diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index ee88c6fca548..75f4d206e817 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,241 +1,241 @@
 # Created by: dwcjr@inethouston.net
 
 PORTNAME=	openssh
 DISTVERSION=	8.9p1
-PORTREVISION=	2
+PORTREVISION=	3
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
 PKGNAMESUFFIX?=	-portable
 
 MAINTAINER=	bdrewery@FreeBSD.org
 COMMENT=	The portable version of OpenBSD's OpenSSH
 
 LICENSE=	OPENSSH
 LICENSE_NAME=	OpenSSH Licenses
 LICENSE_FILE=	${WRKSRC}/LICENCE
 LICENSE_PERMS=	dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
 
 CONFLICTS?=		openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel
 
 USES=			alias autoreconf compiler:c11 cpe localbase ncurses \
 			pkgconfig ssl
 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS=		--prefix=${PREFIX} \
 			--with-ssl-engine \
 			--with-mantype=man \
 			--with-Werror
 
 ETCOLD=			${PREFIX}/etc
 
 CPE_VENDOR=		openbsd
 
 FLAVORS=			default hpn gssapi
 default_CONFLICTS_INSTALL=	openssh-portable-hpn openssh-portable-gssapi \
 				openssh-portable-x509
 hpn_CONFLICTS_INSTALL=		openssh-portable openssh-portable-gssapi \
 				openssh-portable-x509
 hpn_PKGNAMESUFFIX=		-portable-hpn
 gssapi_CONFLICTS_INSTALL=	openssh-portable openssh-portable-hpn \
 				openssh-portable-x509
 gssapi_PKGNAMESUFFIX=		-portable-gssapi
 
 OPTIONS_DEFINE=		DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN KERB_GSSAPI \
 			LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD
 OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F
 .if ${FLAVOR:U} == hpn
 OPTIONS_DEFAULT+=	HPN NONECIPHER
 .endif
 .if ${FLAVOR:U} == gssapi
 OPTIONS_DEFAULT+=	KERB_GSSAPI MIT
 .endif
 OPTIONS_RADIO=		KERBEROS
 OPTIONS_RADIO_KERBEROS=	MIT HEIMDAL HEIMDAL_BASE
 TCP_WRAPPERS_DESC=	tcp_wrappers support
 BSM_DESC=		OpenBSM Auditing
 KERB_GSSAPI_DESC=	Kerberos/GSSAPI patch (req: GSSAPI)
 HPN_DESC=		HPN-SSH patch
 LDNS_DESC=		SSHFP/LDNS support
 HEIMDAL_DESC=		Heimdal Kerberos (security/heimdal)
 HEIMDAL_BASE_DESC=	Heimdal Kerberos (base)
 MIT_DESC=		MIT Kerberos (security/krb5)
 NONECIPHER_DESC=	NONE Cipher support
 XMSS_DESC=		XMSS key support (experimental)
 FIDO_U2F_DESC=		FIDO/U2F support (security/libfido2)
 BLACKLISTD_DESC=	FreeBSD blacklistd(8) support
 
 OPTIONS_SUB=		yes
 
 PAM_EXTRA_PATCHES=	${FILESDIR}/extra-patch-pam-sshd_config
 
 TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
 
 LDNS_CONFIGURE_WITH=	ldns=${LOCALBASE}
 LDNS_LIB_DEPENDS=	libldns.so:dns/ldns
 LDNS_EXTRA_PATCHES=	${FILESDIR}/extra-patch-ldns
 
 HPN_CONFIGURE_WITH=		hpn
 NONECIPHER_CONFIGURE_WITH=	nonecipher
 
 MIT_LIB_DEPENDS=		libkrb5.so.3:security/krb5
 HEIMDAL_LIB_DEPENDS=		libkrb5.so.26:security/heimdal
 
 PAM_CONFIGURE_WITH=	pam
 TCP_WRAPPERS_CONFIGURE_WITH=	tcp-wrappers
 
 LIBEDIT_CONFIGURE_WITH=	libedit
 LIBEDIT_USES=		libedit
 BSM_CONFIGURE_ON=	--with-audit=bsm
 
 FIDO_U2F_LIB_DEPENDS=	libfido2.so:security/libfido2
 FIDO_U2F_CONFIGURE_ON=	--with-security-key-builtin
 FIDO_U2F_CONFIGURE_OFF=	--disable-security-key
 
 BLACKLISTD_EXTRA_PATCHES=	${FILESDIR}/extra-patch-blacklistd
 
 ETCDIR?=		${PREFIX}/etc/ssh
 
 .include <bsd.port.pre.mk>
 
 PATCH_SITES+=	http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
 
 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
 #BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 .  endif
 # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
 # pull from.
 GSSAPI_DEBIAN_SUBDIR=	${DISTVERSION}-3
 # - Debian does not use a versioned filename so we trick fetch to make one for
 # us with the ?<anything>=/ trick.
 PATCH_SITES+=	https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
 # Bump this when updating the patch location
 GSSAPI_UPDATE_DATE=	20220203
 PATCHFILES+=	openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-auth2-gss.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgssc.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgsss.c
 .endif
 
 .if ${PORT_OPTIONS:MBLACKLISTD}
 CONFIGURE_LIBS+=	-lblacklist
 .endif
 
 # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 #BROKEN=			HPN: Not yet updated for ${DISTVERSION} yet.
 PORTDOCS+=		HPN-README
 HPN_VERSION=		14v15
 HPN_DISTVERSION=	7.7p1
 #PATCH_SITES+=		SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
 #PATCHFILES+=		${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn:-p2
 .elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER}
 # Apply compatibility patch
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn-compat
 .endif
 
 CONFIGURE_ARGS+=	--disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
 
 # Keep this last
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-version-addendum
 
 .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI}
 BROKEN=		KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
 .endif
 
 .if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
 IGNORE=		you have selected HEIMDAL_BASE but do not have heimdal installed in base
 .endif
 
 .if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE}
 .	if ${PORT_OPTIONS:MHEIMDAL_BASE}
 CONFIGURE_LIBS+=	-lgssapi_krb5
 CONFIGURE_ARGS+=	--with-kerberos5=/usr
 .	else
 CONFIGURE_ARGS+=	--with-kerberos5=${LOCALBASE}
 .	endif
 .	if ${OPENSSLBASE} == "/usr"
 CONFIGURE_ARGS+=	--without-rpath
 LDFLAGS=		# empty
 .	endif
 .else
 .	if ${PORT_OPTIONS:MKERB_GSSAPI}
 IGNORE=	KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE
 .	endif
 .endif
 
 .if ${OPENSSLBASE} != "/usr"
 CONFIGURE_ARGS+=	--with-ssl-dir=${OPENSSLBASE}
 .endif
 
 EMPTYDIR=		/var/empty
 
 USE_RC_SUBR=		openssh
 
 # After all
 CONFIGURE_ARGS+=	--sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR}
 .if !empty(CONFIGURE_LIBS)
 CONFIGURE_ARGS+=	--with-libs='${CONFIGURE_LIBS}'
 .endif
 
 CONFIGURE_ARGS+=	--with-xauth=${LOCALBASE}/bin/xauth
 
 RC_SCRIPT_NAME=		openssh
 VERSION_ADDENDUM_DEFAULT?=	${OPSYS}-${PKGNAME}
 
 CFLAGS+=	${CFLAGS_${CHOSEN_COMPILER_TYPE}}
 CFLAGS_gcc=	-Wno-stringop-truncation -Wno-stringop-overflow
 
 SSH_ASKPASS_PATH?=	${LOCALBASE}/bin/ssh-askpass
 
 post-patch:
 	@${REINPLACE_CMD} \
 	    -e 's|install: \(.*\) host-key check-config|install: \1|g' \
 	    ${WRKSRC}/Makefile.in
 	@${REINPLACE_CMD} \
 	    -e 's|$$[{(]libexecdir[})]/ssh-askpass|${SSH_ASKPASS_PATH}|' \
 	    ${WRKSRC}/Makefile.in ${WRKSRC}/configure.ac
 	@${REINPLACE_CMD} \
 	    -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \
 	    ${WRKSRC}/sshd_config
 	@${REINPLACE_CMD} \
 	    -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \
 	    ${WRKSRC}/sshd_config.5
 	@${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT	"${VERSION_ADDENDUM_DEFAULT}"' >> \
 		${WRKSRC}/version.h
 
 post-configure-XMSS-on:
 	@${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h
 
 post-configure-BLACKLISTD-on:
 	@${ECHO_CMD} "#define USE_BLACKLIST 1" >> ${WRKSRC}/config.h
 
 post-install:
 	${MV} ${STAGEDIR}${ETCDIR}/moduli \
 	    ${STAGEDIR}${ETCDIR}/moduli.sample
 	${MV} ${STAGEDIR}${ETCDIR}/ssh_config \
 	    ${STAGEDIR}${ETCDIR}/ssh_config.sample
 	${MV} ${STAGEDIR}${ETCDIR}/sshd_config \
 	    ${STAGEDIR}${ETCDIR}/sshd_config.sample
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 	${MKDIR} ${STAGEDIR}${DOCSDIR}
 	${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
 .endif
 
 test: build
 	cd ${WRKSRC} && ${SETENV} -i \
 		OBJ=${WRKDIR} ${MAKE_ENV:NHOME=*} \
 		TEST_SHELL=${SH} \
 		SUDO="${SUDO}" \
 		LOGNAME="${LOGNAME}" \
 		HOME="${HOME}" \
 		TEST_SSH_TRACE=yes \
 		PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
 		${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
 
 .include <bsd.port.post.mk>
diff --git a/security/openssh-portable/files/openssh.in b/security/openssh-portable/files/openssh.in
index 663915f1f931..9526a70b0d07 100644
--- a/security/openssh-portable/files/openssh.in
+++ b/security/openssh-portable/files/openssh.in
@@ -1,178 +1,179 @@
 #!/bin/sh
 
 # PROVIDE: openssh
 # REQUIRE: DAEMON
 # KEYWORD: shutdown
 #
 # Add the following lines to /etc/rc.conf to enable openssh:
 #
 # openssh_enable (bool):	Set it to "YES" to enable openssh.
 #				Default is "NO".
 # openssh_flags (flags):	Set extra flags to openssh.
 #				Default is "". see sshd(1).
 # openssh_pidfile (file):	Set full path to pid file.
 
 . /etc/rc.subr
 
 name="openssh"
 rcvar=openssh_enable
 
 load_rc_config ${name}
 
 : ${openssh_enable:="NO"}
 : ${openssh_skipportscheck="NO"}
 
+# These only control ssh-keygen automatically generating host keys.
 : ${openssh_dsa_enable="YES"}
 : ${openssh_dsa_flags=""}
 : ${openssh_rsa_enable="YES"}
 : ${openssh_rsa_flags=""}
 : ${openssh_ecdsa_enable="YES"}
 : ${openssh_ecdsa_flags=""}
 : ${openssh_ed25519_enable="YES"}
 : ${openssh_ed25519_flags=""}
 
 command=%%PREFIX%%/sbin/sshd
 extra_commands="configtest reload keygen"
 start_precmd="${name}_checks"
 reload_precmd="${name}_checks"
 restart_precmd="${name}_checks"
 configtest_cmd="${name}_configtest"
 keygen_cmd="${name}_keygen"
 pidfile=${openssh_pidfile:="/var/run/sshd.pid"}
 
 openssh_keygen()
 {
 	local skip_dsa= skip_rsa= skip_ecdsa= skip_ed25519=
 	checkyesno openssh_dsa_enable || skip_dsa=y
 	checkyesno openssh_rsa_enable || skip_rsa=y
 	checkyesno openssh_ecdsa_enable || skip_ecdsa=y
 	checkyesno openssh_ed25519_enable || skip_ed25519=y
 
 	if [ \( -n "$skip_dsa" -o -f %%ETCDIR%%/ssh_host_dsa_key \) -a \
 	    \( -n "$skip_rsa" -o -f %%ETCDIR%%/ssh_host_rsa_key \) -a \
 	    \( -n "$skip_ecdsa" -o -f %%ETCDIR%%/ssh_host_ecdsa_key \) -a \
 	    \( -n "$skip_ed25519" -o -f %%ETCDIR%%/ssh_host_ed25519_key \) ]; then
 		return 0
 	fi
 
 	umask 022
 
 	# Can't do anything if ssh is not installed
 	[ -x %%PREFIX%%/bin/ssh-keygen ] ||
 		err 1 "%%PREFIX%%/bin/ssh-keygen does not exist."
 
 	if [ -f %%ETCDIR%%/ssh_host_dsa_key ]; then
 		echo "You already have a DSA host key" \
 			"in %%ETCDIR%%/ssh_host_dsa_key"
 		echo "Skipping protocol version 2 DSA Key Generation"
 	elif checkyesno openssh_dsa_enable; then
 		%%PREFIX%%/bin/ssh-keygen -t dsa $openssh_dsa_flags \
 			-f %%ETCDIR%%/ssh_host_dsa_key -N ''
 	fi
 
 	if [ -f %%ETCDIR%%/ssh_host_rsa_key ]; then
 		echo "You already have a RSA host key" \
 			"in %%ETCDIR%%/ssh_host_rsa_key"
 		echo "Skipping protocol version 2 RSA Key Generation"
 	elif checkyesno openssh_rsa_enable; then
 		%%PREFIX%%/bin/ssh-keygen -t rsa $openssh_rsa_flags \
 			-f %%ETCDIR%%/ssh_host_rsa_key -N ''
 	fi
 
 	if [ -f %%ETCDIR%%/ssh_host_ecdsa_key ]; then
 		echo "You already have a Elliptic Curve DSA host key" \
 			"in %%ETCDIR%%/ssh_host_ecdsa_key"
 		echo "Skipping protocol version 2 Elliptic Curve DSA Key Generation"
 	elif checkyesno openssh_ecdsa_enable; then
 		%%PREFIX%%/bin/ssh-keygen -t ecdsa $openssh_ecdsa_flags \
 			-f %%ETCDIR%%/ssh_host_ecdsa_key -N ''
 	fi
 
 	if [ -f %%ETCDIR%%/ssh_host_ed25519_key ]; then
 		echo "You already have a Elliptic Curve ED25519 host key" \
 			"in %%ETCDIR%%/ssh_host_ed25519_key"
 		echo "Skipping protocol version 2 Elliptic Curve ED25519 Key Generation"
 	elif checkyesno openssh_ed25519_enable; then
 		%%PREFIX%%/bin/ssh-keygen -t ed25519 $openssh_ed22519_flags \
 			-f %%ETCDIR%%/ssh_host_ed25519_key -N ''
 	fi
 }
 
 openssh_check_same_ports(){
     # check if opensshd don't use base system sshd's port
     #
     # openssh binds ports in priority (lowest first):
     # Port from sshd_config
     # -p option from command line
     # ListenAddress addr:port from sshd_config
 
 
     #check if opensshd-portable installed in replacement of base sshd
     if [ "%%ETCDIR%%" = "/etc/ssh" ]; then
         return 1
     fi
 
     self_port=$(awk '$1~/^ListenAddress/ \
         {mlen=match($0,":[0-9]*$"); print \
         substr($0,mlen+1,length($0)-mlen)}' %%ETCDIR%%/sshd_config)
     if [ -z "$self_port" ]; then
         self_port=$(echo $openssh_flags | awk \
             '{for (i = 1; i <= NF; i++) if ($i == "-p") \
             {i++; printf "%s", $i; break; }; }')
         if [ -z "$self_port" ]; then
             self_port=$(awk '$1~/^Port/ {print $2}' \
                 %%ETCDIR%%/sshd_config)
         fi
     fi
     # assume default 22 port
     if [ -z "$self_port" ]; then
         self_port=22
     fi
 
     load_rc_config "sshd"
 
     base_sshd_port=$(awk '$1~/^ListenAddress/ \
         {mlen=match($0,":[0-9]*$"); print \
         substr($0,mlen+1,length($0)-mlen)}' /etc/ssh/sshd_config)
     if [ -z "$base_sshd_port" ]; then
         base_sshd_port=$(echo $sshd_flags | awk \
             '{for (i = 1; i <= NF; i++) if ($i == "-p") \
             {i++; printf "%s", $i; break; }; }')
         if [ -z "$base_sshd_port" ]; then
             base_sshd_port=$(awk '$1~/^Port/ {print $2}' \
                 /etc/ssh/sshd_config)
         fi
     fi
     if [ -z "$base_sshd_port" ]; then
         base_sshd_port=22
     fi
 
     # self_port and base_sshd_port may have multiple values. Compare them all
     for sport in ${self_port}; do
 	    for bport in ${base_sshd_port}; do
 		    [ ${sport} -eq ${bport} ] && return 0
 	    done
     done
 
     return 1
 }
 
 openssh_configtest()
 {
 	echo "Performing sanity check on ${name} configuration."
 	eval ${command} ${openssh_flags} -t
 }
 
 openssh_checks()
 {
 	if checkyesno sshd_enable ; then
       if openssh_check_same_ports && ! checkyesno openssh_skipportscheck; then
           err 1 "sshd_enable is set, but $name and /usr/sbin/sshd use the same port"
       fi
 	fi
 
 	openssh_keygen
 	openssh_configtest
 }
 
 run_rc_command "$1"