3 files changed, 18 insertions, 16 deletions

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 352394002f30..8743a7918853 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	openssh
 DISTVERSION=	10.1p1
-PORTREVISION=	2
+PORTREVISION=	3
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -101,20 +101,20 @@ PATCH_SITES+=	http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
 
 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
-BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
+# BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 .  endif
 # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
 # pull from.
-GSSAPI_DEBIAN_VERSION=	10.0p1
-GSSAPI_DEBIAN_SUBDIR=	${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-8
+GSSAPI_DEBIAN_VERSION=	10.1p1
+GSSAPI_DEBIAN_SUBDIR=	${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1
 # - Debian does not use a versioned filename so we trick fetch to make one for
 # us with the ?<anything>=/ trick.
 PATCH_SITES+=	https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
 # Bump this when updating the patch location
-GSSAPI_DISTVERSION=	10.0p1
+GSSAPI_DISTVERSION=	10.1p1
 PATCHFILES+=	openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgssc.c
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-gssapi-kexgsss.c
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 20ed1e88abef..cef52e80ff85 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,3 +1,5 @@
-TIMESTAMP = 1759763325
+TIMESTAMP = 1759963002
 SHA256 (openssh-10.1p1.tar.gz) = b9fc7a2b82579467a6f2f43e4a81c8e1dfda614ddb4f9b255aafd7020bbf0758
 SIZE (openssh-10.1p1.tar.gz) = 1972831
+SHA256 (openssh-10.1p1-gsskex-all-debian-rh-10.1p1.patch) = b46e798092ea4e0653ea5e124b10a881f58b2e78a16b3e46475c52c39b725874
+SIZE (openssh-10.1p1-gsskex-all-debian-rh-10.1p1.patch) = 126336
diff --git a/security/openssh-portable/files/extra-patch-hpn-gss-glue b/security/openssh-portable/files/extra-patch-hpn-gss-glue
index 57b47e8b023a..3924a57f9d67 100644
--- a/security/openssh-portable/files/extra-patch-hpn-gss-glue
+++ b/security/openssh-portable/files/extra-patch-hpn-gss-glue
@@ -22,9 +22,9 @@
  	if (options.gss_keyex) {
  		/* Add the GSSAPI mechanisms currently supported on this
  		 * client to the key exchange algorithm proposal */
---- readconf.c.orig	2019-07-19 12:13:18.000312000 -0700
-+++ readconf.c	2019-07-19 12:13:29.614552000 -0700
-@@ -63,11 +63,11 @@
+--- readconf.c.orig	2025-10-08 15:36:47.220504000 -0700
++++ readconf.c	2025-10-08 15:38:09.729314000 -0700
+@@ -60,11 +60,11 @@
  #include "readconf.h"
  #include "match.h"
  #include "kex.h"
@@ -34,12 +34,12 @@
  #include "myproposal.h"
  #include "digest.h"
 -#include "ssh-gss.h"
+ #include "version.h"
  
  /* Format of the configuration file:
- 
---- servconf.c.orig	2019-07-19 12:14:42.078398000 -0700
-+++ servconf.c	2019-07-19 12:14:43.543687000 -0700
-@@ -54,6 +54,7 @@
+--- servconf.c.orig	2025-10-08 15:36:47.223017000 -0700
++++ servconf.c	2025-10-08 15:38:32.182178000 -0700
+@@ -56,6 +56,7 @@
  #include "sshkey.h"
  #include "kex.h"
  #include "mac.h"
@@ -47,11 +47,11 @@
  #include "match.h"
  #include "channels.h"
  #include "groupaccess.h"
-@@ -64,7 +65,6 @@
+@@ -66,7 +67,6 @@
  #include "auth.h"
  #include "myproposal.h"
  #include "digest.h"
 -#include "ssh-gss.h"
+ #include "version.h"
  
- static void add_listen_addr(ServerOptions *, const char *,
-     const char *, int);
+ #if !defined(SSHD_PAM_SERVICE)