Index: crypto/openssh/config.h =================================================================== --- crypto/openssh/config.h +++ crypto/openssh/config.h @@ -396,6 +396,14 @@ don't. */ #define HAVE_DECL_OFFSETOF 1 +/* Define to 1 if you have the declaration of 'OPENSSL_IS_BORINGSSL', and to 0 + if you don't. */ +/* #undef HAVE_DECL_OPENSSL_IS_BORINGSSL */ + +/* Define to 1 if you have the declaration of 'OPENSSL_NO_DSA', and to 0 if + you don't. */ +/* #undef HAVE_DECL_OPENSSL_NO_DSA */ + /* Define to 1 if you have the declaration of 'O_NONBLOCK', and to 0 if you don't. */ #define HAVE_DECL_O_NONBLOCK 1 @@ -1912,7 +1920,7 @@ /* Prepend the address family to IP tunnel traffic */ /* #undef SSH_TUN_PREPEND_AF */ -/* Define to 1 if all of the C90 standard headers exist (not just the ones +/* Define to 1 if all of the C89 standard headers exist (not just the ones required in a freestanding environment). This macro is provided for backward compatibility; new code need not use it. */ #define STDC_HEADERS 1 @@ -1923,6 +1931,9 @@ /* syslog_r function is safe to use in in a signal handler */ /* #undef SYSLOG_R_SAFE_IN_SIGHAND */ +/* Have sshd notify systemd on start/reload */ +/* #undef SYSTEMD_NOTIFY */ + /* Support routing domains using Linux VRF */ /* #undef SYS_RDOMAIN_LINUX */ @@ -2020,7 +2031,7 @@ /* Number of bits in a file offset, on hosts where this is settable. */ /* #undef _FILE_OFFSET_BITS */ -/* Define for large files, on AIX-style hosts. */ +/* Define to 1 on platforms where this makes off_t a 64-bit type. */ /* #undef _LARGE_FILES */ /* log for bad login attempts */ 
@@ -2032,6 +2043,12 @@ /* Specify location of ssh.pid */ #define _PATH_SSH_PIDDIR "/var/run" +/* Number of bits in time_t, on hosts where this is settable. */ +/* #undef _TIME_BITS */ + +/* Define to 1 on platforms where this makes time_t a 64-bit type. */ +/* #undef __MINGW_USE_VC2005_COMPAT */ + /* Define if we don't have struct __res_state in resolv.h */ /* #undef __res_state */
Index: secure/lib/libssh/Makefile
===================================================================
--- secure/lib/libssh/Makefile
+++ secure/lib/libssh/Makefile
@@ -21,7 +21,7 @@
 poly1305.c chacha.c cipher-chachapoly.c cipher-chachapoly-libcrypto.c \
 ssh-ed25519.c digest-openssl.c digest-libc.c \
 hmac.c ed25519.c hash.c \
- kex.c kexdh.c kexgex.c kexecdh.c kexc25519.c \
+ kex.c kex-names.c kexdh.c kexgex.c kexecdh.c kexc25519.c \
 kexgexc.c kexgexs.c \
 kexsntrup761x25519.c sntrup761.c kexgen.c \
 sftp-realpath.c platform-pledge.c platform-tracing.c platform-misc.c \
Index: secure/libexec/Makefile
===================================================================
--- secure/libexec/Makefile
+++ secure/libexec/Makefile
@@ -2,7 +2,7 @@
 SUBDIR=
 .if ${MK_OPENSSH} != "no"
-SUBDIR+=sftp-server ssh-keysign ssh-pkcs11-helper ssh-sk-helper
+SUBDIR+=sftp-server ssh-keysign ssh-pkcs11-helper ssh-sk-helper sshd-session
 .endif
 SUBDIR.${MK_TESTS}+= tests
Index: secure/libexec/sshd-session/Makefile
===================================================================
--- /dev/null
+++ secure/libexec/sshd-session/Makefile
@@ -0,0 +1,66 @@
+.include
+.include "${SRCTOP}/secure/ssh.mk"
+
+PROG= sshd-session
+SRCS= sshd-session.c auth-rhosts.c auth-passwd.c \
+ audit.c audit-bsm.c audit-linux.c platform.c \
+ sshpty.c sshlogin.c servconf.c serverloop.c \
+ auth.c auth2.c auth2-methods.c auth-options.c session.c \
+ auth2-chall.c groupaccess.c \
+ auth-bsdauth.c auth2-hostbased.c auth2-kbdint.c \
+ auth2-none.c auth2-passwd.c auth2-pubkey.c auth2-pubkeyfile.c \
+ monitor.c monitor_wrap.c auth-krb5.c \
+ auth2-gss.c gss-serv.c gss-serv-krb5.c \
+ loginrec.c auth-pam.c auth-shadow.c auth-sia.c \
+ sftp-server.c sftp-common.c \
+ sandbox-null.c sandbox-rlimit.c sandbox-systrace.c sandbox-darwin.c \
+ sandbox-seccomp-filter.c sandbox-capsicum.c sandbox-pledge.c \
+ sandbox-solaris.c uidswap.c
+PACKAGE= ssh
+
+# gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
+SRCS+= gss-genr.c
+
+MAN=
+
+# pam should always happen before ssh here for static linking
+LIBADD= pam ssh util
+
+.if ${MK_LDNS} != "no"
+CFLAGS+= -DHAVE_LDNS=1
+DPADD+= ${LIBLDNS}
+LDADD+= -lldns
+.endif
+
+.if ${MK_AUDIT} != "no"
+CFLAGS+= -DUSE_BSM_AUDIT=1 -DHAVE_GETAUDIT_ADDR=1
+LIBADD+= bsm
+.endif
+
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+CFLAGS+= -DUSE_BLACKLIST=1 -I${SRCTOP}/contrib/blocklist/include
+SRCS+= blacklist.c
+LIBADD+= blacklist
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+.endif
+
+.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+CFLAGS+= -include krb5_config.h
+SRCS+= krb5_config.h
+LIBADD+= gssapi_krb5 gssapi krb5
+.endif
+
+.if ${MK_TCP_WRAPPERS} != "no"
+CFLAGS+= -DLIBWRAP=1
+LIBADD+= wrap
+.endif
+
+LIBADD+= crypto
+
+.if defined(LOCALBASE)
+CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
+.endif
+
+.include
+
+.PATH: ${SSHDIR}
Index: secure/usr.sbin/sshd/Makefile
===================================================================
--- secure/usr.sbin/sshd/Makefile
+++ secure/usr.sbin/sshd/Makefile
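Review bot: In secure/libexec/sshd-session/Makefile the `MK_LDNS` block has live `DPADD+= ${LIBLDNS}` and `LDADD+= -lldns` lines, but the block this was moved from (removed from secure/usr.sbin/sshd/Makefile later in this patch) had both commented out as `#DPADD+=` and `#LDADD+=`. If the move was meant to be mechanical, keep them commented; if sshd-session does need to link ldns directly, a one-line comment saying why would stop the next import from reverting it. Since `MAN=` is empty, a header comment such as `# Per-connection half of sshd(8); exec'd by the listener, not meant to be run by hand.` above `PROG=` would also record what this binary is for.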
@@ -4,56 +4,17 @@
 CONFS= moduli sshd_config
 CONFSDIR= /etc/ssh
 PROG= sshd
-SRCS= sshd.c auth-rhosts.c auth-passwd.c \
- audit.c audit-bsm.c audit-linux.c platform.c \
- sshpty.c sshlogin.c servconf.c serverloop.c \
- auth.c auth2.c auth-options.c session.c \
- auth2-chall.c groupaccess.c \
- auth-bsdauth.c auth2-hostbased.c auth2-kbdint.c \
- auth2-none.c auth2-passwd.c auth2-pubkey.c auth2-pubkeyfile.c \
- monitor.c monitor_wrap.c auth-krb5.c \
- auth2-gss.c gss-serv.c gss-serv-krb5.c \
- loginrec.c auth-pam.c auth-shadow.c auth-sia.c \
- srclimit.c sftp-server.c sftp-common.c \
- sandbox-null.c sandbox-rlimit.c sandbox-systrace.c sandbox-darwin.c \
- sandbox-seccomp-filter.c sandbox-capsicum.c sandbox-pledge.c \
- sandbox-solaris.c uidswap.c
+SRCS= sshd.c \
+ platform-listen.o \
+ servconf.c sshpty.c srclimit.c groupaccess.c auth2-methods.c
 PACKAGE= ssh
-# gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
-SRCS+= gss-genr.c
-
 MAN= sshd.8 sshd_config.5
 # Don't rebuild based on moduli.c
 moduli: .MADE
-# pam should always happen before ssh here for static linking
-LIBADD= pam ssh util
-
-.if ${MK_LDNS} != "no"
-CFLAGS+= -DHAVE_LDNS=1
-#DPADD+= ${LIBLDNS}
-#LDADD+= -lldns
-.endif
-
-.if ${MK_AUDIT} != "no"
-CFLAGS+= -DUSE_BSM_AUDIT=1 -DHAVE_GETAUDIT_ADDR=1
-LIBADD+= bsm
-.endif
-
-.if ${MK_BLACKLIST_SUPPORT} != "no"
-CFLAGS+= -DUSE_BLACKLIST=1 -I${SRCTOP}/contrib/blocklist/include
-SRCS+= blacklist.c
-LIBADD+= blacklist
-LDFLAGS+=-L${LIBBLACKLISTDIR}
-.endif
-
-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
-CFLAGS+= -include krb5_config.h
-SRCS+= krb5_config.h
-LIBADD+= gssapi_krb5 gssapi krb5
-.endif
+LIBADD= ssh util
 .if ${MK_TCP_WRAPPERS} != "no"
 CFLAGS+= -DLIBWRAP=1
@@ -62,7 +23,6 @@
 LIBADD+= crypto
-
 .include
 .PATH: ${SSHDIR}
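Review bot: The new `SRCS` list in secure/usr.sbin/sshd/Makefile names `platform-listen.o`, an object file, where every other entry is a `.c` source; it looks carried over from an object list and should presumably read `platform-listen.c \`. Separately, the `MK_TCP_WRAPPERS` block (`-DLIBWRAP=1`) stays here and is also added to sshd-session, while `-DUSE_BLACKLIST=1`, `-DUSE_BSM_AUDIT=1` and the pam link now exist only in sshd-session. Please confirm that matches where the hosts_access, blacklist and audit calls live after the split, because a missing define compiles those checks out without any build error. The LIBWRAP block continues past the end of the first hunk.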