Index: crypto/openssh/ssh_namespace.h
===================================================================
--- crypto/openssh/ssh_namespace.h
+++ crypto/openssh/ssh_namespace.h
@@ -87,6 +87,10 @@
 #define chacha_encrypt_bytes Fssh_chacha_encrypt_bytes
 #define chacha_ivsetup Fssh_chacha_ivsetup
 #define chacha_keysetup Fssh_chacha_keysetup
+#define chachapoly_crypt Fssh_chachapoly_crypt
+#define chachapoly_free Fssh_chachapoly_free
+#define chachapoly_get_length Fssh_chachapoly_get_length
+#define chachapoly_new Fssh_chachapoly_new
 #define chan_ibuf_empty Fssh_chan_ibuf_empty
 #define chan_is_dead Fssh_chan_is_dead
 #define chan_mark_dead Fssh_chan_mark_dead
@@ -553,8 +557,10 @@
 #define ssh_dss_sign Fssh_ssh_dss_sign
 #define ssh_dss_verify Fssh_ssh_dss_verify
 #define ssh_ecdsa_sign Fssh_ssh_ecdsa_sign
+#define ssh_ecdsa_sk_verify Fssh_ssh_ecdsa_sk_verify
 #define ssh_ecdsa_verify Fssh_ssh_ecdsa_verify
 #define ssh_ed25519_sign Fssh_ssh_ed25519_sign
+#define ssh_ed25519_sk_verify Fssh_ssh_ed25519_sk_verify
 #define ssh_ed25519_verify Fssh_ssh_ed25519_verify
 #define ssh_err Fssh_ssh_err
 #define ssh_fetch_identitylist Fssh_ssh_fetch_identitylist
@@ -871,6 +877,12 @@
 #define sshpkt_start Fssh_sshpkt_start
 #define sshpkt_vfatal Fssh_sshpkt_vfatal
 #define sshsigdie Fssh_sshsigdie
+#define sshsk_add_option Fssh_sshsk_add_option
+#define sshsk_enroll Fssh_sshsk_enroll
+#define sshsk_key_from_response Fssh_sshsk_key_from_response
+#define sshsk_load_resident Fssh_sshsk_load_resident
+#define sshsk_open Fssh_sshsk_open
+#define sshsk_sign Fssh_sshsk_sign
 #define start_progress_meter Fssh_start_progress_meter
 #define stdfd_devnull Fssh_stdfd_devnull
 #define stop_progress_meter Fssh_stop_progress_meter
Index: secure/libexec/Makefile
===================================================================
--- secure/libexec/Makefile
+++ secure/libexec/Makefile
@@ -4,7 +4,7 @@
 SUBDIR=
 .if ${MK_OPENSSH} != "no"
-SUBDIR+=sftp-server ssh-keysign ssh-pkcs11-helper
+SUBDIR+=sftp-server ssh-keysign ssh-pkcs11-helper ssh-sk-helper
 .endif
 SUBDIR.${MK_TESTS}+= tests
Index: secure/libexec/ssh-sk-helper/Makefile
===================================================================
--- /dev/null
+++ secure/libexec/ssh-sk-helper/Makefile
@@ -0,0 +1,18 @@
+.include
+.include "${SRCTOP}/secure/ssh.mk"
+
+PROG= ssh-sk-helper
+SRCS= ssh-sk-helper.c ssh-sk.c sk-usbhid.c
+MAN= ssh-sk-helper.8
+CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
+CFLAGS+=-I${SRCTOP}/contrib/libfido2/src
+SRCS+= ssh_namespace.h
+
+LIBADD= ssh crypto z
+.if ${MK_USB} != "no"
+LIBADD+= fido2 cbor
+.endif
+
+.include
+
+.PATH: ${SSHDIR}
Index: secure/ssh.mk
===================================================================
--- secure/ssh.mk
+++ secure/ssh.mk
@@ -1,6 +1,12 @@
 # Common Make variables for OpenSSH
+.include
+
 SSHDIR= ${SRCTOP}/crypto/openssh
 CFLAGS+= -I${SSHDIR} -include ssh_namespace.h
 SRCS+= ssh_namespace.h
+
+.if ${MK_USB} != "no"
+CFLAGS+= -DENABLE_SK_INTERNAL=1
+.endif
Index: tools/build/mk/OptionalObsoleteFiles.inc
===================================================================
--- tools/build/mk/OptionalObsoleteFiles.inc
+++ tools/build/mk/OptionalObsoleteFiles.inc
@@ -7141,6 +7141,7 @@
 OLD_FILES+=usr/libexec/sftp-server
 OLD_FILES+=usr/libexec/ssh-keysign
 OLD_FILES+=usr/libexec/ssh-pkcs11-helper
+OLD_FILES+=usr/libexec/ssh-sk-helper
 OLD_FILES+=usr/sbin/sshd
 OLD_FILES+=usr/share/man/man1/scp.1.gz
 OLD_FILES+=usr/share/man/man1/sftp.1.gz
@@ -7157,6 +7158,7 @@
 OLD_FILES+=usr/share/man/man8/sftp-server.8.gz
 OLD_FILES+=usr/share/man/man8/ssh-keysign.8.gz
 OLD_FILES+=usr/share/man/man8/ssh-pkcs11-helper.8.gz
+OLD_FILES+=usr/share/man/man8/ssh-sk-helper.8.gz
 OLD_FILES+=usr/share/man/man8/sshd.8.gz
 .endif
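Review bot: In the new secure/libexec/ssh-sk-helper/Makefile, `CFLAGS+=-I${SRCTOP}/contrib/libfido2/src` is added unconditionally although `LIBADD+= fido2 cbor` is guarded by `.if ${MK_USB} != "no"`; the include path belongs inside the same guard so a MK_USB=no build cannot compile against libfido2 headers it will not link. The lines `CFLAGS+=-I${SSHDIR} -include ssh_namespace.h` and `SRCS+= ssh_namespace.h` also repeat what the included `${SRCTOP}/secure/ssh.mk` already sets (see the secure/ssh.mk hunk in this diff) and can be dropped. A comment above the guard, such as `# Without USB support the helper is built with no built-in FIDO provider`, would tell packagers what a MK_USB=no binary can do; that behaviour is inferred from the ENABLE_SK_INTERNAL guard in ssh.mk and should be confirmed against ssh-sk.c.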
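Review bot: `CFLAGS+= -DENABLE_SK_INTERNAL=1` in secure/ssh.mk reaches every OpenSSH target that includes this file, while the only `LIBADD+= fido2 cbor` in this diff is in ssh-sk-helper's Makefile. If the global scope is intentional (the macro presumably also changes behaviour in other programs, which is not visible here), record that in a comment, e.g. `# Built-in FIDO/U2F provider; set for all OpenSSH programs, but only ssh-sk-helper links libfido2`. If it is not, move the define next to the `LIBADD` guard in the helper's Makefile so the security-key code is enabled only in the one binary that links the library.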