Index: head/security/openssh-portable/files/patch-configure.ac =================================================================== --- head/security/openssh-portable/files/patch-configure.ac (revision 555517) +++ head/security/openssh-portable/files/patch-configure.ac (nonexistent) @@ -1,11 +0,0 @@ ---- configure.ac.orig 2017-04-08 02:15:16 UTC -+++ configure.ac -@@ -1544,7 +1545,7 @@ AC_ARG_WITH([libedit], - LIBEDIT=`$PKGCONFIG --libs libedit` - CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`" - else -- LIBEDIT="-ledit -lcurses" -+ LIBEDIT="-ledit -lncurses" - fi - OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'` - AC_CHECK_LIB([edit], [el_init], Property changes on: head/security/openssh-portable/files/patch-configure.ac ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/openssh-portable/files/patch-auth2.c =================================================================== --- head/security/openssh-portable/files/patch-auth2.c (revision 555517) +++ head/security/openssh-portable/files/patch-auth2.c (revision 555518) 
@@ -1,60 +1,47 @@ --- UTC r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines Changed paths: M /head/crypto/openssh/auth2.c Apply class-imposed login restrictions. ---- auth2.c.orig 2018-10-16 17:01:20.000000000 -0700 -+++ auth2.c 2018-11-10 11:35:07.816193000 -0800 -@@ -48,6 +48,7 @@ - #include "sshkey.h" - #include "hostfile.h" - #include "auth.h" -+#include "canohost.h" - #include "dispatch.h" - #include "pathnames.h" - #include "sshbuf.h" -@@ -258,7 +259,14 @@ input_userauth_request(int type, u_int32_t seq, struct - char *user, *service, *method, *style = NULL; - int authenticated = 0; +--- auth2.c.orig 2020-09-27 00:25:01.000000000 -0700 ++++ auth2.c 2020-11-16 13:55:25.222771000 -0800 +@@ -266,6 +266,10 @@ input_userauth_request(int type, u_int32_t seq, struct + char *user = NULL, *service = NULL, *method = NULL, *style = NULL; + int r, authenticated = 0; double tstart = monotime_double(); +#ifdef HAVE_LOGIN_CAP + login_cap_t *lc; + const char *from_host, *from_ip; - -+ from_host = auth_get_canonical_hostname(ssh, options.use_dns); -+ from_ip = ssh_remote_ipaddr(ssh); +#endif -+ + if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); - -@@ -307,6 +315,27 @@ input_userauth_request(int type, u_int32_t seq, struct - "(%s,%s) -> (%s,%s)", +@@ -317,6 +321,26 @@ input_userauth_request(int type, u_int32_t seq, struct + "not allowed: (%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } + +#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL) { -+ lc = login_getpwclass(authctxt->pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, authctxt->pw); ++ if (authctxt->pw != NULL && ++ (lc = login_getpwclass(authctxt->pw)) != NULL) { ++ from_host = auth_get_canonical_hostname(ssh, options.use_dns); ++ from_ip = ssh_remote_ipaddr(ssh); + if (!auth_hostok(lc, from_host, from_ip)) { + logit("Denied connection for %.200s from %.200s [%.200s].", + authctxt->pw->pw_name, from_host, from_ip); + ssh_packet_disconnect(ssh, 
"Sorry, you are not allowed to connect."); + } + if (!auth_timeok(lc, time(NULL))) { + logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", + authctxt->pw->pw_name, from_host); + ssh_packet_disconnect(ssh, "Logins not available right now."); + } + login_close(lc); -+ lc = NULL; + } +#endif /* HAVE_LOGIN_CAP */ + /* reset state */ auth2_challenge_stop(ssh); Index: head/security/openssh-portable/files/patch-serverloop.c =================================================================== --- head/security/openssh-portable/files/patch-serverloop.c (revision 555517) +++ head/security/openssh-portable/files/patch-serverloop.c (revision 555518) 
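Review bot: The rewritten block fails open when the class lookup fails — the condition `authctxt->pw != NULL && (lc = login_getpwclass(authctxt->pw)) != NULL` skips both `auth_hostok` and `auth_timeok` silently, whereas the old version at least fell back to `login_getclassbyname(NULL, authctxt->pw)`. If skipping is the intended policy for a broken or unreadable login.conf, the branch deserves a comment such as `/* no usable login class: host/time restrictions are not enforced (fail-open) */` and ideally an `else` arm with `logit("login_getpwclass failed for %.200s; class restrictions not checked", authctxt->pw->pw_name);` so the gap is visible in the logs. Note also that `from_host` comes from `auth_get_canonical_hostname(ssh, options.use_dns)`, so a `host.deny` entry by name is only as trustworthy as reverse DNS when UseDNS is on; the IP is passed alongside, which presumably covers the address-based rules. The enclosing `input_userauth_request` begins and ends outside this hunk.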
@@ -1,43 +1,52 @@ ------------------------------------------------------------------------ r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines Changed paths: M /head/crypto/openssh/readconf.c Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED. Submitted upstream, no reaction. -Submitted by: delphij@ -[rewritten for 7.4 by bdrewery@] +Submitted by: delphij +[rewritten for 7.4 by bdrewery] +[base removed this in 7.8 but it is still useful - bdrewery] ---- serverloop.c.orig 2018-11-10 11:38:16.728617000 -0800 -+++ serverloop.c 2018-11-10 11:38:19.497300000 -0800 -@@ -55,6 +55,8 @@ +--- serverloop.c.orig 2020-09-27 00:25:01.000000000 -0700 ++++ serverloop.c 2020-11-16 12:58:44.823775000 -0800 +@@ -56,6 +56,8 @@ #include #include +#include + #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "packet.h" -@@ -109,7 +111,19 @@ bind_permitted(int port, uid_t uid) - { - if (use_privsep) - return 1; /* allow system to decide */ -- if (port < IPPORT_RESERVED && uid != 0) -+ int ipport_reserved; +@@ -104,13 +106,27 @@ static void server_init_dispatch(struct ssh *); + /* requested tunnel forwarding interface(s), shared with session.c */ + char *tun_fwd_ifnames = NULL; + ++static int ++ipport_reserved(void) ++{ +#ifdef __FreeBSD__ -+ size_t len_ipport_reserved = sizeof(ipport_reserved); ++ int old; ++ size_t len = sizeof(old); + + if (sysctlbyname("net.inet.ip.portrange.reservedhigh", -+ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0) -+ ipport_reserved = IPPORT_RESERVED; -+ else -+ ipport_reserved++; -+#else -+ ipport_reserved = IPPORT_RESERVED; ++ &old, &len, NULL, 0) == 0) ++ return (old + 1); +#endif -+ if (port < ipport_reserved && uid != 0) ++ return (IPPORT_RESERVED); ++} ++ + /* returns 1 if bind to specified port by specified user is permitted */ + static int + bind_permitted(int port, uid_t uid) + { + if (use_privsep) + return 1; /* allow system to decide */ +- if (port < IPPORT_RESERVED && uid != 0) ++ if (port 
< ipport_reserved() && uid != 0) return 0; return 1; } Index: head/security/openssh-portable/files/patch-ssh_config.5 =================================================================== --- head/security/openssh-portable/files/patch-ssh_config.5 (revision 555517) +++ head/security/openssh-portable/files/patch-ssh_config.5 (revision 555518) @@ -1,26 +1,27 @@ --- UTC r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines Document the FreeBSD default for CheckHostIP, which was changed in rev 1.2 of readconf.c. ---- ssh_config.5.orig 2010-08-04 21:03:13.000000000 -0600 -+++ ssh_config.5 2010-09-14 16:14:13.000000000 -0600 -@@ -377,8 +377,7 @@ or +--- ssh_config.5.orig 2020-11-16 11:53:55.871161000 -0800 ++++ ssh_config.5 2020-11-16 12:43:41.763006000 -0800 +@@ -420,8 +420,7 @@ or .Cm no . .It Cm CheckHostIP If set to -.Cm yes -(the default), +.Cm yes , .Xr ssh 1 will additionally check the host IP address in the .Pa known_hosts -@@ -390,6 +389,7 @@ in the process, regardless of the settin - .Cm StrictHostKeyChecking . +@@ -434,6 +433,8 @@ in the process, regardless of the setting of If the option is set to .Cm no , -+(the default), the check will not be executed. - .It Cm Cipher - Specifies the cipher to use for encrypting the session ++The default is ++.Cm no . + .It Cm Ciphers + Specifies the ciphers allowed and their order of preference. + Multiple ciphers must be comma-separated.
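Review bot: The new `ipport_reserved()` helper has no comment explaining the `old + 1`, which is the whole point of the function: FreeBSD's `net.inet.ip.portrange.reservedhigh` is the highest reserved port (inclusive) while `bind_permitted` compares with `<`, so the bound must be exclusive. I would add above the function `/* Exclusive upper bound of the privileged port range. On FreeBSD this follows the net.inet.ip.portrange.reservedhigh sysctl (inclusive, hence +1); elsewhere, or if the sysctl read fails, IPPORT_RESERVED is used. */`. The fallback on a failed `sysctlbyname` is silent, which is acceptable here since `bind_permitted` returns 1 unconditionally under privsep anyway, but worth stating. The added `#include` line shows no header name in this rendering — presumably `<sys/sysctl.h>` lost to markup; verify the patch file actually names it, since `sysctlbyname` has no other prototype in scope.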