security/openssh-portable: Sync blocklist with base, include by default.

The patch is included by default in base as well. It remains
off by default though.

Added glue for HPN patch to apply.

Reviewed By:		bdrewery
Differential Revision:	https://reviews.freebsd.org/D52880
PR:			280203

4 files changed, 241 insertions, 201 deletions

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index a92ec62232d3..d8be89255105 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	openssh
 DISTVERSION=	10.1p1
-PORTREVISION=	4
+PORTREVISION=	5
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -43,7 +43,7 @@ gssapi_PKGNAMESUFFIX=		-portable-gssapi
 OPTIONS_DEFINE=		DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN KERB_GSSAPI \
 			LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD
-OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F
+OPTIONS_DEFAULT=	BLACKLISTD LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F
 .if ${FLAVOR:U} == hpn
 OPTIONS_DEFAULT+=	HPN NONECIPHER
 .endif
@@ -100,6 +100,14 @@ ETCDIR?=		${PREFIX}/etc/ssh
 PATCH_SITES+=	http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
 
 # Must add this patch before HPN due to conflicts
+.if !${PORT_OPTIONS:MBLACKLISTD}
+.  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
+# Needed glue for applying HPN patch without conflict
+EXTRA_PATCHES+=	${FILESDIR}/extra-patch-no-blocklistd-hpn-glue
+.  endif
+.endif
+
+# Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
 # BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
diff --git a/security/openssh-portable/files/extra-patch-blacklistd b/security/openssh-portable/files/extra-patch-blacklistd
index a7145e42ce9b..3118103c5d74 100644
--- a/security/openssh-portable/files/extra-patch-blacklistd
+++ b/security/openssh-portable/files/extra-patch-blacklistd
@@ -1,9 +1,80 @@
---- blacklist.c.orig	2021-04-28 13:37:52.679784000 -0700
-+++ blacklist.c	2021-04-28 13:56:45.677805000 -0700
-@@ -0,0 +1,92 @@
+--- Makefile.in.orig	2025-10-02 12:00:00.000000000
++++ Makefile.in	2025-10-02 12:00:00.000000000
+@@ -208,6 +208,8 @@
+ FIXPATHSCMD	= $(SED) $(PATHSUBS)
+ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
+ 		     @UNSUPPORTED_ALGORITHMS@
++
++LIBSSH_OBJS+=	blacklist.o
+ 
+ all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
+ 
+--- auth-pam.c.orig	2025-10-02 12:00:00.000000000
++++ auth-pam.c	2025-10-02 12:00:00.000000000
+@@ -101,6 +101,7 @@
+ #endif
+ #include "monitor_wrap.h"
+ #include "srclimit.h"
++#include "blacklist_client.h"
+ 
+ extern ServerOptions options;
+ extern struct sshbuf *loginmsg;
+@@ -936,6 +937,8 @@
+ 				sshbuf_free(buffer);
+ 				return (0);
+ 			}
++			BLACKLIST_NOTIFY(NULL, BLACKLIST_AUTH_FAIL,
++			    "PAM illegal user");
+ 			error("PAM: %s for %s%.100s from %.100s", msg,
+ 			    sshpam_authctxt->valid ? "" : "illegal user ",
+ 			    sshpam_authctxt->user, sshpam_rhost);
+--- auth.c.orig	2025-10-02 12:00:00.000000000
++++ auth.c	2025-10-02 12:00:00.000000000
+@@ -75,6 +75,7 @@
+ #include "monitor_wrap.h"
+ #include "ssherr.h"
+ #include "channels.h"
++#include "blacklist_client.h"
+ 
+ /* import */
+ extern ServerOptions options;
+@@ -285,8 +286,12 @@
+ 		authmsg = "Postponed";
+ 	else if (partial)
+ 		authmsg = "Partial";
+-	else
++	else {
+ 		authmsg = authenticated ? "Accepted" : "Failed";
++		if (authenticated)
++			BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK,
++			    "Authenticated");
++	}
+ 
+ 	if ((extra = format_method_key(authctxt)) == NULL) {
+ 		if (authctxt->auth_method_info != NULL)
+@@ -334,6 +339,7 @@
+ {
+ 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
+ 
++	BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Maximum attempts exceeded");
+ 	error("maximum authentication attempts exceeded for "
+ 	    "%s%.100s from %.200s port %d ssh2",
+ 	    authctxt->valid ? "" : "invalid user ",
+@@ -494,6 +500,8 @@
+ 	aix_restoreauthdb();
+ #endif
+ 	if (pw == NULL) {
++		BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
++		    "Invalid user");
+ 		logit("Invalid user %.100s from %.100s port %d",
+ 		    user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
+ #ifdef CUSTOM_FAILED_LOGIN
+--- blacklist.c.orig	2025-10-02 12:00:00.000000000
++++ blacklist.c	2025-10-02 12:00:00.000000000
+@@ -0,0 +1,97 @@
 +/*-
 + * Copyright (c) 2015 The NetBSD Foundation, Inc.
-+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
++ * Copyright (c) 2016 The FreeBSD Foundation
 + * All rights reserved.
 + *
 + * Portions of this software were developed by Kurt Lidl
@@ -48,11 +119,15 @@
 +#include "packet.h"
 +#include "log.h"
 +#include "misc.h"
++#include "servconf.h"
 +#include <blacklist.h>
 +#include "blacklist_client.h"
 +
 +static struct blacklist *blstate = NULL;
 +
++/* import */
++extern ServerOptions options;
++
 +/* internal definition from bl.h */
 +struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list));
 +
@@ -82,23 +157,24 @@
 +blacklist_init(void)
 +{
 +
-+	blstate = bl_create(false, NULL, im_log);
++	if (options.use_blacklist)
++		blstate = bl_create(false, NULL, im_log);
 +}
 +
 +void
-+blacklist_notify(int action, struct ssh *ssh, const char *msg)
++blacklist_notify(struct ssh *ssh, int action, const char *msg)
 +{
 +
 +	if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh))
 +		(void)blacklist_r(blstate, action,
 +		ssh_packet_get_connection_in(ssh), msg);
 +}
---- blacklist_client.h.orig	2020-11-16 16:45:22.823087000 -0800
-+++ blacklist_client.h	2020-11-16 16:45:09.761962000 -0800
+--- blacklist_client.h.orig	2025-10-02 12:00:00.000000000
++++ blacklist_client.h	2025-10-02 12:00:00.000000000
 @@ -0,0 +1,61 @@
 +/*-
 + * Copyright (c) 2015 The NetBSD Foundation, Inc.
-+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
++ * Copyright (c) 2016 The FreeBSD Foundation
 + * All rights reserved.
 + *
 + * Portions of this software were developed by Kurt Lidl
@@ -143,23 +219,62 @@
 +
 +#ifdef USE_BLACKLIST
 +void blacklist_init(void);
-+void blacklist_notify(int, struct ssh *, const char *);
++void blacklist_notify(struct ssh *, int, const char *);
 +
 +#define BLACKLIST_INIT() blacklist_init()
-+#define BLACKLIST_NOTIFY(x, ssh, msg) blacklist_notify(x, ssh, msg)
++#define BLACKLIST_NOTIFY(ssh,x,msg) blacklist_notify(ssh,x,msg)
 +
 +#else
 +
 +#define BLACKLIST_INIT()
-+#define BLACKLIST_NOTIFY(x, ssh, msg)
++#define BLACKLIST_NOTIFY(ssh,x,msg)
 +
 +#endif
 +
 +
 +#endif /* BLACKLIST_CLIENT_H */
---- servconf.c.orig	2021-04-15 20:55:25.000000000 -0700
-+++ servconf.c	2021-04-28 13:36:19.591999000 -0700
-@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options)
+--- monitor.c.orig	2025-10-02 12:00:00.000000000
++++ monitor.c	2025-10-02 12:00:00.000000000
+@@ -85,6 +85,8 @@
+ #include "misc.h"
+ #include "servconf.h"
+ #include "monitor.h"
++#include "blacklist_client.h"
++
+ #ifdef GSSAPI
+ #include "ssh-gss.h"
+ #endif
+@@ -353,16 +355,24 @@
+ 			}
+ 		}
+ 		if (authctxt->failures > options.max_authtries) {
++			BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
++			    "Too many authentication attempts");
+ 			/* Shouldn't happen */
+ 			fatal_f("privsep child made too many authentication "
+ 			    "attempts");
+ 		}
+ 	}
+ 
+-	if (!authctxt->valid)
+-		fatal_f("authenticated invalid user");
+-	if (strcmp(auth_method, "unknown") == 0)
++	if (!authctxt->valid) {
++		BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
++		    "Authenticated invalid user");
++		fatal_f("authenticated invalid user");
++	}
++	if (strcmp(auth_method, "unknown") == 0) {
++		BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
++		    "Authentication method name unknown");
+ 		fatal_f("authentication method name unknown");
++	}
+ 
+ 	debug_f("user %s authenticated by privileged process", authctxt->user);
+ 	auth_attempted = 0;
+--- servconf.c.orig	2025-10-02 12:00:00.000000000
++++ servconf.c	2025-10-02 12:00:00.000000000
+@@ -186,6 +186,7 @@
  	options->max_sessions = -1;
  	options->banner = NULL;
  	options->use_dns = -1;
@@ -167,7 +282,7 @@
  	options->client_alive_interval = -1;
  	options->client_alive_count_max = -1;
  	options->num_authkeys_files = 0;
-@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -455,6 +456,8 @@
  		options->max_sessions = DEFAULT_SESSIONS_MAX;
  	if (options->use_dns == -1)
  		options->use_dns = 0;
@@ -176,15 +291,15 @@
  	if (options->client_alive_interval == -1)
  		options->client_alive_interval = 0;
  	if (options->client_alive_count_max == -1)
-@@ -506,6 +509,7 @@ typedef enum {
+@@ -563,6 +566,7 @@
  	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
  	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
  	sBanner, sUseDNS, sHostbasedAuthentication,
 +	sUseBlacklist,
  	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
  	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
- 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-@@ -642,6 +646,8 @@ static struct {
+ 	sPerSourcePenalties, sPerSourcePenaltyExemptList,
+@@ -706,6 +710,8 @@
  	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
  	{ "banner", sBanner, SSHCFG_ALL },
  	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
@@ -193,7 +308,7 @@
  	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
  	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
  	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
-@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option
+@@ -1788,6 +1794,10 @@
  		intptr = &options->use_dns;
  		goto parse_flag;
  
@@ -203,8 +318,8 @@
 +
  	case sLogFacility:
  		log_facility_ptr = &options->log_facility;
- 		arg = strdelim(&cp);
-@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o)
+ 		arg = argv_next(&ac, &av);
+@@ -3276,6 +3286,7 @@
  	dump_cfg_fmtint(sCompression, o->compression);
  	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
  	dump_cfg_fmtint(sUseDNS, o->use_dns);
@@ -212,9 +327,9 @@
  	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
  	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
  	dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
---- servconf.h.orig	2020-11-16 15:51:00.752090000 -0800
-+++ servconf.h	2020-11-16 15:51:02.962173000 -0800
-@@ -179,6 +179,7 @@ typedef struct {
+--- servconf.h.orig	2025-10-02 12:00:00.000000000
++++ servconf.h	2025-10-02 12:00:00.000000000
+@@ -195,6 +195,7 @@
  	int	max_sessions;
  	char   *banner;			/* SSH-2 banner message */
  	int	use_dns;
@@ -222,150 +337,61 @@
  	int	client_alive_interval;	/*
  					 * poke the client this often to
  					 * see if it's still there
---- auth-pam.c.orig	2020-11-16 15:52:45.816578000 -0800
-+++ auth-pam.c	2020-11-16 15:54:19.796583000 -0800
-@@ -105,6 +105,7 @@ extern char *__progname;
- #include "ssh-gss.h"
- #endif
- #include "monitor_wrap.h"
-+#include "blacklist_client.h"
- 
- extern ServerOptions options;
- extern struct sshbuf *loginmsg;
-@@ -916,6 +917,10 @@ sshpam_query(void *ctx, char **name, char **info,
- 				sshbuf_free(buffer);
- 				return (0);
- 			}
-+			/* XXX: ssh context unavailable here, unclear if this is even needed.
-+			BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
-+			    the_active_state, sshpam_authctxt->user);
-+			*/
- 			error("PAM: %s for %s%.100s from %.100s", msg,
- 			    sshpam_authctxt->valid ? "" : "illegal user ",
- 			    sshpam_authctxt->user, sshpam_rhost);
---- auth.c.orig	2020-11-16 15:52:45.824171000 -0800
-+++ auth.c	2020-11-16 15:57:51.091969000 -0800
-@@ -76,6 +76,7 @@
- #include "ssherr.h"
- #include "compat.h"
- #include "channels.h"
-+#include "blacklist_client.h"
- 
- /* import */
- extern ServerOptions options;
-@@ -331,8 +332,11 @@ auth_log(struct ssh *ssh, int authenticated, int parti
- 		authmsg = "Postponed";
- 	else if (partial)
- 		authmsg = "Partial";
--	else
-+	else {
- 		authmsg = authenticated ? "Accepted" : "Failed";
-+		if (authenticated)
-+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, ssh, "ssh");
-+	}
- 
- 	if ((extra = format_method_key(authctxt)) == NULL) {
- 		if (authctxt->auth_method_info != NULL)
-@@ -586,6 +590,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
- 	aix_restoreauthdb();
- #endif
- 	if (pw == NULL) {
-+		BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, user);
- 		logit("Invalid user %.100s from %.100s port %d",
- 		    user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
- #ifdef CUSTOM_FAILED_LOGIN
---- auth2.c.orig	2020-11-16 17:10:36.772062000 -0800
-+++ auth2.c	2020-11-16 17:12:04.852943000 -0800
-@@ -58,6 +58,7 @@
- #include "monitor_wrap.h"
- #include "digest.h"
- #include "kex.h"
-+#include "blacklist_client.h"
- 
- /* import */
- extern ServerOptions options;
-@@ -295,6 +296,7 @@ input_userauth_request(int type, u_int32_t seq, struct
- 		} else {
- 			/* Invalid user, fake password information */
- 			authctxt->pw = fakepw();
-+			BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh");
- #ifdef SSH_AUDIT_EVENTS
- 			PRIVSEP(audit_event(ssh, SSH_INVALID_USER));
- #endif
-@@ -448,8 +450,10 @@ userauth_finish(struct ssh *ssh, int authenticated, co
- 	} else {
- 		/* Allow initial try of "none" auth without failure penalty */
- 		if (!partial && !authctxt->server_caused_failure &&
--		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
-+		    (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
- 			authctxt->failures++;
-+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
-+		}
- 		if (authctxt->failures >= options.max_authtries) {
- #ifdef SSH_AUDIT_EVENTS
- 			PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
---- packet.c.orig	2020-11-16 15:52:45.839070000 -0800
-+++ packet.c	2020-11-16 15:56:09.285418000 -0800
-@@ -96,6 +96,7 @@
- #include "packet.h"
- #include "ssherr.h"
- #include "sshbuf.h"
-+#include "blacklist_client.h"
- 
- #ifdef PACKET_DEBUG
- #define DBG(x) x
-@@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt,
- 	case SSH_ERR_NO_KEX_ALG_MATCH:
- 	case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
- 		if (ssh->kex && ssh->kex->failed_choice) {
-+			BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
- 			ssh_packet_clear_keys(ssh);
- 			errno = oerrno;
- 			logdie("Unable to negotiate with %s: %s. "
---- sshd.c.orig	2021-08-19 21:03:49.000000000 -0700
-+++ sshd.c	2021-09-10 10:37:17.926747000 -0700
-@@ -123,6 +123,7 @@
- #include "version.h"
- #include "ssherr.h"
+--- sshd-session.c.orig	2025-10-02 12:00:00.000000000
++++ sshd-session.c	2025-10-02 12:00:00.000000000
+@@ -108,6 +108,7 @@
  #include "sk-api.h"
-+#include "blacklist_client.h"
  #include "srclimit.h"
  #include "dh.h"
++#include "blacklist_client.h"
  
-@@ -2225,6 +2228,9 @@ main(int ac, char **av)
- 	if ((loginmsg = sshbuf_new()) == NULL)
- 		fatal_f("sshbuf_new failed");
- 	auth_debug_reset();
+ #ifdef LIBWRAP
+ #include <tcpd.h>
+@@ -223,6 +224,8 @@
+ static void
+ grace_alarm_handler(int sig)
+ {
++	BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL,
++	    "Grace period expired");
+ 	/*
+ 	 * Try to kill any processes that we have spawned, E.g. authorized
+ 	 * keys command helpers or privsep children.
+@@ -1206,6 +1209,8 @@
+ 	ssh_signal(SIGQUIT, SIG_DFL);
+ 	ssh_signal(SIGCHLD, SIG_DFL);
+ 	ssh_signal(SIGINT, SIG_DFL);
 +
-+	if (options.use_blacklist)
-+		BLACKLIST_INIT();
++	BLACKLIST_INIT();
  
- 	if (use_privsep) {
- 		if (privsep_preauth(ssh) == 1)
---- Makefile.in.orig	2022-10-03 07:51:42.000000000 -0700
-+++ Makefile.in	2022-10-09 10:50:06.401377000 -0700
-@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S
- FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
- 		     @UNSUPPORTED_ALGORITHMS@
+ 	/*
+ 	 * Register our connection.  This turns encryption off because we do
+@@ -1297,8 +1302,10 @@
+ 	}
  
-+LIBSSH_OBJS+=	blacklist.o
-+
- all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
+ 	if ((r = kex_exchange_identification(ssh, -1,
+-	    options.version_addendum)) != 0)
++	    options.version_addendum)) != 0) {
++		BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");
+ 		sshpkt_fatal(ssh, r, "banner exchange");
++	}
  
- $(LIBSSH_OBJS): Makefile.in config.h
---- sshd_config.orig	2020-11-16 16:57:14.276036000 -0800
-+++ sshd_config	2020-11-16 16:57:42.183846000 -0800
-@@ -94,6 +94,7 @@
- #PrintLastLog yes
- #TCPKeepAlive yes
- #PermitUserEnvironment no
-+#UseBlacklist no
- #Compression delayed
- #ClientAliveInterval 0
- #ClientAliveCountMax 3
---- sshd_config.5.orig  2023-12-18 15:59:50.000000000 +0100
-+++ sshd_config.5       2024-01-06 16:36:17.025742000 +0100
-@@ -1855,6 +1855,20 @@ This option may be useful in conjunction with
+ 	ssh_packet_set_nonblocking(ssh);
+ 
+@@ -1443,7 +1450,10 @@
+ 		audit_event(the_active_state, SSH_CONNECTION_ABANDON);
+ #endif
+ 	/* Override default fatal exit value when auth was attempted */
+-	if (i == 255 && auth_attempted)
++	if (i == 255 && auth_attempted) {
++		BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL,
++		    "Fatal exit");
+ 		_exit(EXIT_AUTH_ATTEMPTED);
++	}
+ 	_exit(i);
+ }
+--- sshd_config.5.orig	2025-10-02 12:00:00.000000000
++++ sshd_config.5	2025-10-02 12:00:00.000000000
+@@ -2009,6 +2009,20 @@
  is to never expire connections for having no open channels.
  This option may be useful in conjunction with
  .Cm ChannelTimeout .
@@ -386,34 +412,13 @@
  .It Cm UseDNS
  Specifies whether
  .Xr sshd 8
---- monitor.c.orig	2020-11-16 17:24:03.457283000 -0800
-+++ monitor.c	2020-11-16 17:25:57.642510000 -0800
-@@ -96,6 +96,7 @@
- #include "match.h"
- #include "ssherr.h"
- #include "sk-api.h"
-+#include "blacklist_client.h"
+--- sshd_config.orig	2025-10-02 12:00:00.000000000
++++ sshd_config	2025-10-02 12:00:00.000000000
+@@ -102,6 +102,7 @@
+ #MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
++#UseBlacklist no
+ #VersionAddendum none
  
- #ifdef GSSAPI
- static Gssctxt *gsscontext = NULL;
-@@ -342,8 +343,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor 
- 		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
- 			auth_log(ssh, authenticated, partial,
- 			    auth_method, auth_submethod);
--			if (!partial && !authenticated)
-+			if (!partial && !authenticated) {
- 				authctxt->failures++;
-+				BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL,
-+				    ssh, "ssh");
-+			}
- 			if (authenticated || partial) {
- 				auth2_update_session_info(authctxt,
- 				    auth_method, auth_submethod);
-@@ -1228,6 +1232,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct
- 	} else {
- 		/* Log failed attempt */
- 		auth_log(ssh, 0, 0, auth_method, NULL);
-+		BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
- 		free(cuser);
- 		free(chost);
- 	}
+ # no default banner path
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index 412cc576fb7c..a4df93cc2186 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -1233,17 +1233,17 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
  	/*
  	 * Create a new session and process group since the 4.4BSD
  	 * setlogin() affects the entire process group.  We don't
---- work.clean/openssh-9.8p1/sshd-session.c.orig	2024-07-01 13:54:25.745441000 -0700
-+++ work/openssh-9.8p1/sshd-session.c	2024-07-01 13:54:57.335695000 -0700
-@@ -1305,7 +1305,7 @@ main(int ac, char **av)
- 		alarm(options.login_grace_time);
+--- work/openssh/sshd-session.c.orig	2025-10-11 10:19:18.935826000 -0700
++++ work/openssh/sshd-session.c	2025-10-11 10:20:11.460279000 -0700
+@@ -1281,7 +1281,7 @@ main(int ac, char **av)
+ 	}
  
  	if ((r = kex_exchange_identification(ssh, -1,
--	    options.version_addendum)) != 0)
-+	    options.version_addendum, options.hpn_disabled)) != 0)
+-	    options.version_addendum)) != 0) {
++	    options.version_addendum, options.hpn_disabled)) != 0) {
+ 		BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");
  		sshpkt_fatal(ssh, r, "banner exchange");
- 
- 	ssh_packet_set_nonblocking(ssh);
+ 	}
 --- work.clean/openssh-6.8p1/sshd_config	2015-04-01 22:07:18.248858000 -0500
 +++ work/openssh-6.8p1/sshd_config	2015-04-01 22:16:49.932279000 -0500
 @@ -111,6 +111,20 @@ AuthorizedKeysFile	.ssh/authorized_keys
diff --git a/security/openssh-portable/files/extra-patch-no-blocklistd-hpn-glue b/security/openssh-portable/files/extra-patch-no-blocklistd-hpn-glue
new file mode 100644
index 000000000000..1059f57cc88b
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-no-blocklistd-hpn-glue
@@ -0,0 +1,27 @@
+--- sshd-session.c.orig	2025-10-11 10:16:00.048273000 -0700
++++ sshd-session.c	2025-10-11 10:16:02.937735000 -0700
+@@ -149,6 +149,12 @@ static int have_agent = 0;
+ /* Daemon's agent connection */
+ int auth_sock = -1;
+ static int have_agent = 0;
++
++/*
++ * This is compiled WITHOUT blocklistd support. This is done for patch
++ * glue in ports.
++ */
++#define BLACKLIST_NOTIFY(...)
+ 
+ /*
+  * Any really sensitive data in the application is contained in this
+@@ -1275,8 +1281,10 @@ main(int ac, char **av)
+ 	}
+ 
+ 	if ((r = kex_exchange_identification(ssh, -1,
+-	    options.version_addendum)) != 0)
++	    options.version_addendum)) != 0) {
++		BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");
+ 		sshpkt_fatal(ssh, r, "banner exchange");
++	}
+ 
+ 	ssh_packet_set_nonblocking(ssh);
+