;
 		goto parse_flag;
@ -249,10 +249,10 @@ index 2afcbaec..034ad492 100644
 	case oStrictHostKeyChecking:
 		intptr = &options->strict_host_key_checking;
 diff --git a/regress/netcat.c b/regress/netcat.c
-index fe94dd90..57c52d3b 100644
+index 20ec3f5..55e087e 100644
 --- a/regress/netcat.c
 +++ b/regress/netcat.c
-@@ -1369,7 +1369,9 @@ usage(int ret)
+@@ -1384,7 +1384,9 @@ usage(int ret)
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
@ -263,7 +263,7 @@ index fe94dd90..57c52d3b 100644
 #define SOCKS_PORT	"1080"
 #define HTTP_PROXY_PORT	"3128"
 diff --git a/sandbox-pledge.c b/sandbox-pledge.c
-index d28fc272..a244241c 100644
+index 302f1cf..693a443 100644
 --- a/sandbox-pledge.c
 +++ b/sandbox-pledge.c
@@ -21,7 +21,9 @@
@ -277,10 +277,10 @@ index d28fc272..a244241c 100644
 #include <sys/wait.h>
 
 diff --git a/servconf.c b/servconf.c
-index ba0a92c7..02b68a9a 100644
+index 9d9681f..c418509 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -20,7 +20,9 @@
+@@ -21,7 +21,9 @@
 #endif
 
 #include <netinet/in.h>
@ -291,18 +291,18 @@ index ba0a92c7..02b68a9a 100644
 #ifdef HAVE_NET_ROUTE_H
 #include <net/route.h>
 diff --git a/ssh-add.c b/ssh-add.c
-index a40198ab..e218270b 100644
+index 7555477..ea8e27c 100644
 --- a/ssh-add.c
 +++ b/ssh-add.c
-@@ -535,6 +535,7 @@ lock_agent(int agent_fd, int lock)
+@@ -577,6 +577,7 @@ lock_agent(int agent_fd, int lock)
 	return (ret);
 }
 
 +#ifndef __serenity__
 static int
- load_resident_keys(int agent_fd, const char *skprovider, int qflag)
- {
-@@ -583,6 +584,7 @@ load_resident_keys(int agent_fd, const char *skprovider, int qflag)
+ load_resident_keys(int agent_fd, const char *skprovider, int qflag,
+     struct dest_constraint **dest_constraints, size_t ndest_constraints)
+@@ -628,6 +629,7 @@ load_resident_keys(int agent_fd, const char *skprovider, int qflag,
 		return SSH_ERR_KEY_NOT_FOUND;
 	return ok == 1 ? 0 : ok;
 }
@ -310,7 +310,7 @@ index a40198ab..e218270b 100644
 
 static int
 do_file(int agent_fd, int deleting, int key_only, char *file, int qflag,
-@@ -775,6 +777,7 @@ main(int argc, char **argv)
+@@ -964,6 +966,7 @@ main(int argc, char **argv)
 			ret = 1;
 		goto done;
 	}
@ -318,7 +318,7 @@ index a40198ab..e218270b 100644
 	if (do_download) {
 		if (skprovider == NULL)
 			fatal("Cannot download keys without provider");
-@@ -782,6 +785,7 @@ main(int argc, char **argv)
+@@ -972,6 +975,7 @@ main(int argc, char **argv)
 			ret = 1;
 		goto done;
 	}
@ -327,10 +327,10 @@ index a40198ab..e218270b 100644
 		char buf[PATH_MAX];
 		struct passwd *pw;
 diff --git a/ssh-agent.c b/ssh-agent.c
-index e081413b..811dc115 100644
+index 03ae2b0..c1b6350 100644
 --- a/ssh-agent.c
 +++ b/ssh-agent.c
-@@ -1308,10 +1308,12 @@ main(int ac, char **av)
+@@ -2146,10 +2146,12 @@ main(int ac, char **av)
 	 * a few spare for libc / stack protectors / sanitisers, etc.
 	 */
 #define SSH_AGENT_MIN_FDS (3+1+1+1+4)
@ -344,10 +344,10 @@ index e081413b..811dc115 100644
 	parent_pid = getpid();
 
 diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 2c5c75db..85e8a9e2 100644
+index d62fab3..1443c9c 100644
 --- a/ssh-keygen.c
 +++ b/ssh-keygen.c
-@@ -1464,6 +1464,7 @@ do_change_passphrase(struct passwd *pw)
+@@ -1471,6 +1471,7 @@ do_change_passphrase(struct passwd *pw)
 	exit(0);
 }
 
@ -355,7 +355,7 @@ index 2c5c75db..85e8a9e2 100644
 /*
  * Print the SSHFP RR.
  */
-@@ -1491,6 +1492,7 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname,
+@@ -1497,6 +1498,7 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname,
 	free(comment);
 	return 1;
 }
@ -363,23 +363,23 @@ index 2c5c75db..85e8a9e2 100644
 
 /*
  * Change the comment of a private key file.
-@@ -2929,6 +2931,7 @@ skip_ssh_url_preamble(const char *s)
- 	return s;
+@@ -3075,6 +3077,7 @@ sk_suffix(const char *application, const uint8_t *user, size_t userlen)
+ 	return ret;
 }
 
 +#ifndef __serenity__
 static int
 do_download_sk(const char *skprovider, const char *device)
 {
-@@ -3026,6 +3029,7 @@ do_download_sk(const char *skprovider, const char *device)
- 	free(keys);
- 	return ok ? 0 : -1;
+@@ -3185,6 +3188,7 @@ save_attestation(struct sshbuf *attest, const char *path)
+ 		printf("Your FIDO attestation certificate has been saved in "
+ 		    "%s\n", path);
 }
 +#endif
 
 static void
 usage(void)
-@@ -3437,6 +3441,7 @@ main(int argc, char **argv)
+@@ -3627,6 +3631,7 @@ main(int argc, char **argv)
 	}
 	if (pkcs11provider != NULL)
 		do_download(pw);
@ -387,7 +387,7 @@ index 2c5c75db..85e8a9e2 100644
 	if (download_sk) {
 		for (i = 0; i < nopts; i++) {
 			if (strncasecmp(opts[i], "device=", 7) == 0) {
-@@ -3448,6 +3453,7 @@ main(int argc, char **argv)
+@@ -3638,6 +3643,7 @@ main(int argc, char **argv)
 		}
 		return do_download_sk(sk_provider, sk_device);
 	}
@ -395,7 +395,7 @@ index 2c5c75db..85e8a9e2 100644
 	if (print_fingerprint || print_bubblebabble)
 		do_fingerprint(pw);
 	if (change_passphrase)
-@@ -3465,6 +3471,8 @@ main(int argc, char **argv)
+@@ -3655,6 +3661,8 @@ main(int argc, char **argv)
 #endif /* WITH_OPENSSL */
 	if (print_public)
 		do_print_public(pw);
@ -404,7 +404,7 @@ index 2c5c75db..85e8a9e2 100644
 	if (rr_hostname != NULL) {
 		unsigned int n = 0;
 
-@@ -3496,6 +3504,7 @@ main(int argc, char **argv)
+@@ -3686,6 +3694,7 @@ main(int argc, char **argv)
 			exit(0);
 		}
 	}
@ -412,7 +412,7 @@ index 2c5c75db..85e8a9e2 100644
 
 	if (do_gen_candidates || do_screen_candidates) {
 		if (argc <= 0)
-@@ -3527,6 +3536,7 @@ main(int argc, char **argv)
+@@ -3717,6 +3726,7 @@ main(int argc, char **argv)
 		printf("Generating public/private %s key pair.\n",
 		    key_type_name);
 	switch (type) {
@ -420,7 +420,7 @@ index 2c5c75db..85e8a9e2 100644
 	case KEY_ECDSA_SK:
 	case KEY_ED25519_SK:
 		for (i = 0; i < nopts; i++) {
-@@ -3593,6 +3603,7 @@ main(int argc, char **argv)
+@@ -3795,6 +3805,7 @@ main(int argc, char **argv)
 			passphrase = NULL;
 		}
 		break;
@ -429,10 +429,10 @@ index 2c5c75db..85e8a9e2 100644
 		if ((r = sshkey_generate(type, bits, &private)) != 0)
 			fatal("sshkey_generate failed");
 diff --git a/ssh-keyscan.c b/ssh-keyscan.c
-index a5e64407..c7964ae9 100644
+index d29a03b..e6aac3d 100644
 --- a/ssh-keyscan.c
 +++ b/ssh-keyscan.c
-@@ -311,7 +311,9 @@ keyprint_one(const char *host, struct sshkey *key)
+@@ -313,7 +313,9 @@ keyprint_one(const char *host, struct sshkey *key)
 	found_one = 1;
 
 	if (print_sshfp) {
@ -443,11 +443,11 @@ index a5e64407..c7964ae9 100644
 	}
 
 diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
-index 8a0ffef5..12d05317 100644
+index cfd833d..de8fb90 100644
 --- a/ssh-pkcs11-client.c
 +++ b/ssh-pkcs11-client.c
@@ -241,6 +241,7 @@ wrap_key(struct sshkey *k)
- 		fatal("%s: unknown key type", __func__);
+ 		fatal_f("unknown key type");
 }
 
 +#ifndef __serenity__
@ -467,7 +467,7 @@ index 8a0ffef5..12d05317 100644
 	struct sshbuf *msg;
 
 -	if (fd < 0 && pkcs11_start_helper() < 0)
-+	if (fd < 0 
+	if (fd < 0
 +#ifndef __serenity__
 +		&& pkcs11_start_helper() < 0
 +#endif
@ -476,7 +476,7 @@ index 8a0ffef5..12d05317 100644
 
 	if ((msg = sshbuf_new()) == NULL)
 diff --git a/ssh-sk-client.c b/ssh-sk-client.c
-index 8d7e6c30..21b3ab39 100644
+index 321fe53..984aa6a 100644
 --- a/ssh-sk-client.c
 +++ b/ssh-sk-client.c
@@ -15,6 +15,8 @@
@ -488,14 +488,14 @@ index 8d7e6c30..21b3ab39 100644
 #include "includes.h"
 
 #include <sys/types.h>
-@@ -447,3 +449,5 @@ sshsk_load_resident(const char *provider_path, const char *device,
+@@ -478,3 +480,5 @@ sshsk_load_resident(const char *provider_path, const char *device,
 	errno = oerrno;
 	return r;
 }
 +
 +#endif
 diff --git a/sshbuf-misc.c b/sshbuf-misc.c
-index 9b5aa208..20c526b1 100644
+index 9c5c42b..1759ed2 100644
 --- a/sshbuf-misc.c
 +++ b/sshbuf-misc.c
@@ -28,7 +28,9 @@
@ -506,21 +506,21 @@ index 9b5aa208..20c526b1 100644
 #include <resolv.h>
 +#endif
 #include <ctype.h>
+ #include <unistd.h>
 
- #include "ssherr.h"
 diff --git a/sshconnect.c b/sshconnect.c
-index af08be41..9e748a23 100644
+index ebecc83..81df612 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -120,6 +120,7 @@ stderr_null(void)
- 		close(devnull);
+@@ -106,6 +106,7 @@ expand_proxy_command(const char *proxy_command, const char *user,
+ 	return ret;
 }
 
 +#ifndef __serenity__
 /*
  * Connect to the given ssh server using a proxy command that passes a
  * a connected fd back to us.
-@@ -202,6 +203,7 @@ ssh_proxy_fdpass_connect(struct ssh *ssh, const char *host,
+@@ -188,6 +189,7 @@ ssh_proxy_fdpass_connect(struct ssh *ssh, const char *host,
 
 	return 0;
 }
@ -528,12 +528,12 @@ index af08be41..9e748a23 100644
 
 /*
  * Connect to the given ssh server using a proxy command.
-@@ -566,10 +568,13 @@ ssh_connect(struct ssh *ssh, const char *host, const char *host_arg,
+@@ -555,10 +557,13 @@ ssh_connect(struct ssh *ssh, const char *host, const char *host_arg,
 		if ((ssh_packet_set_connection(ssh, in, out)) == NULL)
 			return -1; /* ssh_packet_set_connection logs error */
 		return 0;
 -	} else if (options.proxy_use_fdpass) {
-+	} 
+	}
 +	#ifndef __serenity__
 +	else if (options.proxy_use_fdpass) {
 		return ssh_proxy_fdpass_connect(ssh, host, host_arg, port,
@ -543,7 +543,7 @@ index af08be41..9e748a23 100644
 	return ssh_proxy_connect(ssh, host, host_arg, port,
 	    options.proxy_command);
 }
-@@ -1218,7 +1223,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
+@@ -1483,7 +1488,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key,
 			goto out;
 		}
 	}
@ -552,16 +552,16 @@ index af08be41..9e748a23 100644
 	if (options.verify_host_key_dns) {
 		/*
 		 * XXX certs are not yet supported for DNS, so downgrade
-@@ -1247,6 +1252,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
+@@ -1512,6 +1517,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key,
 			}
 		}
 	}
 +#endif
- 	r = check_host_key(host, hostaddr, options.port, host_key, RDRW,
- 	    options.user_hostfiles, options.num_user_hostfiles,
- 	    options.system_hostfiles, options.num_system_hostfiles);
+ 	r = check_host_key(host, cinfo, hostaddr, options.port, host_key,
+ 	    RDRW, 0, options.user_hostfiles, options.num_user_hostfiles,
+ 	    options.system_hostfiles, options.num_system_hostfiles,
 diff --git a/sshkey.c b/sshkey.c
-index 1571e3d9..2b5c611c 100644
+index f1e9200..564ff40 100644
 --- a/sshkey.c
 +++ b/sshkey.c
@@ -42,7 +42,9 @@
@ -574,19 +574,19 @@ index 1571e3d9..2b5c611c 100644
 #include <time.h>
 #ifdef HAVE_UTIL_H
 #include <util.h>
-@@ -2759,6 +2761,7 @@ sshkey_sign(struct sshkey *key,
+@@ -2790,6 +2792,7 @@ sshkey_sign(struct sshkey *key,
 	case KEY_ED25519_CERT:
 		r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
 		break;
-+		#ifndef __serenity__
+#ifndef __serenity__
 	case KEY_ED25519_SK:
 	case KEY_ED25519_SK_CERT:
 	case KEY_ECDSA_SK_CERT:
-@@ -2766,6 +2769,7 @@ sshkey_sign(struct sshkey *key,
+@@ -2797,6 +2800,7 @@ sshkey_sign(struct sshkey *key,
 		r = sshsk_sign(sk_provider, key, sigp, lenp, data,
- 		    datalen, compat, /* XXX PIN */ NULL);
+ 		    datalen, compat, sk_pin);
 		break;
-+		#endif
+#endif
 #ifdef WITH_XMSS
 	case KEY_XMSS:
 	case KEY_XMSS_CERT:
--- a/Ports/openssh/patches/pledge.patch
+++ b/Ports/openssh/patches/pledge.patch
@ -1,50 +1,51 @@
-f524cc245e63092372d78c3d80959b589aeebcc2 Add missing sigaction pledges and remove dns
+Add missing sigaction pledges and remove dns
 diff --git a/clientloop.c b/clientloop.c
-index da396c72..3ff4ea89 100644
+index f8350e6..00bf4b6 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -1239,31 +1239,31 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
+@@ -1227,31 +1227,31 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
 	if (options.control_master &&
 	    !option_clear_or_none(options.control_path)) {
 		debug("pledge: id");
 -		if (pledge("stdio rpath wpath cpath unix inet dns recvfd sendfd proc exec id tty",
 +		if (pledge("stdio rpath wpath cpath unix inet recvfd sendfd proc exec id tty sigaction",
 		    NULL) == -1)
- 			fatal("%s pledge(): %s", __func__, strerror(errno));
+ 			fatal_f("pledge(): %s", strerror(errno));
 
 	} else if (options.forward_x11 || options.permit_local_command) {
 		debug("pledge: exec");
 -		if (pledge("stdio rpath wpath cpath unix inet dns proc exec tty",
 +		if (pledge("stdio rpath wpath cpath unix inet proc exec tty sigaction",
 		    NULL) == -1)
- 			fatal("%s pledge(): %s", __func__, strerror(errno));
+ 			fatal_f("pledge(): %s", strerror(errno));
 
 	} else if (options.update_hostkeys) {
- 		debug("pledge: filesystem full");
+ 		debug("pledge: filesystem");
 -		if (pledge("stdio rpath wpath cpath unix inet dns proc tty",
 +		if (pledge("stdio rpath wpath cpath unix inet proc tty sigaction",
 		    NULL) == -1)
- 			fatal("%s pledge(): %s", __func__, strerror(errno));
+ 			fatal_f("pledge(): %s", strerror(errno));
 
 	} else if (!option_clear_or_none(options.proxy_command) ||
- 	    fork_after_authentication_flag) {
+ 	    options.fork_after_authentication) {
 		debug("pledge: proc");
 -		if (pledge("stdio cpath unix inet dns proc tty", NULL) == -1)
 +		if (pledge("stdio cpath unix inet proc tty sigaction", NULL) == -1)
- 			fatal("%s pledge(): %s", __func__, strerror(errno));
+ 			fatal_f("pledge(): %s", strerror(errno));
 
 	} else {
 		debug("pledge: network");
 -		if (pledge("stdio unix inet dns proc tty", NULL) == -1)
 +		if (pledge("stdio unix inet proc tty sigaction", NULL) == -1)
- 			fatal("%s pledge(): %s", __func__, strerror(errno));
+ 			fatal_f("pledge(): %s", strerror(errno));
 	}
 
-diff -Naur openssh-portable-9ca7e9c861775dd6c6312bc8aaab687403d24676/ssh-keysign.c openssh-portable-9ca7e9c861775dd6c6312bc8aaab687403d24676.serenity/ssh-keysign.c
--- openssh-portable-9ca7e9c861775dd6c6312bc8aaab687403d24676/ssh-keysign.c	2020-05-27 02:38:00.000000000 +0200
-+++ openssh-portable-9ca7e9c861775dd6c6312bc8aaab687403d24676.serenity/ssh-keysign.c	2021-05-18 00:09:01.831610440 +0200
-@@ -173,7 +173,7 @@
- 	char *host, *fp;
+diff --git a/ssh-keysign.c b/ssh-keysign.c
+index c52321e..9ae4dbf 100644
+--- a/ssh-keysign.c
+++ b/ssh-keysign.c
+@@ -187,7 +187,7 @@ main(int argc, char **argv)
+ 	char *host, *fp, *pkalg;
 	size_t slen, dlen;
 
 -	if (pledge("stdio rpath getpw dns id", NULL) != 0)
@ -52,12 +53,12 @@ diff -Naur openssh-portable-9ca7e9c861775dd6c6312bc8aaab687403d24676/ssh-keysign
 		fatal("%s: pledge: %s", __progname, strerror(errno));
 
 	/* Ensure that stdin and stdout are connected */
-@@ -237,7 +237,7 @@
- 	if (!found)
- 		fatal("no hostkey found");
+@@ -226,7 +226,7 @@ main(int argc, char **argv)
+ 		fatal("ssh-keysign not enabled in %s",
+ 		    _PATH_HOST_CONFIG_FILE);
 
 -	if (pledge("stdio dns", NULL) != 0)
 +	if (pledge("stdio", NULL) != 0)
 		fatal("%s: pledge: %s", __progname, strerror(errno));
 
- 	if ((b = sshbuf_new()) == NULL)
+ 	for (i = found = 0; i < NUM_KEYTYPES; i++) {
--- a/Ports/openssh/patches/remove_inet_aton_redef.patch
+++ b/Ports/openssh/patches/remove_inet_aton_redef.patch
@ -1,6 +1,6 @@
-bf47ca1400b0548fdabff37c797c6afe89c2ce60 Remove inet_aton redefinition
+Remove inet_aton redefinition
 diff --git a/openbsd-compat/inet_aton.c b/openbsd-compat/inet_aton.c
-index 093a1720..8b0a0c5d 100644
+index 5efcc5f..14aa47b 100644
 --- a/openbsd-compat/inet_aton.c
 +++ b/openbsd-compat/inet_aton.c
@@ -53,7 +53,7 @@
@ -11,8 +11,8 @@ index 093a1720..8b0a0c5d 100644
 +#if !defined(__serenity__)
 
 #include <sys/types.h>
- #include <sys/param.h>
-@@ -84,96 +84,96 @@ inet_addr(const char *cp)
+ #include <netinet/in.h>
+@@ -83,96 +83,96 @@ inet_addr(const char *cp)
  * This replaces inet_addr, the return value from which
  * cannot distinguish between failure and a local broadcast address.
  */
@ -195,10 +195,10 @@ index 093a1720..8b0a0c5d 100644
 
 #endif /* !defined(HAVE_INET_ATON) */
 diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
-index e5fd6f5b..cb9e1aa0 100644
+index 4316ab8..1c5c338 100644
 --- a/openbsd-compat/openbsd-compat.h
 +++ b/openbsd-compat/openbsd-compat.h
-@@ -153,7 +153,7 @@ char *inet_ntoa(struct in_addr in);
+@@ -166,7 +166,7 @@ char *inet_ntoa(struct in_addr in);
 const char *inet_ntop(int af, const void *src, char *dst, socklen_t size);
 #endif
 
--- a/Ports/openssh/patches/scanf_assume_ssh20.patch
+++ b/Ports/openssh/patches/scanf_assume_ssh20.patch
@ -1,18 +1,18 @@
-05b4800c752f5c57deec758118b28fc329a226e8 %.100s and sscanf doesn't do as expected
+%.100s and sscanf doesn't work as expected
 diff --git a/kex.c b/kex.c
-index 09c7258e..4c670986 100644
+index 0bcd27d..2539cc2 100644
 --- a/kex.c
 +++ b/kex.c
-@@ -1182,7 +1182,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1229,7 +1229,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 	sshbuf_reset(our_version);
 	if (version_addendum != NULL && *version_addendum == '\0')
 		version_addendum = NULL;
 -	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
 +	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
- 	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ 	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 	    version_addendum == NULL ? "" : " ",
 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
-@@ -1210,7 +1210,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1257,7 +1257,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 		r = SSH_ERR_ALLOC_FAIL;
 		goto out;
 	}
@ -21,7 +21,7 @@ index 09c7258e..4c670986 100644
 
 	/* Read other side's version identification. */
 	for (n = 0; ; n++) {
-@@ -1310,6 +1310,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1353,6 +1353,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 		goto out;
 	}
 
@ -29,7 +29,7 @@ index 09c7258e..4c670986 100644
 	/*
 	 * Check that the versions match.  In future this might accept
 	 * several versions and set appropriate flags to handle them.
-@@ -1318,11 +1319,19 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1361,11 +1362,19 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 	    &remote_major, &remote_minor, remote_version) != 3) {
 		error("Bad remote protocol version identification: '%.100s'",
 		    peer_version_string);
@ -48,4 +48,4 @@ index 09c7258e..4c670986 100644
 +#endif
 	debug("Remote protocol version %d.%d, remote software version %.100s",
 	    remote_major, remote_minor, remote_version);
- 	ssh->compat = compat_datafellows(remote_version);
+ 	compat_banner(ssh, remote_version);
--- a/Ports/openssh/patches/scm-rights.patch
+++ b/Ports/openssh/patches/scm-rights.patch
@ -1,6 +1,7 @@
-diff -Naur openssh-portable-9ca7e9c861775dd6c6312bc8aaab687403d24676/monitor_fdpass.c openssh-portable-9ca7e9c861775dd6c6312bc8aaab687403d24676.serenity/monitor_fdpass.c
--- openssh-portable-9ca7e9c861775dd6c6312bc8aaab687403d24676/monitor_fdpass.c	2020-05-27 02:38:00.000000000 +0200
-+++ openssh-portable-9ca7e9c861775dd6c6312bc8aaab687403d24676.serenity/monitor_fdpass.c	2021-05-01 12:32:21.145854477 +0200
+diff --git a/monitor_fdpass.c b/monitor_fdpass.c
+index a07727a..0a9fe75 100644
+--- a/monitor_fdpass.c
+++ b/monitor_fdpass.c
@@ -51,6 +51,7 @@
 int
 mm_send_fd(int sock, int fd)
@ -9,7 +10,7 @@ diff -Naur openssh-portable-9ca7e9c861775dd6c6312bc8aaab687403d24676/monitor_fdp
 #if defined(HAVE_SENDMSG) && (defined(HAVE_ACCRIGHTS_IN_MSGHDR) || defined(HAVE_CONTROL_IN_MSGHDR))
 	struct msghdr msg;
 #ifndef HAVE_ACCRIGHTS_IN_MSGHDR
-@@ -107,11 +108,15 @@
+@@ -106,11 +107,15 @@ mm_send_fd(int sock, int fd)
 	error("%s: file descriptor passing not supported", __func__);
 	return -1;
 #endif
@ -25,8 +26,8 @@ diff -Naur openssh-portable-9ca7e9c861775dd6c6312bc8aaab687403d24676/monitor_fdp
 #if defined(HAVE_RECVMSG) && (defined(HAVE_ACCRIGHTS_IN_MSGHDR) || defined(HAVE_CONTROL_IN_MSGHDR))
 	struct msghdr msg;
 #ifndef HAVE_ACCRIGHTS_IN_MSGHDR
-@@ -184,4 +189,7 @@
- 	error("%s: file descriptor passing not supported", __func__);
+@@ -182,4 +187,7 @@ mm_receive_fd(int sock)
+ 	error_f("file descriptor passing not supported");
 	return -1;
 #endif
 +#else
--- a/Ports/openssh/patches/unveil_privsep.patch
+++ b/Ports/openssh/patches/unveil_privsep.patch
@ -1,8 +1,8 @@
 diff --git a/sshd.c b/sshd.c
-index 6f8f11a..cdbc003 100644
+index 0ee65b5..e2f84de 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -461,12 +461,9 @@ privsep_preauth_child(void)
+@@ -452,12 +452,9 @@ privsep_preauth_child(void)
 
 	/* Demote the child */
 	if (privsep_chroot) {
@ -18,7 +18,7 @@ index 6f8f11a..cdbc003 100644
 
 		/* Drop our privileges */
 		debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
-@@ -1899,25 +1896,6 @@ main(int ac, char **av)
+@@ -1952,25 +1949,6 @@ main(int ac, char **av)
 		    sshkey_type(key));
 	}