diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 75f4d206e817..f55a7bd0c630 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,241 +1,241 @@
 # Created by: dwcjr@inethouston.net
 
 PORTNAME=	openssh
 DISTVERSION=	8.9p1
-PORTREVISION=	3
+PORTREVISION=	4
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
 PKGNAMESUFFIX?=	-portable
 
 MAINTAINER=	bdrewery@FreeBSD.org
 COMMENT=	The portable version of OpenBSD's OpenSSH
 
 LICENSE=	OPENSSH
 LICENSE_NAME=	OpenSSH Licenses
 LICENSE_FILE=	${WRKSRC}/LICENCE
 LICENSE_PERMS=	dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
 
 CONFLICTS?=		openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel
 
 USES=			alias autoreconf compiler:c11 cpe localbase ncurses \
 			pkgconfig ssl
 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS=		--prefix=${PREFIX} \
 			--with-ssl-engine \
 			--with-mantype=man \
 			--with-Werror
 
 ETCOLD=			${PREFIX}/etc
 
 CPE_VENDOR=		openbsd
 
 FLAVORS=			default hpn gssapi
 default_CONFLICTS_INSTALL=	openssh-portable-hpn openssh-portable-gssapi \
 				openssh-portable-x509
 hpn_CONFLICTS_INSTALL=		openssh-portable openssh-portable-gssapi \
 				openssh-portable-x509
 hpn_PKGNAMESUFFIX=		-portable-hpn
 gssapi_CONFLICTS_INSTALL=	openssh-portable openssh-portable-hpn \
 				openssh-portable-x509
 gssapi_PKGNAMESUFFIX=		-portable-gssapi
 
 OPTIONS_DEFINE=		DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN KERB_GSSAPI \
 			LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD
 OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F
 .if ${FLAVOR:U} == hpn
 OPTIONS_DEFAULT+=	HPN NONECIPHER
 .endif
 .if ${FLAVOR:U} == gssapi
 OPTIONS_DEFAULT+=	KERB_GSSAPI MIT
 .endif
 OPTIONS_RADIO=		KERBEROS
 OPTIONS_RADIO_KERBEROS=	MIT HEIMDAL HEIMDAL_BASE
 TCP_WRAPPERS_DESC=	tcp_wrappers support
 BSM_DESC=		OpenBSM Auditing
 KERB_GSSAPI_DESC=	Kerberos/GSSAPI patch (req: GSSAPI)
 HPN_DESC=		HPN-SSH patch
 LDNS_DESC=		SSHFP/LDNS support
 HEIMDAL_DESC=		Heimdal Kerberos (security/heimdal)
 HEIMDAL_BASE_DESC=	Heimdal Kerberos (base)
 MIT_DESC=		MIT Kerberos (security/krb5)
 NONECIPHER_DESC=	NONE Cipher support
 XMSS_DESC=		XMSS key support (experimental)
 FIDO_U2F_DESC=		FIDO/U2F support (security/libfido2)
 BLACKLISTD_DESC=	FreeBSD blacklistd(8) support
 
 OPTIONS_SUB=		yes
 
 PAM_EXTRA_PATCHES=	${FILESDIR}/extra-patch-pam-sshd_config
 
 TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
 
 LDNS_CONFIGURE_WITH=	ldns=${LOCALBASE}
 LDNS_LIB_DEPENDS=	libldns.so:dns/ldns
 LDNS_EXTRA_PATCHES=	${FILESDIR}/extra-patch-ldns
 
 HPN_CONFIGURE_WITH=		hpn
 NONECIPHER_CONFIGURE_WITH=	nonecipher
 
 MIT_LIB_DEPENDS=		libkrb5.so.3:security/krb5
 HEIMDAL_LIB_DEPENDS=		libkrb5.so.26:security/heimdal
 
 PAM_CONFIGURE_WITH=	pam
 TCP_WRAPPERS_CONFIGURE_WITH=	tcp-wrappers
 
 LIBEDIT_CONFIGURE_WITH=	libedit
 LIBEDIT_USES=		libedit
 BSM_CONFIGURE_ON=	--with-audit=bsm
 
 FIDO_U2F_LIB_DEPENDS=	libfido2.so:security/libfido2
 FIDO_U2F_CONFIGURE_ON=	--with-security-key-builtin
 FIDO_U2F_CONFIGURE_OFF=	--disable-security-key
 
 BLACKLISTD_EXTRA_PATCHES=	${FILESDIR}/extra-patch-blacklistd
 
 ETCDIR?=		${PREFIX}/etc/ssh
 
 .include <bsd.port.pre.mk>
 
 PATCH_SITES+=	http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
 
 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
 #BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 .  endif
 # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
 # pull from.
 GSSAPI_DEBIAN_SUBDIR=	${DISTVERSION}-3
 # - Debian does not use a versioned filename so we trick fetch to make one for
 # us with the ?<anything>=/ trick.
 PATCH_SITES+=	https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
 # Bump this when updating the patch location
 GSSAPI_UPDATE_DATE=	20220203
 PATCHFILES+=	openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-auth2-gss.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgssc.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgsss.c
 .endif
 
 .if ${PORT_OPTIONS:MBLACKLISTD}
 CONFIGURE_LIBS+=	-lblacklist
 .endif
 
 # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 #BROKEN=			HPN: Not yet updated for ${DISTVERSION} yet.
 PORTDOCS+=		HPN-README
 HPN_VERSION=		14v15
 HPN_DISTVERSION=	7.7p1
 #PATCH_SITES+=		SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
 #PATCHFILES+=		${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn:-p2
 .elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER}
 # Apply compatibility patch
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn-compat
 .endif
 
 CONFIGURE_ARGS+=	--disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
 
 # Keep this last
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-version-addendum
 
 .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI}
 BROKEN=		KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
 .endif
 
 .if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
 IGNORE=		you have selected HEIMDAL_BASE but do not have heimdal installed in base
 .endif
 
 .if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE}
 .	if ${PORT_OPTIONS:MHEIMDAL_BASE}
 CONFIGURE_LIBS+=	-lgssapi_krb5
 CONFIGURE_ARGS+=	--with-kerberos5=/usr
 .	else
 CONFIGURE_ARGS+=	--with-kerberos5=${LOCALBASE}
 .	endif
 .	if ${OPENSSLBASE} == "/usr"
 CONFIGURE_ARGS+=	--without-rpath
 LDFLAGS=		# empty
 .	endif
 .else
 .	if ${PORT_OPTIONS:MKERB_GSSAPI}
 IGNORE=	KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE
 .	endif
 .endif
 
 .if ${OPENSSLBASE} != "/usr"
 CONFIGURE_ARGS+=	--with-ssl-dir=${OPENSSLBASE}
 .endif
 
 EMPTYDIR=		/var/empty
 
 USE_RC_SUBR=		openssh
 
 # After all
 CONFIGURE_ARGS+=	--sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR}
 .if !empty(CONFIGURE_LIBS)
 CONFIGURE_ARGS+=	--with-libs='${CONFIGURE_LIBS}'
 .endif
 
 CONFIGURE_ARGS+=	--with-xauth=${LOCALBASE}/bin/xauth
 
 RC_SCRIPT_NAME=		openssh
 VERSION_ADDENDUM_DEFAULT?=	${OPSYS}-${PKGNAME}
 
 CFLAGS+=	${CFLAGS_${CHOSEN_COMPILER_TYPE}}
 CFLAGS_gcc=	-Wno-stringop-truncation -Wno-stringop-overflow
 
 SSH_ASKPASS_PATH?=	${LOCALBASE}/bin/ssh-askpass
 
 post-patch:
 	@${REINPLACE_CMD} \
 	    -e 's|install: \(.*\) host-key check-config|install: \1|g' \
 	    ${WRKSRC}/Makefile.in
 	@${REINPLACE_CMD} \
 	    -e 's|$$[{(]libexecdir[})]/ssh-askpass|${SSH_ASKPASS_PATH}|' \
 	    ${WRKSRC}/Makefile.in ${WRKSRC}/configure.ac
 	@${REINPLACE_CMD} \
 	    -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \
 	    ${WRKSRC}/sshd_config
 	@${REINPLACE_CMD} \
 	    -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \
 	    ${WRKSRC}/sshd_config.5
 	@${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT	"${VERSION_ADDENDUM_DEFAULT}"' >> \
 		${WRKSRC}/version.h
 
 post-configure-XMSS-on:
 	@${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h
 
 post-configure-BLACKLISTD-on:
 	@${ECHO_CMD} "#define USE_BLACKLIST 1" >> ${WRKSRC}/config.h
 
 post-install:
 	${MV} ${STAGEDIR}${ETCDIR}/moduli \
 	    ${STAGEDIR}${ETCDIR}/moduli.sample
 	${MV} ${STAGEDIR}${ETCDIR}/ssh_config \
 	    ${STAGEDIR}${ETCDIR}/ssh_config.sample
 	${MV} ${STAGEDIR}${ETCDIR}/sshd_config \
 	    ${STAGEDIR}${ETCDIR}/sshd_config.sample
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 	${MKDIR} ${STAGEDIR}${DOCSDIR}
 	${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
 .endif
 
 test: build
 	cd ${WRKSRC} && ${SETENV} -i \
 		OBJ=${WRKDIR} ${MAKE_ENV:NHOME=*} \
 		TEST_SHELL=${SH} \
 		SUDO="${SUDO}" \
 		LOGNAME="${LOGNAME}" \
 		HOME="${HOME}" \
 		TEST_SSH_TRACE=yes \
 		PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
 		${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
 
 .include <bsd.port.post.mk>
diff --git a/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata
new file mode 100644
index 000000000000..bf3889265b77
--- /dev/null
+++ b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata
@@ -0,0 +1,43 @@
+commit fc3c19a9fceeea48a9259ac3833a125804342c0e
+Author: Ed Maste <emaste@FreeBSD.org>
+Date:   Sat Oct 6 21:32:55 2018 +0000
+
+    sshd: address capsicum issues
+    
+    * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
+      capability mode.
+    * Cache timezone data via caph_cache_tzdata() as we cannot access the
+      timezone file.
+    * Reverse resolve hostname before entering capability mode.
+    
+    PR:             231172
+    Submitted by:   naito.yuichiro@gmail.com
+    Reviewed by:    cem, des
+    Approved by:    re (rgrimes)
+    MFC after:      3 weeks
+    Differential Revision:  https://reviews.freebsd.org/D17128
+
+Notes:
+    svn path=/head/; revision=339216
+
+diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c
+index 5f41d526292b..f728abd18250 100644
+--- sandbox-capsicum.c
++++ sandbox-capsicum.c
+@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$");
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <capsicum_helpers.h>
+ 
+ #include "log.h"
+ #include "monitor.h"
+@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box)
+ 	struct rlimit rl_zero;
+ 	cap_rights_t rights;
+ 
++	caph_cache_tzdata();
++
+ 	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+ 
+ 	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
diff --git a/security/openssh-portable/files/patch-FreeBSD-logincap b/security/openssh-portable/files/patch-FreeBSD-logincap
new file mode 100644
index 000000000000..78d772e8a024
--- /dev/null
+++ b/security/openssh-portable/files/patch-FreeBSD-logincap
@@ -0,0 +1,69 @@
+(pulled from the PR)
+
+commit 27ceebbc2402e4c98203c7eef9696f4bd3d326f8
+Author: Ed Maste <emaste@FreeBSD.org>
+Date:   Tue Aug 31 15:30:50 2021 -0400
+
+    openssh: simplify login class restrictions
+
+    Login class-based restrictions were introduced in 5b400a39b8ad.  The
+    code was adapted for sshd's Capsicum sandbox and received many changes
+    over time, including at least fc3c19a9fcee, bd393de91cc3, and
+    e8c56fba2926.
+
+    During an attempt to upstream the work a much simpler approach was
+    suggested.  Adopt it now in the in-tree OpenSSH to reduce conflicts with
+    future updates.
+
+    Submitted by:   Yuchiro Naito (against OpenSSH-portable on GitHub)
+    Obtained from:  https://github.com/openssh/openssh-portable/pull/262
+    Reviewed by:    allanjude, kevans
+    MFC after:      2 weeks
+    Differential Revision:  https://reviews.freebsd.org/D31760
+
+
+--- auth.c
++++ auth.c
+@@ -566,6 +566,9 @@ getpwnamallow(struct ssh *ssh, const char *user)
+ {
+ #ifdef HAVE_LOGIN_CAP
+ 	extern login_cap_t *lc;
++#ifdef HAVE_AUTH_HOSTOK
++	const char *from_host, *from_ip;
++#endif
+ #ifdef BSD_AUTH
+ 	auth_session_t *as;
+ #endif
+@@ -611,6 +614,21 @@ getpwnamallow(struct ssh *ssh, const char *user)
+ 		debug("unable to get login class: %s", user);
+ 		return (NULL);
+ 	}
++#ifdef HAVE_AUTH_HOSTOK
++	from_host = auth_get_canonical_hostname(ssh, options.use_dns);
++	from_ip = ssh_remote_ipaddr(ssh);
++	if (!auth_hostok(lc, from_host, from_ip)) {
++		debug("Denied connection for %.200s from %.200s [%.200s].",
++		      pw->pw_name, from_host, from_ip);
++		return (NULL);
++	}
++#endif /* HAVE_AUTH_HOSTOK */
++#ifdef HAVE_AUTH_TIMEOK
++	if (!auth_timeok(lc, time(NULL))) {
++		debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
++		return (NULL);
++	}
++#endif /* HAVE_AUTH_TIMEOK */
+ #ifdef BSD_AUTH
+ 	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
+ 	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
+--- configure.ac
++++ configure.ac
+@@ -1784,6 +1784,8 @@ AC_SUBST([PICFLAG])
+ 
+ dnl    Checks for library functions. Please keep in alphabetical order
+ AC_CHECK_FUNCS([ \
++	auth_hostok \
++	auth_timeok \
+ 	Blowfish_initstate \
+ 	Blowfish_expandstate \
+ 	Blowfish_expand0state \
diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c
deleted file mode 100644
index 38d366aeaf71..000000000000
--- a/security/openssh-portable/files/patch-auth2.c
+++ /dev/null
@@ -1,47 +0,0 @@
---- UTC
-r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines
-Changed paths:
-   M /head/crypto/openssh/auth2.c
-
-Apply class-imposed login restrictions.
-
---- auth2.c.orig	2020-09-27 00:25:01.000000000 -0700
-+++ auth2.c	2020-11-16 13:55:25.222771000 -0800
-@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct
- 	char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
- 	int r, authenticated = 0;
- 	double tstart = monotime_double();
-+#ifdef HAVE_LOGIN_CAP
-+	login_cap_t *lc;
-+	const char *from_host, *from_ip;
-+#endif
- 
- 	if (authctxt == NULL)
- 		fatal("input_userauth_request: no authctxt");
-@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct
- 		    "not allowed: (%s,%s) -> (%s,%s)",
- 		    authctxt->user, authctxt->service, user, service);
- 	}
-+
-+#ifdef HAVE_LOGIN_CAP
-+	if (authctxt->pw != NULL &&
-+	    (lc = login_getpwclass(authctxt->pw)) != NULL) {
-+		from_host = auth_get_canonical_hostname(ssh, options.use_dns);
-+		from_ip = ssh_remote_ipaddr(ssh);
-+		if (!auth_hostok(lc, from_host, from_ip)) {
-+			logit("Denied connection for %.200s from %.200s [%.200s].",
-+			    authctxt->pw->pw_name, from_host, from_ip);
-+			ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect.");
-+		}
-+		if (!auth_timeok(lc, time(NULL))) {
-+			logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
-+			    authctxt->pw->pw_name, from_host);
-+			ssh_packet_disconnect(ssh, "Logins not available right now.");
-+		}
-+		login_close(lc);
-+	}
-+#endif  /* HAVE_LOGIN_CAP */
-+
- 	/* reset state */
- 	auth2_challenge_stop(ssh);
-