-rw-r--r-- | security/openssh-portable/Makefile | 12 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-blacklistd | 387 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-hpn | 16 | ||||
-rw-r--r-- | security/openssh-portable/files/extra-patch-no-blocklistd-hpn-glue | 27 |
4 files changed, 241 insertions, 201 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index a92ec62232d3..d8be89255105 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
 PORTNAME= openssh
 DISTVERSION= 10.1p1
-PORTREVISION= 4
+PORTREVISION= 5
 PORTEPOCH= 1
 CATEGORIES= security
 MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -43,7 +43,7 @@ gssapi_PKGNAMESUFFIX= -portable-gssapi
 OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
 HPN KERB_GSSAPI \
 LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD
-OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F
+OPTIONS_DEFAULT= BLACKLISTD LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F
 .if ${FLAVOR:U} == hpn
 OPTIONS_DEFAULT+= HPN NONECIPHER
 .endif
@@ -100,6 +100,14 @@ ETCDIR?= ${PREFIX}/etc/ssh
 PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
 
 # Must add this patch before HPN due to conflicts
+.if !${PORT_OPTIONS:MBLACKLISTD}
+. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
+# Needed glue for applying HPN patch without conflict
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-no-blocklistd-hpn-glue
+. endif
+.endif
+
+# Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
 # BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
 . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
diff --git a/security/openssh-portable/files/extra-patch-blacklistd b/security/openssh-portable/files/extra-patch-blacklistd
index a7145e42ce9b..3118103c5d74 100644
--- a/security/openssh-portable/files/extra-patch-blacklistd
+++ b/security/openssh-portable/files/extra-patch-blacklistd
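Review bot: Putting BLACKLISTD into OPTIONS_DEFAULT makes every default build link libblacklist and compile the blacklist.c hooks, while the runtime switch the same commit adds defaults to off (`#UseBlacklist no` in the sshd_config hunk below), so no report reaches blocklistd(8) until an administrator enables it. That is the right default, but the option change is easy to misread as "blocking is now on"; a one-line comment next to OPTIONS_DEFAULT would prevent that: `# BLACKLISTD only builds the hooks; sshd reports to blocklistd(8) only when UseBlacklist is set`.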
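Review bot: The new glue block handles the !BLACKLISTD + HPN combination, but the BLACKLISTD + HPN combination now has an ordering constraint the hunk does not capture: the extra-patch-hpn sshd-session.c hunk later in this commit carries `BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");` as a context line, so extra-patch-blacklistd must be appended to EXTRA_PATCHES before extra-patch-hpn or the HPN hunk fails to apply. The line that appends extra-patch-blacklistd is outside this hunk, so I cannot confirm its position; a comment beside it would make the dependency explicit: `# Must precede extra-patch-hpn: that patch expects the BLACKLIST_NOTIFY line as context`. The glue file is named "blocklistd" while the option and config keyword say "blacklist"; one spelling across the Makefile would help grepping.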
@@ -1,9 +1,80 @@
---- blacklist.c.orig 2021-04-28 13:37:52.679784000 -0700
-+++ blacklist.c 2021-04-28 13:56:45.677805000 -0700
-@@ -0,0 +1,92 @@
+--- Makefile.in.orig 2025-10-02 12:00:00.000000000
++++ Makefile.in 2025-10-02 12:00:00.000000000
+@@ -208,6 +208,8 @@
+ FIXPATHSCMD = $(SED) $(PATHSUBS)
+ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
+ @UNSUPPORTED_ALGORITHMS@
++
++LIBSSH_OBJS+= blacklist.o
+ 
+ all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
+ 
+--- auth-pam.c.orig 2025-10-02 12:00:00.000000000
++++ auth-pam.c 2025-10-02 12:00:00.000000000
+@@ -101,6 +101,7 @@
+ #endif
+ #include "monitor_wrap.h"
+ #include "srclimit.h"
++#include "blacklist_client.h"
+ 
+ extern ServerOptions options;
+ extern struct sshbuf *loginmsg;
+@@ -936,6 +937,8 @@
+ sshbuf_free(buffer);
+ return (0);
+ }
++ BLACKLIST_NOTIFY(NULL, BLACKLIST_AUTH_FAIL,
++ "PAM illegal user");
+ error("PAM: %s for %s%.100s from %.100s", msg,
+ sshpam_authctxt->valid ? "" : "illegal user ",
+ sshpam_authctxt->user, sshpam_rhost);
+--- auth.c.orig 2025-10-02 12:00:00.000000000
++++ auth.c 2025-10-02 12:00:00.000000000
+@@ -75,6 +75,7 @@
+ #include "monitor_wrap.h"
+ #include "ssherr.h"
+ #include "channels.h"
++#include "blacklist_client.h"
+ 
+ /* import */
+ extern ServerOptions options;
+@@ -285,8 +286,12 @@
+ authmsg = "Postponed";
+ else if (partial)
+ authmsg = "Partial";
+- else
++ else {
+ authmsg = authenticated ? "Accepted" : "Failed";
++ if (authenticated)
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK,
++ "Authenticated");
++ }
+ 
+ if ((extra = format_method_key(authctxt)) == NULL) {
+ if (authctxt->auth_method_info != NULL)
+@@ -334,6 +339,7 @@
+ {
+ Authctxt *authctxt = (Authctxt *)ssh->authctxt;
+ 
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Maximum attempts exceeded");
+ error("maximum authentication attempts exceeded for "
+ "%s%.100s from %.200s port %d ssh2",
+ authctxt->valid ? "" : "invalid user ",
+@@ -494,6 +500,8 @@
+ aix_restoreauthdb();
+ #endif
+ if (pw == NULL) {
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
++ "Invalid user");
+ logit("Invalid user %.100s from %.100s port %d",
+ user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
+ #ifdef CUSTOM_FAILED_LOGIN
+--- blacklist.c.orig 2025-10-02 12:00:00.000000000
++++ blacklist.c 2025-10-02 12:00:00.000000000
+@@ -0,0 +1,97 @@
 +/*-
 + * Copyright (c) 2015 The NetBSD Foundation, Inc.
-+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
++ * Copyright (c) 2016 The FreeBSD Foundation
 + * All rights reserved.
 + *
 + * Portions of this software were developed by Kurt Lidl
@@ -48,11 +119,15 @@
 +#include "packet.h"
 +#include "log.h"
 +#include "misc.h"
++#include "servconf.h"
 +#include <blacklist.h>
 +#include "blacklist_client.h"
 +
 +static struct blacklist *blstate = NULL;
 +
++/* import */
++extern ServerOptions options;
++
 +/* internal definition from bl.h */
 +struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list));
 +
@@ -82,23 +157,24 @@
 +blacklist_init(void)
 +{
 +
-+ blstate = bl_create(false, NULL, im_log);
++ if (options.use_blacklist)
++ blstate = bl_create(false, NULL, im_log);
 +}
 +
 +void
-+blacklist_notify(int action, struct ssh *ssh, const char *msg)
++blacklist_notify(struct ssh *ssh, int action, const char *msg)
 +{
 +
 + if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh))
 + (void)blacklist_r(blstate, action,
 + ssh_packet_get_connection_in(ssh), msg);
 +}
---- blacklist_client.h.orig 2020-11-16 16:45:22.823087000 -0800
-+++ blacklist_client.h 2020-11-16 16:45:09.761962000 -0800
+--- blacklist_client.h.orig 2025-10-02 12:00:00.000000000
++++ blacklist_client.h 2025-10-02 12:00:00.000000000
 @@ -0,0 +1,61 @@
 +/*-
 + * Copyright (c) 2015 The NetBSD Foundation, Inc.
-+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
++ * Copyright (c) 2016 The FreeBSD Foundation
 + * All rights reserved.
 + *
 + * Portions of this software were developed by Kurt Lidl
@@ -143,23 +219,62 @@
 +
 +#ifdef USE_BLACKLIST
 +void blacklist_init(void);
-+void blacklist_notify(int, struct ssh *, const char *);
++void blacklist_notify(struct ssh *, int, const char *);
 +
 +#define BLACKLIST_INIT() blacklist_init()
-+#define BLACKLIST_NOTIFY(x, ssh, msg) blacklist_notify(x, ssh, msg)
++#define BLACKLIST_NOTIFY(ssh,x,msg) blacklist_notify(ssh,x,msg)
 +
 +#else
 +
 +#define BLACKLIST_INIT()
-+#define BLACKLIST_NOTIFY(x, ssh, msg)
++#define BLACKLIST_NOTIFY(ssh,x,msg)
 +
 +#endif
 +
 +
 +#endif /* BLACKLIST_CLIENT_H */
---- servconf.c.orig 2021-04-15 20:55:25.000000000 -0700
-+++ servconf.c 2021-04-28 13:36:19.591999000 -0700
-@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions *options)
+--- monitor.c.orig 2025-10-02 12:00:00.000000000
++++ monitor.c 2025-10-02 12:00:00.000000000
+@@ -85,6 +85,8 @@
+ #include "misc.h"
+ #include "servconf.h"
+ #include "monitor.h"
++#include "blacklist_client.h"
++
+ #ifdef GSSAPI
+ #include "ssh-gss.h"
+ #endif
+@@ -353,16 +355,24 @@
+ }
+ }
+ if (authctxt->failures > options.max_authtries) {
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
++ "Too many authentication attempts");
+ /* Shouldn't happen */
+ fatal_f("privsep child made too many authentication "
+ "attempts");
+ }
+ }
+ 
+- if (!authctxt->valid)
+- fatal_f("authenticated invalid user");
+- if (strcmp(auth_method, "unknown") == 0)
++ if (!authctxt->valid) {
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
++ "Authenticated invalid user");
++ fatal_f("authenticated invalid user");
++ }
++ if (strcmp(auth_method, "unknown") == 0) {
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
++ "Authentication method name unknown");
+ fatal_f("authentication method name unknown");
++ }
+ 
+ debug_f("user %s authenticated by privileged process", authctxt->user);
+ auth_attempted = 0;
+--- servconf.c.orig 2025-10-02 12:00:00.000000000
++++ servconf.c 2025-10-02 12:00:00.000000000
+@@ -186,6 +186,7 @@
  options->max_sessions = -1;
  options->banner = NULL;
  options->use_dns = -1;
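Review bot: The monitor.c hunk only reports the max-tries overflow and the two "shouldn't happen" fatal_f() paths; the ordinary per-attempt failure bookkeeping in monitor_child_preauth() — the `authctxt->failures++` that upstream keeps a few lines above this hunk, outside it — gets no BLACKLIST_AUTH_FAIL, and the earlier version of this patch reported every failed attempt there and in mm_answer_keyallowed(). As far as the hooks in this commit show, blocklistd now sees at most one failure per connection (invalid user, max tries, or the "Fatal exit" notification at disconnect) instead of one per guessed password, so a client that tries MaxAuthTries-1 passwords and reconnects needs `nfail` connections rather than `nfail` guesses to be blocked. If that weakening is unintended, restore the notification beside the counter: `if (!partial && !authenticated) { authctxt->failures++; BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Authentication failed"); }`.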
@@ -167,7 +282,7 @@
  options->client_alive_interval = -1;
  options->client_alive_count_max = -1;
  options->num_authkeys_files = 0;
-@@ -410,6 +411,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -455,6 +456,8 @@
  options->max_sessions = DEFAULT_SESSIONS_MAX;
  if (options->use_dns == -1)
  options->use_dns = 0;
@@ -176,15 +291,15 @@
  if (options->client_alive_interval == -1)
  options->client_alive_interval = 0;
  if (options->client_alive_count_max == -1)
-@@ -506,6 +509,7 @@ typedef enum {
+@@ -563,6 +566,7 @@
  sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
  sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
  sBanner, sUseDNS, sHostbasedAuthentication,
 + sUseBlacklist,
  sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
  sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
- sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
+ sPerSourcePenalties, sPerSourcePenaltyExemptList,
-@@ -642,6 +646,8 @@ static struct {
+@@ -706,6 +710,8 @@
  { "maxsessions", sMaxSessions, SSHCFG_ALL },
  { "banner", sBanner, SSHCFG_ALL },
  { "usedns", sUseDNS, SSHCFG_GLOBAL },
@@ -193,7 +308,7 @@
  { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
  { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
  { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
-@@ -1692,6 +1698,10 @@ process_server_config_line_depth(ServerOptions *option
+@@ -1788,6 +1794,10 @@
  intptr = &options->use_dns;
  goto parse_flag;
@@ -203,8 +318,8 @@
 +
  case sLogFacility:
  log_facility_ptr = &options->log_facility;
- arg = strdelim(&cp);
+ arg = argv_next(&ac, &av);
-@@ -2872,6 +2882,7 @@ dump_config(ServerOptions *o)
+@@ -3276,6 +3286,7 @@
  dump_cfg_fmtint(sCompression, o->compression);
  dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
  dump_cfg_fmtint(sUseDNS, o->use_dns);
@@ -212,9 +327,9 @@
  dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
  dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
  dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
---- servconf.h.orig 2020-11-16 15:51:00.752090000 -0800
-+++ servconf.h 2020-11-16 15:51:02.962173000 -0800
-@@ -179,6 +179,7 @@ typedef struct {
+--- servconf.h.orig 2025-10-02 12:00:00.000000000
++++ servconf.h 2025-10-02 12:00:00.000000000
+@@ -195,6 +195,7 @@
  int max_sessions;
  char *banner; /* SSH-2 banner message */
  int use_dns;
@@ -222,150 +337,61 @@ int client_alive_interval; /* * poke the client this often to * see if it's still there ---- auth-pam.c.orig 2020-11-16 15:52:45.816578000 -0800 -+++ auth-pam.c 2020-11-16 15:54:19.796583000 -0800 -@@ -105,6 +105,7 @@ extern char *__progname; - #include "ssh-gss.h" - #endif - #include "monitor_wrap.h" -+#include "blacklist_client.h" - - extern ServerOptions options; - extern struct sshbuf *loginmsg; -@@ -916,6 +917,10 @@ sshpam_query(void *ctx, char **name, char **info, - sshbuf_free(buffer); - return (0); - } -+ /* XXX: ssh context unavailable here, unclear if this is even needed. -+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, -+ the_active_state, sshpam_authctxt->user); -+ */ - error("PAM: %s for %s%.100s from %.100s", msg, - sshpam_authctxt->valid ? "" : "illegal user ", - sshpam_authctxt->user, sshpam_rhost); ---- auth.c.orig 2020-11-16 15:52:45.824171000 -0800 -+++ auth.c 2020-11-16 15:57:51.091969000 -0800 -@@ -76,6 +76,7 @@ - #include "ssherr.h" - #include "compat.h" - #include "channels.h" -+#include "blacklist_client.h" - - /* import */ - extern ServerOptions options; -@@ -331,8 +332,11 @@ auth_log(struct ssh *ssh, int authenticated, int parti - authmsg = "Postponed"; - else if (partial) - authmsg = "Partial"; -- else -+ else { - authmsg = authenticated ? 
"Accepted" : "Failed"; -+ if (authenticated) -+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, ssh, "ssh"); -+ } - - if ((extra = format_method_key(authctxt)) == NULL) { - if (authctxt->auth_method_info != NULL) -@@ -586,6 +590,7 @@ getpwnamallow(struct ssh *ssh, const char *user) - aix_restoreauthdb(); - #endif - if (pw == NULL) { -+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, user); - logit("Invalid user %.100s from %.100s port %d", - user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); - #ifdef CUSTOM_FAILED_LOGIN ---- auth2.c.orig 2020-11-16 17:10:36.772062000 -0800 -+++ auth2.c 2020-11-16 17:12:04.852943000 -0800 -@@ -58,6 +58,7 @@ - #include "monitor_wrap.h" - #include "digest.h" - #include "kex.h" -+#include "blacklist_client.h" - - /* import */ - extern ServerOptions options; -@@ -295,6 +296,7 @@ input_userauth_request(int type, u_int32_t seq, struct - } else { - /* Invalid user, fake password information */ - authctxt->pw = fakepw(); -+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, ssh, "ssh"); - #ifdef SSH_AUDIT_EVENTS - PRIVSEP(audit_event(ssh, SSH_INVALID_USER)); - #endif -@@ -448,8 +450,10 @@ userauth_finish(struct ssh *ssh, int authenticated, co - } else { - /* Allow initial try of "none" auth without failure penalty */ - if (!partial && !authctxt->server_caused_failure && -- (authctxt->attempt > 1 || strcmp(method, "none") != 0)) -+ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) { - authctxt->failures++; -+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); -+ } - if (authctxt->failures >= options.max_authtries) { - #ifdef SSH_AUDIT_EVENTS - PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES)); ---- packet.c.orig 2020-11-16 15:52:45.839070000 -0800 -+++ packet.c 2020-11-16 15:56:09.285418000 -0800 -@@ -96,6 +96,7 @@ - #include "packet.h" - #include "ssherr.h" - #include "sshbuf.h" -+#include "blacklist_client.h" - - #ifdef PACKET_DEBUG - #define DBG(x) x -@@ -1882,6 +1883,7 @@ sshpkt_vfatal(struct ssh *ssh, int r, const char *fmt, - case SSH_ERR_NO_KEX_ALG_MATCH: 
- case SSH_ERR_NO_HOSTKEY_ALG_MATCH: - if (ssh->kex && ssh->kex->failed_choice) { -+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh"); - ssh_packet_clear_keys(ssh); - errno = oerrno; - logdie("Unable to negotiate with %s: %s. " ---- sshd.c.orig 2021-08-19 21:03:49.000000000 -0700 -+++ sshd.c 2021-09-10 10:37:17.926747000 -0700 -@@ -123,6 +123,7 @@ - #include "version.h" - #include "ssherr.h" +--- sshd-session.c.orig 2025-10-02 12:00:00.000000000 ++++ sshd-session.c 2025-10-02 12:00:00.000000000 +@@ -108,6 +108,7 @@ #include "sk-api.h" -+#include "blacklist_client.h" #include "srclimit.h" #include "dh.h" ++#include "blacklist_client.h" -@@ -2225,6 +2228,9 @@ main(int ac, char **av) - if ((loginmsg = sshbuf_new()) == NULL) - fatal_f("sshbuf_new failed"); - auth_debug_reset(); + #ifdef LIBWRAP + #include <tcpd.h> +@@ -223,6 +224,8 @@ + static void + grace_alarm_handler(int sig) + { ++ BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL, ++ "Grace period expired"); + /* + * Try to kill any processes that we have spawned, E.g. authorized + * keys command helpers or privsep children. +@@ -1206,6 +1209,8 @@ + ssh_signal(SIGQUIT, SIG_DFL); + ssh_signal(SIGCHLD, SIG_DFL); + ssh_signal(SIGINT, SIG_DFL); + -+ if (options.use_blacklist) -+ BLACKLIST_INIT(); ++ BLACKLIST_INIT(); - if (use_privsep) { - if (privsep_preauth(ssh) == 1) ---- Makefile.in.orig 2022-10-03 07:51:42.000000000 -0700 -+++ Makefile.in 2022-10-09 10:50:06.401377000 -0700 -@@ -185,6 +185,8 @@ FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(S - FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \ - @UNSUPPORTED_ALGORITHMS@ + /* + * Register our connection. 
This turns encryption off because we do +@@ -1297,8 +1302,10 @@ + } -+LIBSSH_OBJS+= blacklist.o -+ - all: $(CONFIGFILES) $(MANPAGES) $(TARGETS) + if ((r = kex_exchange_identification(ssh, -1, +- options.version_addendum)) != 0) ++ options.version_addendum)) != 0) { ++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange"); + sshpkt_fatal(ssh, r, "banner exchange"); ++ } - $(LIBSSH_OBJS): Makefile.in config.h ---- sshd_config.orig 2020-11-16 16:57:14.276036000 -0800 -+++ sshd_config 2020-11-16 16:57:42.183846000 -0800 -@@ -94,6 +94,7 @@ - #PrintLastLog yes - #TCPKeepAlive yes - #PermitUserEnvironment no -+#UseBlacklist no - #Compression delayed - #ClientAliveInterval 0 - #ClientAliveCountMax 3 ---- sshd_config.5.orig 2023-12-18 15:59:50.000000000 +0100 -+++ sshd_config.5 2024-01-06 16:36:17.025742000 +0100 -@@ -1855,6 +1855,20 @@ This option may be useful in conjunction with + ssh_packet_set_nonblocking(ssh); + +@@ -1443,7 +1450,10 @@ + audit_event(the_active_state, SSH_CONNECTION_ABANDON); + #endif + /* Override default fatal exit value when auth was attempted */ +- if (i == 255 && auth_attempted) ++ if (i == 255 && auth_attempted) { ++ BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL, ++ "Fatal exit"); + _exit(EXIT_AUTH_ATTEMPTED); ++ } + _exit(i); + } +--- sshd_config.5.orig 2025-10-02 12:00:00.000000000 ++++ sshd_config.5 2025-10-02 12:00:00.000000000 +@@ -2009,6 +2009,20 @@ is to never expire connections for having no open channels. This option may be useful in conjunction with .Cm ChannelTimeout . 
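Review bot: `BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL, "Grace period expired");` is placed inside grace_alarm_handler(), a SIGALRM handler, and the blacklist_notify() → blacklist_r() path is not async-signal-safe: as far as I recall libblacklist creates and connects its socket lazily and, on error, calls the logging callback this patch registers (im_log(), which is not visible here but presumably wraps do_log()/syslog()). Running non-reentrant code from exactly this handler is what CVE-2024-6387 (regreSSHion) exploited, and upstream stripped the handler down to kill() plus _exit() for that reason; the handler's body continues outside the hunk. Drop this call; if a grace-time expiry must be reported to blocklistd it needs a non-signal path, which is not trivial because blocklistd wants the connection fd the listener no longer holds. The companion hook in cleanup_exit() is acceptable only on the premise that cleanup_exit() is never entered from a signal handler, which holds for upstream since 9.8 but is worth a one-line comment at that call site.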
@@ -386,34 +412,13 @@
 .It Cm UseDNS
 Specifies whether
 .Xr sshd 8
---- monitor.c.orig 2020-11-16 17:24:03.457283000 -0800
-+++ monitor.c 2020-11-16 17:25:57.642510000 -0800
-@@ -96,6 +96,7 @@
- #include "match.h"
- #include "ssherr.h"
- #include "sk-api.h"
-+#include "blacklist_client.h"
+--- sshd_config.orig 2025-10-02 12:00:00.000000000
++++ sshd_config 2025-10-02 12:00:00.000000000
+@@ -102,6 +102,7 @@
+ #MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
++#UseBlacklist no
+ #VersionAddendum none
  
- #ifdef GSSAPI
- static Gssctxt *gsscontext = NULL;
-@@ -342,8 +343,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor
- if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
- auth_log(ssh, authenticated, partial,
- auth_method, auth_submethod);
-- if (!partial && !authenticated)
-+ if (!partial && !authenticated) {
- authctxt->failures++;
-+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL,
-+ ssh, "ssh");
-+ }
- if (authenticated || partial) {
- auth2_update_session_info(authctxt,
- auth_method, auth_submethod);
-@@ -1228,6 +1232,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct
- } else {
- /* Log failed attempt */
- auth_log(ssh, 0, 0, auth_method, NULL);
-+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, ssh, "ssh");
- free(cuser);
- free(chost);
- }
+ # no default banner path
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index 412cc576fb7c..a4df93cc2186 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -1233,17 +1233,17 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
 /*
 * Create a new session and process group since the 4.4BSD
 * setlogin() affects the entire process group. We don't
---- work.clean/openssh-9.8p1/sshd-session.c.orig 2024-07-01 13:54:25.745441000 -0700
-+++ work/openssh-9.8p1/sshd-session.c 2024-07-01 13:54:57.335695000 -0700
-@@ -1305,7 +1305,7 @@ main(int ac, char **av)
- alarm(options.login_grace_time);
+--- work/openssh/sshd-session.c.orig 2025-10-11 10:19:18.935826000 -0700
++++ work/openssh/sshd-session.c 2025-10-11 10:20:11.460279000 -0700
+@@ -1281,7 +1281,7 @@ main(int ac, char **av)
+ }
  
  if ((r = kex_exchange_identification(ssh, -1,
-- options.version_addendum)) != 0)
-+ options.version_addendum, options.hpn_disabled)) != 0)
+- options.version_addendum)) != 0) {
++ options.version_addendum, options.hpn_disabled)) != 0) {
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");
  sshpkt_fatal(ssh, r, "banner exchange");
- 
- ssh_packet_set_nonblocking(ssh);
+ }
 --- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500
 +++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500
 @@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys
diff --git a/security/openssh-portable/files/extra-patch-no-blocklistd-hpn-glue b/security/openssh-portable/files/extra-patch-no-blocklistd-hpn-glue
new file mode 100644
index 000000000000..1059f57cc88b
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-no-blocklistd-hpn-glue
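Review bot: The refreshed sshd-session.c hunk now carries `BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");` as a context line, which silently turns extra-patch-hpn into a patch that applies only after extra-patch-blacklistd or the new glue patch has been applied. Nothing in this file records that dependency, and the patch file itself is not a good place for a comment since patch(1) warns on stray lines between sections; the Makefile line that appends extra-patch-hpn should say so, e.g. `# extra-patch-hpn expects the BLACKLIST_NOTIFY context line: apply extra-patch-blacklistd or the glue first`.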
@@ -0,0 +1,27 @@
+--- sshd-session.c.orig 2025-10-11 10:16:00.048273000 -0700
++++ sshd-session.c 2025-10-11 10:16:02.937735000 -0700
+@@ -149,6 +149,12 @@ static int have_agent = 0;
+ /* Daemon's agent connection */
+ int auth_sock = -1;
+ static int have_agent = 0;
++
++/*
++ * This is compiled WITHOUT blocklistd support. This is done for patch
++ * glue in ports.
++ */
++#define BLACKLIST_NOTIFY(...)
+ 
+ /*
+ * Any really sensitive data in the application is contained in this
+@@ -1275,8 +1281,10 @@ main(int ac, char **av)
+ }
+ 
+ if ((r = kex_exchange_identification(ssh, -1,
+- options.version_addendum)) != 0)
++ options.version_addendum)) != 0) {
++ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");
+ sshpkt_fatal(ssh, r, "banner exchange");
++ }
+ 
+ ssh_packet_set_nonblocking(ssh);
+ 
|
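Review bot: The glue defines the no-op as the variadic `#define BLACKLIST_NOTIFY(...)`, while the `#else` branch of blacklist_client.h earlier in this commit uses the fixed-arity `#define BLACKLIST_NOTIFY(ssh,x,msg)`; using the same three-argument form here keeps the two no-op definitions interchangeable and lets the compiler reject a wrong argument count even in the non-BLACKLISTD build. The comment says "blocklistd" whereas the port option, the UseBlacklist keyword and the header all say "blacklist"; since the file name already carries the other spelling, `compiled WITHOUT blacklistd (blocklistd) support` in the comment would at least make both greps hit.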