Index: readconf.h
===================================================================
--- readconf.h
+++ readconf.h
@@ -169,6 +169,8 @@
 	char   *hostbased_accepted_algos;
 	char   *pubkey_accepted_algos;
 
+	char   *version_addendum; /* Appended to SSH banner */
+
 	char   *jump_user;
 	char   *jump_host;
 	int	jump_port;
Index: readconf.c
===================================================================
--- readconf.c
+++ readconf.c
@@ -67,6 +67,7 @@
 #include "uidswap.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "version.h"
 
 /* Format of the configuration file:
 
@@ -141,6 +142,7 @@
 
 typedef enum {
 	oBadOption,
+	oVersionAddendum,
 	oHost, oMatch, oInclude,
 	oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
 	oGatewayPorts, oExitOnForwardFailure,
@@ -320,6 +322,7 @@
 	{ "proxyjump", oProxyJump },
 	{ "securitykeyprovider", oSecurityKeyProvider },
 	{ "knownhostscommand", oKnownHostsCommand },
+	{ "versionaddendum", oVersionAddendum },
 
 	{ NULL, oBadOption }
 };
@@ -1964,6 +1967,22 @@
 		intptr = &options->fork_after_authentication;
 		goto parse_flag;
 
+	case oVersionAddendum:
+		if (str == NULL)
+			fatal("%.200s line %d: Missing argument.", filename,
+			    linenum);
+		len = strspn(str, WHITESPACE);
+		if (*activep && options->version_addendum == NULL) {
+			if (strcasecmp(str + len, "none") == 0)
+				options->version_addendum = xstrdup("");
+			else if (strchr(str + len, '\r') != NULL)
+				fatal("%.200s line %d: Invalid argument",
+				    filename, linenum);
+			else
+				options->version_addendum = xstrdup(str + len);
+		}
+		return 0;
+
 	case oIgnoreUnknown:
 		charptr = &options->ignored_unknown;
 		goto parse_string;
@@ -2291,6 +2310,7 @@
 initialize_options(Options * options)
 {
 	memset(options, 'X', sizeof(*options));
+	options->version_addendum = NULL;
 	options->forward_agent = -1;
 	options->forward_agent_sock_path = NULL;
 	options->forward_x11 = -1;
@@ -2653,6 +2673,8 @@
 	/* options->hostname will be set in the main program if appropriate */
 	/* options->host_key_alias should not be set by default */
 	/* options->preferred_authentications will be set in ssh */
+	if (options->version_addendum == NULL)
+		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
 
 	/* success */
 	ret = 0;
Index: servconf.c
===================================================================
--- servconf.c
+++ servconf.c
@@ -70,6 +70,7 @@
 #include "auth.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "version.h"
 
 static void add_listen_addr(ServerOptions *, const char *,
     const char *, int);
@@ -428,7 +429,7 @@
 	if (options->ip_qos_bulk == -1)
 		options->ip_qos_bulk = IPTOS_DSCP_CS1;
 	if (options->version_addendum == NULL)
-		options->version_addendum = xstrdup("");
+		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
 		options->fwd_opts.streamlocal_bind_mask = 0177;
 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
Index: ssh.1
===================================================================
--- ssh.1
+++ ssh.1
@@ -575,6 +575,7 @@
 .It User
 .It UserKnownHostsFile
 .It VerifyHostKeyDNS
+.It VersionAddendum
 .It VisualHostKey
 .It XAuthLocation
 .El
Index: ssh.c
===================================================================
--- ssh.c
+++ ssh.c
@@ -871,8 +871,14 @@
 			}
 			break;
 		case 'V':
-			fprintf(stderr, "%s, %s\n",
-			    SSH_RELEASE, SSH_OPENSSL_VERSION);
+			if (options.version_addendum != NULL &&
+			    *options.version_addendum != '\0')
+				fprintf(stderr, "%s %s, %s\n", SSH_RELEASE,
+				    options.version_addendum,
+				    OPENSSL_VERSION_STRING);
+			else
+				fprintf(stderr, "%s, %s\n", SSH_RELEASE,
+				    OPENSSL_VERSION_STRING);
 			if (opt == 'V')
 				exit(0);
 			break;
@@ -1139,7 +1145,8 @@
 	    !use_syslog);
 
 	if (debug_flag)
-		logit("%s, %s", SSH_RELEASE, SSH_OPENSSL_VERSION);
+		/* version_addendum is always NULL at this point */
+		logit("%s, %s", SSH_RELEASE, OPENSSL_VERSION_STRING);
 
 	/* Parse the configuration files */
 	process_config_files(host_arg, pw, 0, &want_final_pass);
Index: ssh_config
===================================================================
--- ssh_config
+++ ssh_config
@@ -44,3 +44,4 @@
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
 #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+#   VersionAddendum FreeBSD-2021XXXX
Index: ssh_config.5
===================================================================
--- ssh_config.5
+++ ssh_config.5
@@ -1959,6 +1959,14 @@
 .Sx VERIFYING HOST KEYS
 in
 .Xr ssh 1 .
+.It Cm VersionAddendum
+Specifies a string to append to the regular version string to identify
+OS- or site-specific modifications.
+The default is
+.Dq FreeBSD-2021XXXX .
+The value
+.Cm none
+may be used to disable this.
 .It Cm VisualHostKey
 If this flag is set to
 .Cm yes ,
Index: sshconnect.c
===================================================================
--- sshconnect.c
+++ sshconnect.c
@@ -1553,7 +1553,8 @@
 	lowercase(host);
 
 	/* Exchange protocol version identification strings with the server. */
-	if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0)
+	if ((r = kex_exchange_identification(ssh, timeout_ms,
+	    options.version_addendum)) != 0)
 		sshpkt_fatal(ssh, r, "banner exchange");
 
 	/* Put the connection into non-blocking mode. */
Index: sshd.c
===================================================================
--- sshd.c
+++ sshd.c
@@ -903,7 +903,14 @@
 static void
 usage(void)
 {
-	fprintf(stderr, "%s, %s\n", SSH_RELEASE, SSH_OPENSSL_VERSION);
+	if (options.version_addendum != NULL &&
+	    *options.version_addendum != '\0')
+		fprintf(stderr, "%s %s, %s\n",
+		    SSH_RELEASE,
+		    options.version_addendum, OPENSSL_VERSION_STRING);
+	else
+		fprintf(stderr, "%s, %s\n",
+		    SSH_RELEASE, OPENSSL_VERSION_STRING);
 	fprintf(stderr,
 "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
 "            [-E log_file] [-f config_file] [-g login_grace_time]\n"
Index: sshd_config
===================================================================
--- sshd_config
+++ sshd_config
@@ -100,7 +100,7 @@
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
-#VersionAddendum none
+#VersionAddendum FreeBSD-2021XXXX
 
 # no default banner path
 #Banner none
Index: sshd_config.5
===================================================================
--- sshd_config.5
+++ sshd_config.5
@@ -1779,7 +1779,10 @@
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.
 The default is
-.Cm none .
+.Qq FreeBSD-2021XXXX .
+The value
+.Cm none
+may be used to disable this.
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Xr sshd 8 Ns 's
Index: version.h
===================================================================
--- version.h
+++ version.h
@@ -4,3 +4,11 @@
 
 #define SSH_PORTABLE	"p1"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+
+#define SSH_VERSION_FREEBSD	"FreeBSD-2021XXXX"
+
+#ifdef WITH_OPENSSL
+#define OPENSSL_VERSION_STRING	OpenSSL_version(OPENSSL_VERSION)
+#else
+#define OPENSSL_VERSION_STRING	"without OpenSSL"
+#endif