diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 064b00ab8cb3..2991ee04084c 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,242 +1,241 @@
 PORTNAME=	openssh
-DISTVERSION=	9.3p2
-PORTREVISION=	2
+DISTVERSION=	9.6p1
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
 PKGNAMESUFFIX?=	-portable
 
 MAINTAINER=	bdrewery@FreeBSD.org
 COMMENT=	The portable version of OpenBSD's OpenSSH
 WWW=		https://www.openssh.com/portable.html
 
 LICENSE=	OPENSSH
 LICENSE_NAME=	OpenSSH Licenses
 LICENSE_FILE=	${WRKSRC}/LICENCE
 LICENSE_PERMS=	dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
 
 CONFLICTS?=		openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel
 
 USES=			alias autoreconf compiler:c11 cpe localbase ncurses \
 			pkgconfig ssl
 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS=		--prefix=${PREFIX} \
 			--without-zlib-version-check \
 			--with-ssl-engine \
-			--with-mantype=man \
-			--with-Werror
+			--with-mantype=man
 
 ETCOLD=			${PREFIX}/etc
 
 CPE_VENDOR=		openbsd
 
 FLAVORS=			default hpn gssapi
 default_CONFLICTS_INSTALL=	openssh-portable-hpn openssh-portable-gssapi \
 				openssh-portable-x509
 hpn_CONFLICTS_INSTALL=		openssh-portable openssh-portable-gssapi \
 				openssh-portable-x509
 hpn_PKGNAMESUFFIX=		-portable-hpn
 gssapi_CONFLICTS_INSTALL=	openssh-portable openssh-portable-hpn \
 				openssh-portable-x509
 gssapi_PKGNAMESUFFIX=		-portable-gssapi
 
 OPTIONS_DEFINE=		DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN KERB_GSSAPI \
 			LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD
 OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F
 .if ${FLAVOR:U} == hpn
 OPTIONS_DEFAULT+=	HPN NONECIPHER
 .endif
 .if ${FLAVOR:U} == gssapi
 OPTIONS_DEFAULT+=	KERB_GSSAPI MIT
 .endif
 OPTIONS_RADIO=		KERBEROS
 OPTIONS_RADIO_KERBEROS=	MIT HEIMDAL HEIMDAL_BASE
 TCP_WRAPPERS_DESC=	tcp_wrappers support
 BSM_DESC=		OpenBSM Auditing
 KERB_GSSAPI_DESC=	Kerberos/GSSAPI patch (req: GSSAPI)
 HPN_DESC=		HPN-SSH patch
 LDNS_DESC=		SSHFP/LDNS support
 HEIMDAL_DESC=		Heimdal Kerberos (security/heimdal)
 HEIMDAL_BASE_DESC=	Heimdal Kerberos (base)
 MIT_DESC=		MIT Kerberos (security/krb5)
 NONECIPHER_DESC=	NONE Cipher support
 XMSS_DESC=		XMSS key support (experimental)
 FIDO_U2F_DESC=		FIDO/U2F support (security/libfido2)
 BLACKLISTD_DESC=	FreeBSD blacklistd(8) support
 
 OPTIONS_SUB=		yes
 
 PAM_EXTRA_PATCHES=	${FILESDIR}/extra-patch-pam-sshd_config
 
 TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
 
 LDNS_CONFIGURE_WITH=	ldns=${LOCALBASE}
 LDNS_LIB_DEPENDS=	libldns.so:dns/ldns
 LDNS_EXTRA_PATCHES=	${FILESDIR}/extra-patch-ldns
 
 HPN_CONFIGURE_WITH=		hpn
 NONECIPHER_CONFIGURE_WITH=	nonecipher
 
 MIT_LIB_DEPENDS=		libkrb5.so.3:security/krb5
 HEIMDAL_LIB_DEPENDS=		libkrb5.so.26:security/heimdal
 
 PAM_CONFIGURE_WITH=	pam
 TCP_WRAPPERS_CONFIGURE_WITH=	tcp-wrappers
 
 LIBEDIT_CONFIGURE_WITH=	libedit
 LIBEDIT_USES=		libedit
 BSM_CONFIGURE_ON=	--with-audit=bsm
 
 FIDO_U2F_LIB_DEPENDS=	libfido2.so:security/libfido2
 FIDO_U2F_CONFIGURE_ON=	--with-security-key-builtin
 FIDO_U2F_CONFIGURE_OFF=	--disable-security-key
 
 BLACKLISTD_EXTRA_PATCHES=	${FILESDIR}/extra-patch-blacklistd
 
 ETCDIR?=		${PREFIX}/etc/ssh
 
 .include <bsd.port.pre.mk>
 
 PATCH_SITES+=	http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
 
 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
 #BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 .  endif
 # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
 # pull from.
 GSSAPI_DEBIAN_VERSION=	9.4p1
 GSSAPI_DEBIAN_SUBDIR=	${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1
 # - Debian does not use a versioned filename so we trick fetch to make one for
 # us with the ?<anything>=/ trick.
 PATCH_SITES+=	https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
 # Bump this when updating the patch location
 GSSAPI_DISTVERSION=	9.4p1
 PATCHFILES+=	openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-auth2-gss.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgssc.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgsss.c
 .endif
 
 .if ${PORT_OPTIONS:MBLACKLISTD}
 CONFIGURE_LIBS+=	-lblacklist
 .endif
 
 # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 #BROKEN=			HPN: Not yet updated for ${DISTVERSION} yet.
 PORTDOCS+=		HPN-README
 HPN_VERSION=		14v15
 HPN_DISTVERSION=	7.7p1
 #PATCH_SITES+=		SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
 #PATCHFILES+=		${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn:-p2
 .elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER}
 # Apply compatibility patch
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn-compat
 .endif
 
 CONFIGURE_ARGS+=	--disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
 
 # Keep this last
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-version-addendum
 
 .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI}
 BROKEN=		KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
 .endif
 
 .if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
 IGNORE=		you have selected HEIMDAL_BASE but do not have heimdal installed in base
 .endif
 
 .if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE}
 .	if ${PORT_OPTIONS:MHEIMDAL_BASE}
 CONFIGURE_LIBS+=	-lgssapi_krb5
 CONFIGURE_ARGS+=	--with-kerberos5=/usr
 .	else
 CONFIGURE_ARGS+=	--with-kerberos5=${LOCALBASE}
 .	endif
 .	if ${OPENSSLBASE} == "/usr"
 CONFIGURE_ARGS+=	--without-rpath
 LDFLAGS=		# empty
 .	endif
 .else
 .	if ${PORT_OPTIONS:MKERB_GSSAPI}
 IGNORE=	KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE
 .	endif
 .endif
 
 .if ${OPENSSLBASE} != "/usr"
 CONFIGURE_ARGS+=	--with-ssl-dir=${OPENSSLBASE}
 .endif
 
 EMPTYDIR=		/var/empty
 
 USE_RC_SUBR=		openssh
 
 # After all
 CONFIGURE_ARGS+=	--sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR}
 .if !empty(CONFIGURE_LIBS)
 CONFIGURE_ARGS+=	--with-libs='${CONFIGURE_LIBS}'
 .endif
 
 CONFIGURE_ARGS+=	--with-xauth=${LOCALBASE}/bin/xauth
 
 RC_SCRIPT_NAME=		openssh
 VERSION_ADDENDUM_DEFAULT?=	${OPSYS}-${PKGNAME}
 
 CFLAGS+=	${CFLAGS_${CHOSEN_COMPILER_TYPE}}
 CFLAGS_gcc=	-Wno-stringop-truncation -Wno-stringop-overflow
 
 SSH_ASKPASS_PATH?=	${LOCALBASE}/bin/ssh-askpass
 
 post-patch:
 	@${REINPLACE_CMD} \
 	    -e 's|install: \(.*\) host-key check-config|install: \1|g' \
 	    ${WRKSRC}/Makefile.in
 	@${REINPLACE_CMD} \
 	    -e 's|$$[{(]libexecdir[})]/ssh-askpass|${SSH_ASKPASS_PATH}|' \
 	    ${WRKSRC}/Makefile.in ${WRKSRC}/configure.ac
 	@${REINPLACE_CMD} \
 	    -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \
 	    ${WRKSRC}/sshd_config
 	@${REINPLACE_CMD} \
 	    -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \
 	    ${WRKSRC}/sshd_config.5
 	@${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT	"${VERSION_ADDENDUM_DEFAULT}"' >> \
 		${WRKSRC}/version.h
 
 post-configure-XMSS-on:
 	@${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h
 
 post-configure-BLACKLISTD-on:
 	@${ECHO_CMD} "#define USE_BLACKLIST 1" >> ${WRKSRC}/config.h
 
 post-install:
 	${MV} ${STAGEDIR}${ETCDIR}/moduli \
 	    ${STAGEDIR}${ETCDIR}/moduli.sample
 	${MV} ${STAGEDIR}${ETCDIR}/ssh_config \
 	    ${STAGEDIR}${ETCDIR}/ssh_config.sample
 	${MV} ${STAGEDIR}${ETCDIR}/sshd_config \
 	    ${STAGEDIR}${ETCDIR}/sshd_config.sample
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 	${MKDIR} ${STAGEDIR}${DOCSDIR}
 	${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
 .endif
 
 test: build
 	cd ${WRKSRC} && ${SETENV} -i \
 		OBJ=${WRKDIR} ${MAKE_ENV:NHOME=*} \
 		TEST_SHELL=${SH} \
 		SUDO="${SUDO}" \
 		LOGNAME="${LOGNAME}" \
 		HOME="${HOME}" \
 		TEST_SSH_TRACE=yes \
 		PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
 		${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
 
 .include <bsd.port.post.mk>
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 244080affd21..8f546e9ce2c5 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,5 +1,3 @@
-TIMESTAMP = 1695396338
-SHA256 (openssh-9.3p2.tar.gz) = 200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8
-SIZE (openssh-9.3p2.tar.gz) = 1835850
-SHA256 (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 9492c1db4307aa3fe6e12d77fff01376bf275af2980ae55b926a505aae9e9b14
-SIZE (openssh-9.4p1-gsskex-all-debian-rh-9.4p1.patch) = 131674
+TIMESTAMP = 1703034264
+SHA256 (openssh-9.6p1.tar.gz) = 910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c
+SIZE (openssh-9.6p1.tar.gz) = 1857862
diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat
index 6f6a0e1aa358..b3a5e0973609 100644
--- a/security/openssh-portable/files/extra-patch-hpn-compat
+++ b/security/openssh-portable/files/extra-patch-hpn-compat
@@ -1,46 +1,46 @@
 ------------------------------------------------------------------------
 r294563 | des | 2016-01-22 05:13:46 -0800 (Fri, 22 Jan 2016) | 3 lines
 Changed paths:
    M /head/crypto/openssh/servconf.c
 
 Instead of removing the NoneEnabled option, mark it as unsupported.
 (should have done this in r291198, but didn't think of it until now)
 
 ------------------------------------------------------------------------
 ------------------------------------------------------------------------
 r294564 | des | 2016-01-22 06:22:11 -0800 (Fri, 22 Jan 2016) | 2 lines
 Changed paths:
    M /head/crypto/openssh/readconf.c
 
 r294563 was incomplete; re-add the client-side options as well.
 
 ------------------------------------------------------------------------
 
---- readconf.c.orig	2023-02-03 11:17:45.506822000 -0800
-+++ readconf.c	2023-02-03 11:30:14.894959000 -0800
-@@ -323,6 +323,12 @@ static struct {
- 	{ "knownhostscommand", oKnownHostsCommand },
- 	{ "requiredrsasize", oRequiredRSASize },
+--- readconf.c.orig	2023-12-19 17:09:41.366788000 -0800
++++ readconf.c	2023-12-19 17:10:24.155247000 -0800
+@@ -329,6 +329,12 @@
  	{ "enableescapecommandline", oEnableEscapeCommandline },
+ 	{ "obscurekeystroketiming", oObscureKeystrokeTiming },
+ 	{ "channeltimeout", oChannelTimeout },
 +	{ "hpndisabled", oDeprecated },
 +	{ "hpnbuffersize", oDeprecated },
 +	{ "tcprcvbufpoll", oDeprecated },
 +	{ "tcprcvbuf", oDeprecated },
 +	{ "noneenabled", oUnsupported },
 +	{ "noneswitch", oUnsupported },
  
  	{ NULL, oBadOption }
  };
---- servconf.c.orig	2023-02-02 04:21:54.000000000 -0800
-+++ servconf.c	2023-02-03 11:31:00.387624000 -0800
-@@ -695,6 +695,10 @@ static struct {
+--- servconf.c.orig	2023-12-19 17:11:52.320491000 -0800
++++ servconf.c	2023-12-19 17:12:43.950318000 -0800
+@@ -693,6 +693,10 @@
  	{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
  	{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
  	{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
 +	{ "noneenabled", sUnsupported, SSHCFG_ALL },
 +	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
 +	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },
 +	{ "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
  	{ NULL, sBadOption, 0 }
  };
  
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index 9fc1abc0dfab..cd85012d883f 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -1,97 +1,97 @@
 --- UTC
 r110506 | des | 2003-02-07 09:48:27 -0600 (Fri, 07 Feb 2003) | 4 lines
 
 Set the ruid to the euid at startup as a workaround for a bug in pam_ssh.
 
 r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
 
 Add a -x option that causes ssh-agent(1) to exit when all clients have
 disconnected.
 
---- ssh-agent.c.orig	2023-02-02 04:21:54.000000000 -0800
-+++ ssh-agent.c	2023-02-03 10:55:34.277561000 -0800
-@@ -188,11 +188,28 @@ static int restrict_websafe = 1;
+--- ssh-agent.c.orig	2023-12-18 06:59:50.000000000 -0800
++++ ssh-agent.c	2023-12-19 17:16:22.128981000 -0800
+@@ -196,11 +196,28 @@
  /* Refuse signing of non-SSH messages for web-origin FIDO keys */
  static int restrict_websafe = 1;
  
 +/*
 + * Client connection count; incremented in new_socket() and decremented in
 + * close_socket().  When it reaches 0, ssh-agent will exit.  Since it is
 + * normally initialized to 1, it will never reach 0.  However, if the -x
 + * option is specified, it is initialized to 0 in main(); in that case,
 + * ssh-agent will exit as soon as it has had at least one client but no
 + * longer has any.
 + */
 +static int xcount = 1;
 +
  static void
  close_socket(SocketEntry *e)
  {
  	size_t i;
 +	int last = 0;
  
 +	if (e->type == AUTH_CONNECTION) {
 +		debug("xcount %d -> %d", xcount, xcount - 1);
 +		if (--xcount == 0)
 +			last = 1;
 +	}
 +
  	close(e->fd);
  	sshbuf_free(e->input);
  	sshbuf_free(e->output);
-@@ -205,6 +222,8 @@ close_socket(SocketEntry *e)
+@@ -213,6 +230,8 @@
  	memset(e, '\0', sizeof(*e));
  	e->fd = -1;
  	e->type = AUTH_UNUSED;
 +	if (last)
 +		cleanup_exit(0);
  }
  
  static void
-@@ -1698,6 +1717,10 @@ new_socket(sock_type type, int fd)
+@@ -1893,6 +1912,10 @@
  
  	debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
  	    (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
 +	if (type == AUTH_CONNECTION) {
 +		debug("xcount %d -> %d", xcount, xcount + 1);
 +		++xcount;
 +	}
  	set_nonblock(fd);
  
  	if (fd > max_fd)
-@@ -1990,7 +2013,7 @@ usage(void)
+@@ -2184,7 +2207,7 @@
  usage(void)
  {
  	fprintf(stderr,
 -	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
 +	    "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
  	    "                 [-O option] [-P allowed_providers] [-t life]\n"
  	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]\n"
  	    "                 [-P allowed_providers] [-t life] command [arg ...]\n"
-@@ -2024,6 +2047,7 @@ main(int ac, char **av)
+@@ -2218,6 +2241,7 @@
  	/* drop */
- 	setegid(getgid());
- 	setgid(getgid());
-+	setuid(geteuid());
+ 	(void)setegid(getgid());
+ 	(void)setgid(getgid());
++	(void)setuid(geteuid());
  
  	platform_disable_tracing(0);	/* strict=no */
  
-@@ -2035,7 +2059,7 @@ main(int ac, char **av)
+@@ -2229,7 +2253,7 @@
  	__progname = ssh_get_progname(av[0]);
  	seed_rng();
  
 -	while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
 +	while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) {
  		switch (ch) {
  		case 'E':
  			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -2084,6 +2108,9 @@ main(int ac, char **av)
+@@ -2280,6 +2304,9 @@
  				fprintf(stderr, "Invalid lifetime\n");
  				usage();
  			}
 +			break;
 +		case 'x':
 +			xcount = 0;
  			break;
  		default:
  			usage();
diff --git a/security/openssh-portable/files/patch-ssh_config b/security/openssh-portable/files/patch-ssh_config
deleted file mode 100644
index efad15f126fd..000000000000
--- a/security/openssh-portable/files/patch-ssh_config
+++ /dev/null
@@ -1,17 +0,0 @@
---- UTC
-r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines
-
-Document the FreeBSD default for CheckHostIP, which was changed in
-rev 1.2 of readconf.c.
-
---- ssh_config.orig	2010-01-12 01:40:27.000000000 -0700
-+++ ssh_config	2010-09-14 16:14:13.000000000 -0600
-@@ -27,7 +27,7 @@
- #   GSSAPIAuthentication no
- #   GSSAPIDelegateCredentials no
- #   BatchMode no
--#   CheckHostIP yes
-+#   CheckHostIP no
- #   AddressFamily any
- #   ConnectTimeout 0
- #   StrictHostKeyChecking ask