78 files changed, 1382 insertions, 144 deletions

diff --git a/app-admin/clustershell/clustershell-1.9.ebuild b/app-admin/clustershell/clustershell-1.9-r1.ebuild
index 70fb3e30d7c4..3db2252a56af 100644
--- a/app-admin/clustershell/clustershell-1.9.ebuild
+++ b/app-admin/clustershell/clustershell-1.9-r1.ebuild
@@ -23,7 +23,7 @@ KEYWORDS="amd64 ~x86"
 BDEPEND="
 	test? (
 		app-shells/pdsh
-		net-misc/openssh
+		virtual/openssh
 		sys-devel/bc
 	)
 "
diff --git a/app-admin/clustershell/clustershell-1.9.1.ebuild b/app-admin/clustershell/clustershell-1.9.1-r1.ebuild
index c76aac7a51c5..35edb6bc3fb3 100644
--- a/app-admin/clustershell/clustershell-1.9.1.ebuild
+++ b/app-admin/clustershell/clustershell-1.9.1-r1.ebuild
@@ -23,7 +23,7 @@ KEYWORDS="amd64 ~x86"
 BDEPEND="
 	test? (
 		app-shells/pdsh
-		net-misc/openssh
+		virtual/openssh
 		sys-devel/bc
 	)
 "
diff --git a/app-admin/lnav/lnav-0.11.1-r1.ebuild b/app-admin/lnav/lnav-0.11.1-r2.ebuild
index 5889cf19ccf9..18fee38a20e9 100644
--- a/app-admin/lnav/lnav-0.11.1-r1.ebuild
+++ b/app-admin/lnav/lnav-0.11.1-r2.ebuild
@@ -28,7 +28,7 @@ RDEPEND="
 # The tests use ssh-keygen and use dsa and rsa keys (which is why ssl is required)
 DEPEND="${RDEPEND}
 	test? (
-		net-misc/openssh[ssl]
+		virtual/openssh[ssl]
 		dev-cpp/doctest
 	)"
 
diff --git a/app-backup/amanda/amanda-3.5.1-r4.ebuild b/app-backup/amanda/amanda-3.5.1-r5.ebuild
index af53d4e00d12..77330631d602 100644
--- a/app-backup/amanda/amanda-3.5.1-r4.ebuild
+++ b/app-backup/amanda/amanda-3.5.1-r5.ebuild
@@ -23,7 +23,7 @@ DEPEND="
 	dev-lang/perl:=
 	dev-perl/Encode-Locale
 	dev-perl/JSON
-	net-misc/openssh
+	virtual/openssh
 	sys-libs/readline:=
 	app-alternatives/awk
 	kerberos? ( app-crypt/mit-krb5 )
diff --git a/app-backup/backintime/backintime-1.3.2.ebuild b/app-backup/backintime/backintime-1.3.2-r1.ebuild
index a35a72e17754..6eb50a6b1a7d 100644
--- a/app-backup/backintime/backintime-1.3.2.ebuild
+++ b/app-backup/backintime/backintime-1.3.2-r1.ebuild
@@ -23,7 +23,7 @@ DEPEND="${PYTHON_DEPS}
 		dev-python/keyring[${PYTHON_USEDEP}]
 	')"
 RDEPEND="${DEPEND}
-	net-misc/openssh
+	virtual/openssh
 	net-misc/rsync[xattr,acl]
 	qt5? ( dev-python/PyQt5[gui,widgets] )"
 BDEPEND="sys-devel/gettext"
diff --git a/app-backup/backintime/backintime-1.3.3.ebuild b/app-backup/backintime/backintime-1.3.3-r1.ebuild
index a70aead66652..4168adaf8d16 100644
--- a/app-backup/backintime/backintime-1.3.3.ebuild
+++ b/app-backup/backintime/backintime-1.3.3-r1.ebuild
@@ -33,7 +33,7 @@ DEPEND="
 "
 RDEPEND="
 	${DEPEND}
-	net-misc/openssh
+	virtual/openssh
 	net-misc/rsync[xattr,acl]
 	qt5? ( dev-python/PyQt5[gui,widgets] )
 "
diff --git a/app-backup/backintime/backintime-9999.ebuild b/app-backup/backintime/backintime-9999.ebuild
index f5d3483dd04a..70b61fb635db 100644
--- a/app-backup/backintime/backintime-9999.ebuild
+++ b/app-backup/backintime/backintime-9999.ebuild
@@ -33,7 +33,7 @@ DEPEND="
 "
 RDEPEND="
 	${DEPEND}
-	net-misc/openssh
+	virtual/openssh
 	net-misc/rsync[xattr,acl]
 	qt5? ( dev-python/PyQt5[gui,widgets] )
 "
diff --git a/app-backup/btrbk/btrbk-0.31.2.ebuild b/app-backup/btrbk/btrbk-0.31.2-r1.ebuild
index 2c8a405a719a..ea8c728c5fd7 100644
--- a/app-backup/btrbk/btrbk-0.31.2.ebuild
+++ b/app-backup/btrbk/btrbk-0.31.2-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -23,7 +23,7 @@ IUSE="+mbuffer +doc +lsbtr"
 DEPEND="doc? ( >=dev-ruby/asciidoctor-1.5.7 )"
 
 RDEPEND="dev-lang/perl
-	net-misc/openssh
+	virtual/openssh
 	mbuffer? ( >=sys-block/mbuffer-20180505 )
 	sys-fs/btrfs-progs"
 
diff --git a/app-backup/btrbk/btrbk-0.32.6.ebuild b/app-backup/btrbk/btrbk-0.32.6-r1.ebuild
index 751ed2dd6a2e..0fa19175e32b 100644
--- a/app-backup/btrbk/btrbk-0.32.6.ebuild
+++ b/app-backup/btrbk/btrbk-0.32.6-r1.ebuild
@@ -23,7 +23,7 @@ IUSE="+mbuffer +doc +lsbtr"
 DEPEND="doc? ( >=dev-ruby/asciidoctor-1.5.7 )"
 
 RDEPEND="dev-lang/perl
-	net-misc/openssh
+	virtual/openssh
 	mbuffer? ( >=sys-block/mbuffer-20180505 )
 	>=sys-fs/btrfs-progs-4.12"
 
diff --git a/app-backup/btrbk/btrbk-9999.ebuild b/app-backup/btrbk/btrbk-9999.ebuild
index f75978a45363..0fa19175e32b 100644
--- a/app-backup/btrbk/btrbk-9999.ebuild
+++ b/app-backup/btrbk/btrbk-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -23,7 +23,7 @@ IUSE="+mbuffer +doc +lsbtr"
 DEPEND="doc? ( >=dev-ruby/asciidoctor-1.5.7 )"
 
 RDEPEND="dev-lang/perl
-	net-misc/openssh
+	virtual/openssh
 	mbuffer? ( >=sys-block/mbuffer-20180505 )
 	>=sys-fs/btrfs-progs-4.12"
 
diff --git a/app-backup/cdbkup/cdbkup-1.0-r4.ebuild b/app-backup/cdbkup/cdbkup-1.0-r5.ebuild
index c7d7b9066e0e..fae37cbdd39a 100644
--- a/app-backup/cdbkup/cdbkup-1.0-r4.ebuild
+++ b/app-backup/cdbkup/cdbkup-1.0-r5.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -13,7 +13,7 @@ KEYWORDS="amd64 ppc x86"
 
 DEPEND="
 	app-cdr/cdrtools
-	net-misc/openssh
+	virtual/openssh
 	sys-apps/util-linux
 "
 RDEPEND="${DEPEND}
diff --git a/app-backup/hdup/hdup-2.0.14.ebuild b/app-backup/hdup/hdup-2.0.14-r1.ebuild
index 87d941b00336..57fb577b246c 100644
--- a/app-backup/hdup/hdup-2.0.14.ebuild
+++ b/app-backup/hdup/hdup-2.0.14-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2017 Gentoo Foundation
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
@@ -19,7 +19,7 @@ CDEPEND="
 	>=dev-libs/glib-2.0"
 RDEPEND="
 	${CDEPEND}
-	net-misc/openssh
+	virtual/openssh
 	sys-apps/coreutils
 	sys-apps/findutils
 	crypt? ( app-crypt/mcrypt )"
diff --git a/app-backup/rsnapshot/rsnapshot-1.4.4.ebuild b/app-backup/rsnapshot/rsnapshot-1.4.4-r1.ebuild
index ae093a14dfed..7d9892a4c31b 100644
--- a/app-backup/rsnapshot/rsnapshot-1.4.4.ebuild
+++ b/app-backup/rsnapshot/rsnapshot-1.4.4-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -11,12 +11,13 @@ SLOT="0"
 LICENSE="GPL-2"
 KEYWORDS="~alpha amd64 ppc ppc64 sparc x86"
 
-RDEPEND=">=dev-lang/perl-5.8.2
-		dev-perl/Lchown
-		>=sys-apps/util-linux-2.12-r4
-		>=sys-apps/coreutils-5.0.91-r4
-		>=net-misc/openssh-3.7.1_p2-r1
-		>=net-misc/rsync-2.6.0"
+RDEPEND="
+	>=dev-lang/perl-5.8.2
+	dev-perl/Lchown
+	>=sys-apps/util-linux-2.12-r4
+	>=sys-apps/coreutils-5.0.91-r4
+	virtual/openssh
+	>=net-misc/rsync-2.6.0"
 DEPEND="${RDEPEND}"
 
 src_prepare() {
diff --git a/app-backup/rsnapshot/rsnapshot-1.4.5.ebuild b/app-backup/rsnapshot/rsnapshot-1.4.5-r1.ebuild
index 01fb77647b26..0603ae32895c 100644
--- a/app-backup/rsnapshot/rsnapshot-1.4.5.ebuild
+++ b/app-backup/rsnapshot/rsnapshot-1.4.5-r1.ebuild
@@ -15,7 +15,7 @@ RDEPEND=">=dev-lang/perl-5.8.2
 	dev-perl/Lchown
 	>=sys-apps/util-linux-2.12-r4
 	>=sys-apps/coreutils-5.0.91-r4
-	>=net-misc/openssh-3.7.1_p2-r1
+	virtual/openssh
 	>=net-misc/rsync-2.6.0"
 DEPEND="${RDEPEND}"
 
diff --git a/app-crypt/monkeysphere/monkeysphere-0.44.ebuild b/app-crypt/monkeysphere/monkeysphere-0.44-r1.ebuild
index f8a6c908946d..2b85c2210dac 100644
--- a/app-crypt/monkeysphere/monkeysphere-0.44.ebuild
+++ b/app-crypt/monkeysphere/monkeysphere-0.44-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -28,7 +28,7 @@ DEPEND="acct-group/monkeysphere
 	dev-perl/Digest-SHA1:0=
 	app-misc/lockfile-progs:0="
 RDEPEND="${DEPEND}
-	net-misc/openssh"
+	virtual/openssh"
 
 PATCHES=(
 	"${FILESDIR}"/${PN}-0.44-install-uncompressed-man-pages.patch
diff --git a/app-crypt/seahorse/seahorse-43.0-r2.ebuild b/app-crypt/seahorse/seahorse-43.0-r3.ebuild
index 54b472f9d3d2..59ddd6bbcb54 100644
--- a/app-crypt/seahorse/seahorse-43.0-r2.ebuild
+++ b/app-crypt/seahorse/seahorse-43.0-r3.ebuild
@@ -22,7 +22,7 @@ RDEPEND="
 	>=gui-libs/libhandy-1.6.0:1
 	>=app-crypt/libsecret-0.16
 	dev-libs/libpwquality
-	net-misc/openssh
+	virtual/openssh
 	ldap? ( net-nds/openldap:= )
 	net-libs/libsoup:3.0
 	zeroconf? ( >=net-dns/avahi-0.6[dbus] )
diff --git a/app-crypt/simple-tpm-pk11/simple-tpm-pk11-0.06.ebuild b/app-crypt/simple-tpm-pk11/simple-tpm-pk11-0.06-r1.ebuild
index 64abb36d4de1..6b5facd3a1c1 100644
--- a/app-crypt/simple-tpm-pk11/simple-tpm-pk11-0.06.ebuild
+++ b/app-crypt/simple-tpm-pk11/simple-tpm-pk11-0.06-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
@@ -26,7 +26,10 @@ DEPEND="app-crypt/tpm-tools[pkcs11]
 	dev-libs/openssl:0=
 	"
 RDEPEND="${DEPEND}
-	net-misc/openssh[-X509]"
+	|| (
+		>=net-misc/openssh-9.3_p1-r1
+		>=net-misc/openssh-contrib-9.3_p1[-X509]
+	)"
 
 src_prepare() {
 	eapply_user
diff --git a/app-shells/pdsh/pdsh-2.34-r1.ebuild b/app-shells/pdsh/pdsh-2.34-r2.ebuild
index 17f7b7136052..1d35f068cb97 100644
--- a/app-shells/pdsh/pdsh-2.34-r1.ebuild
+++ b/app-shells/pdsh/pdsh-2.34-r2.ebuild
@@ -17,7 +17,7 @@ IUSE="crypt readline rsh test"
 RESTRICT="!test? ( test )"
 
 RDEPEND="
-	crypt? ( net-misc/openssh )
+	crypt? ( virtual/openssh )
 	rsh? ( net-misc/netkit-rsh )
 	readline? ( sys-libs/readline:0= )"
 DEPEND="${RDEPEND}"
diff --git a/dev-python/twisted/twisted-22.10.0.ebuild b/dev-python/twisted/twisted-22.10.0-r1.ebuild
index 6827bc77e0a1..db9b7ce789a2 100644
--- a/dev-python/twisted/twisted-22.10.0.ebuild
+++ b/dev-python/twisted/twisted-22.10.0-r1.ebuild
@@ -64,7 +64,7 @@ BDEPEND="
 			dev-python/pyasn1[${PYTHON_USEDEP}]
 			>=dev-python/pyhamcrest-1.9.0[${PYTHON_USEDEP}]
 			>=dev-python/pyserial-3.0[${PYTHON_USEDEP}]
-			net-misc/openssh
+			virtual/openssh
 			conch? (
 				>=dev-python/bcrypt-3.0.0[${PYTHON_USEDEP}]
 				>=dev-python/cryptography-2.6[${PYTHON_USEDEP}]
diff --git a/dev-util/diffoscope/diffoscope-238.ebuild b/dev-util/diffoscope/diffoscope-238-r1.ebuild
index aed6066b3722..f4934e958eda 100644
--- a/dev-util/diffoscope/diffoscope-238.ebuild
+++ b/dev-util/diffoscope/diffoscope-238-r1.ebuild
@@ -61,7 +61,7 @@ RDEPEND="
 	rpm? ( app-arch/rpm )
 	sqlite? ( dev-db/sqlite:3 )
 	squashfs? ( sys-fs/squashfs-tools )
-	ssh? ( net-misc/openssh )
+	ssh? ( virtual/openssh )
 	tar? ( app-arch/tar )
 	tcpdump? ( net-analyzer/tcpdump )
 	zip? ( app-arch/unzip )
diff --git a/dev-util/diffoscope/diffoscope-242.ebuild b/dev-util/diffoscope/diffoscope-240-r1.ebuild
index d598e5340b57..d201f2eeaae5 100644
--- a/dev-util/diffoscope/diffoscope-242.ebuild
+++ b/dev-util/diffoscope/diffoscope-240-r1.ebuild
@@ -61,7 +61,7 @@ RDEPEND="
 	rpm? ( app-arch/rpm )
 	sqlite? ( dev-db/sqlite:3 )
 	squashfs? ( sys-fs/squashfs-tools )
-	ssh? ( net-misc/openssh )
+	ssh? ( virtual/openssh )
 	tar? ( app-arch/tar )
 	tcpdump? ( net-analyzer/tcpdump )
 	zip? ( app-arch/unzip )
diff --git a/dev-util/diffoscope/diffoscope-240.ebuild b/dev-util/diffoscope/diffoscope-241-r1.ebuild
index d598e5340b57..d201f2eeaae5 100644
--- a/dev-util/diffoscope/diffoscope-240.ebuild
+++ b/dev-util/diffoscope/diffoscope-241-r1.ebuild
@@ -61,7 +61,7 @@ RDEPEND="
 	rpm? ( app-arch/rpm )
 	sqlite? ( dev-db/sqlite:3 )
 	squashfs? ( sys-fs/squashfs-tools )
-	ssh? ( net-misc/openssh )
+	ssh? ( virtual/openssh )
 	tar? ( app-arch/tar )
 	tcpdump? ( net-analyzer/tcpdump )
 	zip? ( app-arch/unzip )
diff --git a/dev-util/diffoscope/diffoscope-241.ebuild b/dev-util/diffoscope/diffoscope-242-r1.ebuild
index d598e5340b57..d201f2eeaae5 100644
--- a/dev-util/diffoscope/diffoscope-241.ebuild
+++ b/dev-util/diffoscope/diffoscope-242-r1.ebuild
@@ -61,7 +61,7 @@ RDEPEND="
 	rpm? ( app-arch/rpm )
 	sqlite? ( dev-db/sqlite:3 )
 	squashfs? ( sys-fs/squashfs-tools )
-	ssh? ( net-misc/openssh )
+	ssh? ( virtual/openssh )
 	tar? ( app-arch/tar )
 	tcpdump? ( net-analyzer/tcpdump )
 	zip? ( app-arch/unzip )
diff --git a/gnome-base/gnome-keyring/gnome-keyring-42.1-r1.ebuild b/gnome-base/gnome-keyring/gnome-keyring-42.1-r2.ebuild
index 5b44968b21bc..a4656870452a 100644
--- a/gnome-base/gnome-keyring/gnome-keyring-42.1-r1.ebuild
+++ b/gnome-base/gnome-keyring/gnome-keyring-42.1-r2.ebuild
@@ -25,7 +25,7 @@ RDEPEND="
 	>=dev-libs/libgcrypt-1.2.2:0=
 	pam? ( sys-libs/pam )
 	selinux? ( sec-policy/selinux-gnome )
-	ssh-agent? ( net-misc/openssh )
+	ssh-agent? ( virtual/openssh )
 "
 DEPEND="${RDEPEND}"
 BDEPEND="
diff --git a/gnome-base/gvfs/gvfs-1.50.3.ebuild b/gnome-base/gvfs/gvfs-1.50.3-r1.ebuild
index d0c1114796d5..bc978a9de5c6 100644
--- a/gnome-base/gvfs/gvfs-1.50.3.ebuild
+++ b/gnome-base/gvfs/gvfs-1.50.3-r1.ebuild
@@ -68,7 +68,7 @@ RDEPEND="
 	google? ( >=dev-libs/libgdata-0.18.0:=[crypt,gnome-online-accounts] )
 	gphoto2? ( >=media-libs/libgphoto2-2.5.0:= )
 	nfs? ( >=net-fs/libnfs-1.9.8:= )
-	net-misc/openssh
+	virtual/openssh
 "
 DEPEND="${RDEPEND}"
 BDEPEND="
diff --git a/gnome-base/gvfs/gvfs-1.50.4.ebuild b/gnome-base/gvfs/gvfs-1.50.4-r1.ebuild
index b35f0d3b55c5..c856eb15aa63 100644
--- a/gnome-base/gvfs/gvfs-1.50.4.ebuild
+++ b/gnome-base/gvfs/gvfs-1.50.4-r1.ebuild
@@ -68,7 +68,7 @@ RDEPEND="
 	google? ( >=dev-libs/libgdata-0.18.0:=[crypt,gnome-online-accounts] )
 	gphoto2? ( >=media-libs/libgphoto2-2.5.0:= )
 	nfs? ( >=net-fs/libnfs-1.9.8:= )
-	net-misc/openssh
+	virtual/openssh
 "
 DEPEND="${RDEPEND}"
 BDEPEND="
diff --git a/net-analyzer/monitoring-plugins/monitoring-plugins-2.3.1-r4.ebuild b/net-analyzer/monitoring-plugins/monitoring-plugins-2.3.1-r5.ebuild
index bee2b77ec739..b0bacbb75463 100644
--- a/net-analyzer/monitoring-plugins/monitoring-plugins-2.3.1-r4.ebuild
+++ b/net-analyzer/monitoring-plugins/monitoring-plugins-2.3.1-r5.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="8"
@@ -44,7 +44,7 @@ DEPEND="${REAL_DEPEND}
 	game? ( games-util/qstat )
 	fping? ( net-analyzer/fping )
 	samba? ( net-fs/samba )
-	ssh? ( net-misc/openssh )
+	ssh? ( virtual/openssh )
 	snmp? ( dev-perl/Net-SNMP
 			net-analyzer/net-snmp[-minimal] )"
 
diff --git a/net-analyzer/monitoring-plugins/monitoring-plugins-2.3.2-r1.ebuild b/net-analyzer/monitoring-plugins/monitoring-plugins-2.3.2-r2.ebuild
index ee3f8666e960..3cea165dde1d 100644
--- a/net-analyzer/monitoring-plugins/monitoring-plugins-2.3.2-r1.ebuild
+++ b/net-analyzer/monitoring-plugins/monitoring-plugins-2.3.2-r2.ebuild
@@ -44,7 +44,7 @@ DEPEND="${REAL_DEPEND}
 	game? ( games-util/qstat )
 	fping? ( net-analyzer/fping )
 	samba? ( net-fs/samba )
-	ssh? ( net-misc/openssh )
+	ssh? ( virtual/openssh )
 	snmp? ( dev-perl/Net-SNMP
 			net-analyzer/net-snmp[-minimal] )"
 
diff --git a/net-analyzer/monitoring-plugins/monitoring-plugins-2.3.3-r1.ebuild b/net-analyzer/monitoring-plugins/monitoring-plugins-2.3.3-r2.ebuild
index ac7b44413cab..e364f28aa4cc 100644
--- a/net-analyzer/monitoring-plugins/monitoring-plugins-2.3.3-r1.ebuild
+++ b/net-analyzer/monitoring-plugins/monitoring-plugins-2.3.3-r2.ebuild
@@ -44,7 +44,7 @@ DEPEND="${REAL_DEPEND}
 	game? ( games-util/qstat )
 	fping? ( net-analyzer/fping )
 	samba? ( net-fs/samba )
-	ssh? ( net-misc/openssh )
+	ssh? ( virtual/openssh )
 	snmp? ( dev-perl/Net-SNMP
 			net-analyzer/net-snmp[-minimal] )"
 
diff --git a/net-analyzer/nagios-plugins/nagios-plugins-2.4.0-r2.ebuild b/net-analyzer/nagios-plugins/nagios-plugins-2.4.0-r3.ebuild
index ea52cc31e226..192207bf2da9 100644
--- a/net-analyzer/nagios-plugins/nagios-plugins-2.4.0-r2.ebuild
+++ b/net-analyzer/nagios-plugins/nagios-plugins-2.4.0-r3.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -22,7 +22,7 @@ AUTOMAGIC_DEPEND="
 	nagios-game? ( games-util/qstat )
 	nagios-ping? ( net-analyzer/fping )
 	samba? ( net-fs/samba )
-	ssh? ( net-misc/openssh )
+	ssh? ( virtual/openssh )
 	snmp? ( dev-perl/Net-SNMP
 			net-analyzer/net-snmp[-minimal] )"
 
diff --git a/net-analyzer/nagios-plugins/nagios-plugins-2.4.2-r2.ebuild b/net-analyzer/nagios-plugins/nagios-plugins-2.4.2-r3.ebuild
index 54c610e10a60..93ed15e27790 100644
--- a/net-analyzer/nagios-plugins/nagios-plugins-2.4.2-r2.ebuild
+++ b/net-analyzer/nagios-plugins/nagios-plugins-2.4.2-r3.ebuild
@@ -22,7 +22,7 @@ AUTOMAGIC_DEPEND="
 	nagios-game? ( games-util/qstat )
 	nagios-ping? ( net-analyzer/fping )
 	samba? ( net-fs/samba )
-	ssh? ( net-misc/openssh )
+	ssh? ( virtual/openssh )
 	snmp? ( dev-perl/Net-SNMP
 			net-analyzer/net-snmp[-minimal] )"
 
diff --git a/net-dns/hash-slinger/hash-slinger-3.2.ebuild b/net-dns/hash-slinger/hash-slinger-3.2-r1.ebuild
index a8ddda15cbb8..d4c705076a21 100644
--- a/net-dns/hash-slinger/hash-slinger-3.2.ebuild
+++ b/net-dns/hash-slinger/hash-slinger-3.2-r1.ebuild
@@ -28,7 +28,7 @@ RDEPEND="
 	net-dns/unbound[python,${PYTHON_SINGLE_USEDEP}]
 	ipsec? ( net-vpn/libreswan[dnssec] )
 	openpgp? ( $(python_gen_cond_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') )
-	ssh? ( net-misc/openssh )
+	ssh? ( virtual/openssh )
 "
 
 src_install() {
diff --git a/net-fs/sshfs/sshfs-3.7.3.ebuild b/net-fs/sshfs/sshfs-3.7.3-r1.ebuild
index 430de0872a49..1ed1ef7dd04b 100644
--- a/net-fs/sshfs/sshfs-3.7.3.ebuild
+++ b/net-fs/sshfs/sshfs-3.7.3-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -16,7 +16,7 @@ SLOT="0"
 DEPEND=">=sys-fs/fuse-3.1.0:3
 	>=dev-libs/glib-2.4.2"
 RDEPEND="${DEPEND}
-	>=net-misc/openssh-4.4"
+	virtual/openssh"
 BDEPEND="dev-python/docutils
 	virtual/pkgconfig"
 
diff --git a/net-mail/muchsync/muchsync-6.ebuild b/net-mail/muchsync/muchsync-6-r1.ebuild
index 43414dafbc15..d1235a44b624 100644
--- a/net-mail/muchsync/muchsync-6.ebuild
+++ b/net-mail/muchsync/muchsync-6-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -18,5 +18,5 @@ DEPEND="dev-db/sqlite:3
 	net-mail/notmuch:=
 "
 RDEPEND="${DEPEND}
-	net-misc/openssh
+	virtual/openssh
 "
diff --git a/net-misc/autossh/autossh-1.4g.ebuild b/net-misc/autossh/autossh-1.4g-r1.ebuild
index 57c7452cb478..4a227c8620c6 100644
--- a/net-misc/autossh/autossh-1.4g.ebuild
+++ b/net-misc/autossh/autossh-1.4g-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -11,7 +11,7 @@ LICENSE="BSD"
 KEYWORDS="amd64 ~arm ~arm64 ~hppa ppc ~ppc64 ~riscv ~sparc x86 ~amd64-linux ~x86-linux"
 SLOT="0"
 
-RDEPEND="net-misc/openssh"
+RDEPEND="virtual/openssh"
 
 src_install() {
 	dobin autossh
diff --git a/net-misc/openssh-contrib/Manifest b/net-misc/openssh-contrib/Manifest
new file mode 100644
index 000000000000..680eb4cd062e
--- /dev/null
+++ b/net-misc/openssh-contrib/Manifest
@@ -0,0 +1,10 @@
+DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
+DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
+DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
+DIST openssh-9.3_p1-X509-glue-14.1.1.patch.xz 936 BLAKE2B f1716ff7801a27aa2aad06f1cca2ca6988eef65fb0ddcbde483e5c9205506ca40b658f5c8c40b2625afb38ff9b56e40831eadcf751c8ee1c11f69ec559f3c147 SHA512 dace01bcf22b625cd00e18ce019b0be31b6f47f714845f3ebb98ebee41b4db0a769fa09cab63ea17536a7106ec90f2b15f87696ae49fa6f6e31bad94ae09719d
+DIST openssh-9.3_p1-hpn-15.2-X509-14.1.1-glue.patch.xz 6224 BLAKE2B 47c7054648e8d795b0d9e563d8313242c917df8a3620a60cff2d77f9ae8482cec861244e0f1433f711922f0704b775b7183284960a3baa48a27b99979ad7ffa3 SHA512 728cf2586bcc9480afe71b5106e2286b925857a9e04dce79f744b36cbe3ec2844ac5b4a6bd4b64117f32ad1b04c0943b9d6f935eee826202871588ed9a167387
+DIST openssh-9.3_p1-hpn-15.2-glue.patch.xz 5044 BLAKE2B 73205bd8f702612df7cb6f29e8b353df854428974dc20d5938033157da64418317f326ab8118893dc47173cd871dc7654a3e3ed601289744560becc98729cd3f SHA512 343b77109158b9af5d8d57f4ac7968bce8277fa3b4dcaa19b76593620fbddbfa832bd76c0da52e12179fe5f391f9fef67e7af51b138ab8cc69a8a6471b6a3909
+DIST openssh-9.3p1+x509-14.1.1.diff.gz 1221335 BLAKE2B 9203fbb6955fe44ebd7ed031245a90b8df7e149a6ad3205097ffd5d2d7655a0e6b8cd2e20d7f7216fbc6d3e8bd0a1453f3fc028f04e96c0f244ad0772a0e30ab SHA512 8a1036d680d25f99e1a24ea77a2c303e807c0f5c5323043684da9fcc9ff603f80384688935a654cc97216f84f85f00f590dc35d2ee2b1f0fb169f8b427559b2d
+DIST openssh-9.3p1-sctp-1.2.patch.xz 6836 BLAKE2B d12394ecaa7eca6e0b3590cea83b71537edc3230bc5f7b2992a06a67c77247cc4156be0ba151038a5baee1c3f105f76f1917cc5aad08d1aadadfd6e56858781b SHA512 ba5af014e5b825bf4a57368416a15c6e56afd355780e4c5eab44a396c3f4276ac4d813c5c15b83f3b8edf4763855221743796c038433b292fda9417f0b274a71
+DIST openssh-9.3p1.tar.gz 1856839 BLAKE2B 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d SHA512 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19
+DIST openssh-9.3p1.tar.gz.asc 833 BLAKE2B e6533d64b117a400b76b90f71fa856d352dea57d91e4e89fa375429403ac0734cc0a2f075bc58c6bb4f40a8f9776735aa36bdb0bbf3880a2115cea787633e48b SHA512 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4
diff --git a/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch
new file mode 100644
index 000000000000..fa33af39b6f8
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch
@@ -0,0 +1,17 @@
+the last nibble of the openssl version represents the status.  that is,
+whether it is a beta or release.  when it comes to version checks in
+openssh, this component does not matter, so ignore it.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=2212
+
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
+ 	 * For versions >= 1.0.0, major,minor,status must match and library
+ 	 * fix version must be equal to or newer than the header.
+ 	 */
+-	mask = 0xfff0000fL; /* major,minor,status */
++	mask = 0xfff00000L; /* major,minor,status */
+ 	hfix = (headerver & 0x000ff000) >> 12;
+ 	lfix = (libver & 0x000ff000) >> 12;
+ 	if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
diff --git a/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch
new file mode 100644
index 000000000000..a5647ce9d8d3
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch
@@ -0,0 +1,20 @@
+Disable conch interop tests which are failing when called
+via portage for yet unknown reason and because using conch
+seems to be flaky (test is failing when using Python2 but
+passing when using Python3).
+
+Bug: https://bugs.gentoo.org/605446
+
+--- a/regress/conch-ciphers.sh
++++ b/regress/conch-ciphers.sh
+@@ -3,6 +3,10 @@
+ 
+ tid="conch ciphers"
+ 
++# https://bugs.gentoo.org/605446
++echo "conch interop tests skipped due to Gentoo bug #605446"
++exit 0
++
+ if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
+ 	echo "conch interop tests not enabled"
+ 	exit 0
diff --git a/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch b/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch
new file mode 100644
index 000000000000..c5697c2b8bd1
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch
@@ -0,0 +1,48 @@
+diff --git a/auth-options.c b/auth-options.c
+index b05d6d6f..d1f42f04 100644
+--- a/auth-options.c
++++ b/auth-options.c
+@@ -26,6 +26,7 @@
+ #include <stdarg.h>
+ #include <ctype.h>
+ #include <limits.h>
++#include <stdlib.h>
+ 
+ #include "openbsd-compat/sys-queue.h"
+ 
+diff --git a/hmac.c b/hmac.c
+index 1c879640..a29f32c5 100644
+--- a/hmac.c
++++ b/hmac.c
+@@ -19,6 +19,7 @@
+ 
+ #include <sys/types.h>
+ #include <string.h>
++#include <stdlib.h>
+ 
+ #include "sshbuf.h"
+ #include "digest.h"
+diff --git a/krl.c b/krl.c
+index 8e2d5d5d..c32e147a 100644
+--- a/krl.c
++++ b/krl.c
+@@ -28,6 +28,7 @@
+ #include <string.h>
+ #include <time.h>
+ #include <unistd.h>
++#include <stdlib.h>
+ 
+ #include "sshbuf.h"
+ #include "ssherr.h"
+diff --git a/mac.c b/mac.c
+index 51dc11d7..3d11eba6 100644
+--- a/mac.c
++++ b/mac.c
+@@ -29,6 +29,7 @@
+ 
+ #include <string.h>
+ #include <stdio.h>
++#include <stdlib.h>
+ 
+ #include "digest.h"
+ #include "hmac.h"
diff --git a/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch b/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch
new file mode 100644
index 000000000000..4310aa123fc8
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch
@@ -0,0 +1,57 @@
+Make sure that host keys are already accepted before
+running tests.
+
+https://bugs.gentoo.org/493866
+
+--- a/regress/putty-ciphers.sh
++++ b/regress/putty-ciphers.sh
+@@ -10,11 +10,17 @@ fi
+ 
+ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
+ 	verbose "$tid: cipher $c"
++	rm -f ${COPY}
+ 	cp ${OBJ}/.putty/sessions/localhost_proxy \
+ 	    ${OBJ}/.putty/sessions/cipher_$c
+ 	echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+ 
+-	rm -f ${COPY}
++	env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
++	    -i ${OBJ}/putty.rsa2 "exit"
++	if [ $? -ne 0 ]; then
++		fail "failed to pre-cache host key"
++	fi
++
+ 	env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
+ 	    cat ${DATA} > ${COPY}
+ 	if [ $? -ne 0 ]; then
+--- a/regress/putty-kex.sh
++++ b/regress/putty-kex.sh
+@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
+ 	    ${OBJ}/.putty/sessions/kex_$k
+ 	echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
+ 
++	env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
++	    -i ${OBJ}/putty.rsa2 "exit"
++	if [ $? -ne 0 ]; then
++		fail "failed to pre-cache host key"
++	fi
++
+ 	env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
+ 	if [ $? -ne 0 ]; then
+ 		fail "KEX $k failed"
+--- a/regress/putty-transfer.sh
++++ b/regress/putty-transfer.sh
+@@ -14,6 +14,13 @@ for c in 0 1 ; do
+ 	cp ${OBJ}/.putty/sessions/localhost_proxy \
+ 	    ${OBJ}/.putty/sessions/compression_$c
+ 	echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
++
++	env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
++	    -i ${OBJ}/putty.rsa2 "exit"
++	if [ $? -ne 0 ]; then
++		fail "failed to pre-cache host key"
++	fi
++
+ 	env HOME=$PWD ${PLINK} -load compression_$c -batch \
+ 	    -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
+ 	if [ $? -ne 0 ]; then
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
index 7199227589c6..7199227589c6 100644
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
+++ b/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch b/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch
index 6dc290d6737b..6dc290d6737b 100644
--- a/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
+++ b/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch
diff --git a/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch b/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch
new file mode 100644
index 000000000000..ffc40b70ae3d
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch
@@ -0,0 +1,357 @@
+diff --git a/auth.c b/auth.c
+index 00b168b4..8ee93581 100644
+--- a/auth.c
++++ b/auth.c
+@@ -729,118 +729,6 @@ fakepw(void)
+ 	return (&fake);
+ }
+ 
+-/*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on based on conflation of hostnames and IP addresses.
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+-	struct sockaddr_storage from;
+-	socklen_t fromlen;
+-	struct addrinfo hints, *ai, *aitop;
+-	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+-	const char *ntop = ssh_remote_ipaddr(ssh);
+-
+-	/* Get IP address of client. */
+-	fromlen = sizeof(from);
+-	memset(&from, 0, sizeof(from));
+-	if (getpeername(ssh_packet_get_connection_in(ssh),
+-	    (struct sockaddr *)&from, &fromlen) == -1) {
+-		debug("getpeername failed: %.100s", strerror(errno));
+-		return xstrdup(ntop);
+-	}
+-
+-	ipv64_normalise_mapped(&from, &fromlen);
+-	if (from.ss_family == AF_INET6)
+-		fromlen = sizeof(struct sockaddr_in6);
+-
+-	debug3("Trying to reverse map address %.100s.", ntop);
+-	/* Map the IP address to a host name. */
+-	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+-	    NULL, 0, NI_NAMEREQD) != 0) {
+-		/* Host name not found.  Use ip address. */
+-		return xstrdup(ntop);
+-	}
+-
+-	/*
+-	 * if reverse lookup result looks like a numeric hostname,
+-	 * someone is trying to trick us by PTR record like following:
+-	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
+-	hints.ai_flags = AI_NUMERICHOST;
+-	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+-		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+-		    name, ntop);
+-		freeaddrinfo(ai);
+-		return xstrdup(ntop);
+-	}
+-
+-	/* Names are stored in lowercase. */
+-	lowercase(name);
+-
+-	/*
+-	 * Map it back to an IP address and check that the given
+-	 * address actually is an address of this host.  This is
+-	 * necessary because anyone with access to a name server can
+-	 * define arbitrary names for an IP address. Mapping from
+-	 * name to IP address can be trusted better (but can still be
+-	 * fooled if the intruder has access to the name server of
+-	 * the domain).
+-	 */
+-	memset(&hints, 0, sizeof(hints));
+-	hints.ai_family = from.ss_family;
+-	hints.ai_socktype = SOCK_STREAM;
+-	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+-		logit("reverse mapping checking getaddrinfo for %.700s "
+-		    "[%s] failed.", name, ntop);
+-		return xstrdup(ntop);
+-	}
+-	/* Look for the address from the list of addresses. */
+-	for (ai = aitop; ai; ai = ai->ai_next) {
+-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+-		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+-		    (strcmp(ntop, ntop2) == 0))
+-				break;
+-	}
+-	freeaddrinfo(aitop);
+-	/* If we reached the end of the list, the address was not there. */
+-	if (ai == NULL) {
+-		/* Address not found for the host name. */
+-		logit("Address %.100s maps to %.600s, but this does not "
+-		    "map back to the address.", ntop, name);
+-		return xstrdup(ntop);
+-	}
+-	return xstrdup(name);
+-}
+-
+-/*
+- * Return the canonical name of the host in the other side of the current
+- * connection.  The host name is cached, so it is efficient to call this
+- * several times.
+- */
+-
+-const char *
+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+-{
+-	static char *dnsname;
+-
+-	if (!use_dns)
+-		return ssh_remote_ipaddr(ssh);
+-	else if (dnsname != NULL)
+-		return dnsname;
+-	else {
+-		dnsname = remote_hostname(ssh);
+-		return dnsname;
+-	}
+-}
+-
+ /* These functions link key/cert options to the auth framework */
+ 
+ /* Log sshauthopt options locally and (optionally) for remote transmission */
+diff --git a/canohost.c b/canohost.c
+index a810da0e..18e9d8d4 100644
+--- a/canohost.c
++++ b/canohost.c
+@@ -202,3 +202,117 @@ get_local_port(int sock)
+ {
+ 	return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++static char *
++remote_hostname(struct ssh *ssh)
++{
++	struct sockaddr_storage from;
++	socklen_t fromlen;
++	struct addrinfo hints, *ai, *aitop;
++	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++	const char *ntop = ssh_remote_ipaddr(ssh);
++
++	/* Get IP address of client. */
++	fromlen = sizeof(from);
++	memset(&from, 0, sizeof(from));
++	if (getpeername(ssh_packet_get_connection_in(ssh),
++	    (struct sockaddr *)&from, &fromlen) == -1) {
++		debug("getpeername failed: %.100s", strerror(errno));
++		return xstrdup(ntop);
++	}
++
++	ipv64_normalise_mapped(&from, &fromlen);
++	if (from.ss_family == AF_INET6)
++		fromlen = sizeof(struct sockaddr_in6);
++
++	debug3("Trying to reverse map address %.100s.", ntop);
++	/* Map the IP address to a host name. */
++	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++	    NULL, 0, NI_NAMEREQD) != 0) {
++		/* Host name not found.  Use ip address. */
++		return xstrdup(ntop);
++	}
++
++	/*
++	 * if reverse lookup result looks like a numeric hostname,
++	 * someone is trying to trick us by PTR record like following:
++	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
++	hints.ai_flags = AI_NUMERICHOST;
++	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++		    name, ntop);
++		freeaddrinfo(ai);
++		return xstrdup(ntop);
++	}
++
++	/* Names are stored in lowercase. */
++	lowercase(name);
++
++	/*
++	 * Map it back to an IP address and check that the given
++	 * address actually is an address of this host.  This is
++	 * necessary because anyone with access to a name server can
++	 * define arbitrary names for an IP address. Mapping from
++	 * name to IP address can be trusted better (but can still be
++	 * fooled if the intruder has access to the name server of
++	 * the domain).
++	 */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_family = from.ss_family;
++	hints.ai_socktype = SOCK_STREAM;
++	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++		logit("reverse mapping checking getaddrinfo for %.700s "
++		    "[%s] failed.", name, ntop);
++		return xstrdup(ntop);
++	}
++	/* Look for the address from the list of addresses. */
++	for (ai = aitop; ai; ai = ai->ai_next) {
++		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++		    (strcmp(ntop, ntop2) == 0))
++				break;
++	}
++	freeaddrinfo(aitop);
++	/* If we reached the end of the list, the address was not there. */
++	if (ai == NULL) {
++		/* Address not found for the host name. */
++		logit("Address %.100s maps to %.600s, but this does not "
++		    "map back to the address.", ntop, name);
++		return xstrdup(ntop);
++	}
++	return xstrdup(name);
++}
++
++/*
++ * Return the canonical name of the host in the other side of the current
++ * connection.  The host name is cached, so it is efficient to call this
++ * several times.
++ */
++
++const char *
++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
++{
++	static char *dnsname;
++
++	if (!use_dns)
++		return ssh_remote_ipaddr(ssh);
++	else if (dnsname != NULL)
++		return dnsname;
++	else {
++		dnsname = remote_hostname(ssh);
++		return dnsname;
++	}
++}
+diff --git a/readconf.c b/readconf.c
+index 03369a08..b45898ce 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -161,6 +161,7 @@ typedef enum {
+ 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++	oGssTrustDns,
+ 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ 	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
+ 	oHashKnownHosts,
+@@ -207,9 +208,11 @@ static struct {
+ #if defined(GSSAPI)
+ 	{ "gssapiauthentication", oGssAuthentication },
+ 	{ "gssapidelegatecredentials", oGssDelegateCreds },
++	{ "gssapitrustdns", oGssTrustDns },
+ # else
+ 	{ "gssapiauthentication", oUnsupported },
+ 	{ "gssapidelegatecredentials", oUnsupported },
++	{ "gssapitrustdns", oUnsupported },
+ #endif
+ #ifdef ENABLE_PKCS11
+ 	{ "pkcs11provider", oPKCS11Provider },
+@@ -1117,6 +1120,10 @@ parse_time:
+ 		intptr = &options->gss_deleg_creds;
+ 		goto parse_flag;
+ 
++	case oGssTrustDns:
++		intptr = &options->gss_trust_dns;
++		goto parse_flag;
++
+ 	case oBatchMode:
+ 		intptr = &options->batch_mode;
+ 		goto parse_flag;
+@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
+ 	options->pubkey_authentication = -1;
+ 	options->gss_authentication = -1;
+ 	options->gss_deleg_creds = -1;
++	options->gss_trust_dns = -1;
+ 	options->password_authentication = -1;
+ 	options->kbd_interactive_authentication = -1;
+ 	options->kbd_interactive_devices = NULL;
+@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
+ 		options->gss_authentication = 0;
+ 	if (options->gss_deleg_creds == -1)
+ 		options->gss_deleg_creds = 0;
++	if (options->gss_trust_dns == -1)
++		options->gss_trust_dns = 0;
+ 	if (options->password_authentication == -1)
+ 		options->password_authentication = 1;
+ 	if (options->kbd_interactive_authentication == -1)
+diff --git a/readconf.h b/readconf.h
+index f7d53b06..c3a91898 100644
+--- a/readconf.h
++++ b/readconf.h
+@@ -40,6 +40,7 @@ typedef struct {
+ 	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
+ 	int     gss_authentication;	/* Try GSS authentication */
+ 	int     gss_deleg_creds;	/* Delegate GSS credentials */
++	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
+ 	int     password_authentication;	/* Try password
+ 						 * authentication. */
+ 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+diff --git a/ssh_config.5 b/ssh_config.5
+index cd0eea86..27101943 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -832,6 +832,16 @@ The default is
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+diff --git a/sshconnect2.c b/sshconnect2.c
+index fea50fab..aeff639b 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
+ 	OM_uint32 min;
+ 	int r, ok = 0;
+ 	gss_OID mech = NULL;
++	const char *gss_host;
++
++	if (options.gss_trust_dns) {
++		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++		gss_host = auth_get_canonical_hostname(ssh, 1);
++	} else
++		gss_host = authctxt->host;
+ 
+ 	/* Try one GSSAPI method at a time, rather than sending them all at
+ 	 * once. */
+@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
+ 		    elements[authctxt->mech_tried];
+ 		/* My DER encoding requires length<128 */
+ 		if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
+-		    mech, authctxt->host)) {
++		    mech, gss_host)) {
+ 			ok = 1; /* Mechanism works */
+ 		} else {
+ 			authctxt->mech_tried++;
diff --git a/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch b/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch
new file mode 100644
index 000000000000..8c46625aa29c
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch
@@ -0,0 +1,14 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 2e065ba3..4ce80cb2 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_ppoll
+ 	SC_ALLOW(__NR_ppoll),
+ #endif
++#ifdef __NR_ppoll_time64
++	SC_ALLOW(__NR_ppoll_time64),
++#endif
+ #ifdef __NR_poll
+ 	SC_ALLOW(__NR_poll),
+ #endif
diff --git a/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch b/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
new file mode 100644
index 000000000000..9e08b2a553c2
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
@@ -0,0 +1,13 @@
+diff --git a/gss-serv.c b/gss-serv.c
+index b5d4bb2d..00e3d118 100644
+--- a/gss-serv.c
++++ b/gss-serv.c
+@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
+ 		gss_create_empty_oid_set(&status, &oidset);
+ 		gss_add_oid_set_member(&status, ctx->oid, &oidset);
+ 
+-		if (gethostname(lname, MAXHOSTNAMELEN)) {
++		if (gethostname(lname, HOST_NAME_MAX)) {
+ 			gss_release_oid_set(&status, &oidset);
+ 			return (-1);
+ 		}
diff --git a/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch b/net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch
index 2a83ed37d138..2a83ed37d138 100644
--- a/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch
+++ b/net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch
diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
new file mode 100644
index 000000000000..4d098b2231c7
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
@@ -0,0 +1,20 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 23b40b643..d93a357c6 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -257,6 +257,15 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_statx
+ 	SC_DENY(__NR_statx, EACCES),
+ #endif
++#ifdef __NR_shmget
++	SC_DENY(__NR_shmget, EACCES),
++#endif
++#ifdef __NR_shmat
++	SC_DENY(__NR_shmat, EACCES),
++#endif
++#ifdef __NR_shmdt
++	SC_DENY(__NR_shmdt, EACCES),
++#endif
+ 
+ 	/* Syscalls to permit */
+ #ifdef __NR_brk
diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch b/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch
new file mode 100644
index 000000000000..b571ae253fff
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch
@@ -0,0 +1,58 @@
+https://bugzilla.mindrot.org/show_bug.cgi?id=3548
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -48,19 +48,25 @@ ssh_compatible_openssl(long headerver, long libver)
+ 	if (headerver == libver)
+ 		return 1;
+ 
+-	/* for versions < 1.0.0, major,minor,fix,status must match */
+-	if (headerver < 0x1000000f) {
+-		mask = 0xfffff00fL; /* major,minor,fix,status */
+-		return (headerver & mask) == (libver & mask);
++	/*
++	 * For versions < 3.0.0, major,minor,status must match and library
++	 * fix version must be equal to or newer than the header.
++	 */
++	if (headerver < 0x3000000f) {
++		mask = 0xfff0000fL; /* major,minor,status */
++		hfix = (headerver & 0x000ff000) >> 12;
++		lfix = (libver & 0x000ff000) >> 12;
++		if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
++			return 1;
+ 	}
+ 
+ 	/*
+-	 * For versions >= 1.0.0, major,minor,status must match and library
+-	 * fix version must be equal to or newer than the header.
++	 * For versions >= 3.0.0, major must match and minor,status must be
++	 * equal to or greater than the header.
+ 	 */
+-	mask = 0xfff00000L; /* major,minor,status */
+-	hfix = (headerver & 0x000ff000) >> 12;
+-	lfix = (libver & 0x000ff000) >> 12;
++	mask = 0xf000000fL; /* major, status */
++	hfix = (headerver & 0x0ffffff0L) >> 12;
++	lfix = (libver & 0x0ffffff0L) >> 12;
+ 	if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
+ 		return 1;
+ 	return 0;
+--- a/openbsd-compat/regress/opensslvertest.c
++++ b/openbsd-compat/regress/opensslvertest.c
+@@ -31,7 +31,7 @@ struct version_test {
+ 	{ 0x0090802fL, 0x0090804fL, 1},	/* newer library fix version: ok */
+ 	{ 0x0090802fL, 0x0090801fL, 1},	/* older library fix version: ok */
+ 	{ 0x0090802fL, 0x0090702fL, 0},	/* older library minor version: NO */
+-	{ 0x0090802fL, 0x0090902fL, 0},	/* newer library minor version: NO */
++	{ 0x0090802fL, 0x0090902fL, 1},	/* newer library minor version: ok */
+ 	{ 0x0090802fL, 0x0080802fL, 0},	/* older library major version: NO */
+ 	{ 0x0090802fL, 0x1000100fL, 0},	/* newer library major version: NO */
+ 
+@@ -41,7 +41,7 @@ struct version_test {
+ 	{ 0x1000101fL, 0x1000100fL, 1},	/* older library patch version: ok */
+ 	{ 0x1000101fL, 0x1000201fL, 1},	/* newer library fix version: ok */
+ 	{ 0x1000101fL, 0x1000001fL, 0},	/* older library fix version: NO */
+-	{ 0x1000101fL, 0x1010101fL, 0},	/* newer library minor version: NO */
++	{ 0x1000101fL, 0x1010101fL, 1},	/* newer library minor version: ok */
+ 	{ 0x1000101fL, 0x0000101fL, 0},	/* older library major version: NO */
+ 	{ 0x1000101fL, 0x2000101fL, 0},	/* newer library major version: NO */
+ };
diff --git a/net-misc/openssh-contrib/files/sshd-r1.confd b/net-misc/openssh-contrib/files/sshd-r1.confd
new file mode 100644
index 000000000000..cf430371bf0f
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd-r1.confd
@@ -0,0 +1,33 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress.
+
+#SSHD_SSD_OPTS="--wait 1000"
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
+
+
+# Path to the ssh-keygen binary (needs to be absolute path).
+
+#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"
diff --git a/net-misc/openssh-contrib/files/sshd-r1.initd b/net-misc/openssh-contrib/files/sshd-r1.initd
new file mode 100644
index 000000000000..e91cd0116cd4
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd-r1.initd
@@ -0,0 +1,87 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
+: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
+: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
+: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
+: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
+
+command="${SSHD_BINARY}"
+pidfile="${SSHD_PIDFILE}"
+command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress (bug 617596).
+: ${SSHD_SSD_OPTS:=--wait 1000}
+start_stop_daemon_args="${SSHD_SSD_OPTS}"
+
+depend() {
+	# Entropy can be used by ssh-keygen, among other things, but
+	# is not strictly required (bug 470020).
+	use logger dns entropy
+	if [ "${rc_need+set}" = "set" ] ; then
+		: # Do nothing, the user has explicitly set rc_need
+	else
+		local x warn_addr
+		for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
+			case "${x}" in
+				0.0.0.0|0.0.0.0:*) ;;
+				::|\[::\]*) ;;
+				*) warn_addr="${warn_addr} ${x}" ;;
+			esac
+		done
+		if [ -n "${warn_addr}" ] ; then
+			need net
+			ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+			ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
+			ewarn "where FOO is the interface(s) providing the following address(es):"
+			ewarn "${warn_addr}"
+		fi
+	fi
+}
+
+checkconfig() {
+	checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
+
+	if [ ! -e "${SSHD_CONFIG}" ] ; then
+		eerror "You need an ${SSHD_CONFIG} file to run sshd"
+		eerror "There is a sample file in /usr/share/doc/openssh"
+		return 1
+	fi
+
+	${SSHD_KEYGEN_BINARY} -A || return 2
+
+	"${command}" -t ${command_args} || return 3
+}
+
+start_pre() {
+	# Make sure that the user's config isn't busted before we try
+	# to start the daemon (this will produce better error messages
+	# than if we just try to start it blindly).
+	#
+	# We always need to call checkconfig because this function will
+	# also generate any missing host key and you can start a
+	# non-running service with "restart" argument.
+	checkconfig || return $?
+}
+
+stop_pre() {
+	# If this is a restart, check to make sure the user's config
+	# isn't busted before we stop the running daemon.
+	if [ "${RC_CMD}" = "restart" ] ; then
+		checkconfig || return $?
+	fi
+}
+
+reload() {
+	checkconfig || return $?
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --signal HUP --pidfile "${pidfile}"
+	eend $?
+}
diff --git a/net-misc/openssh-contrib/files/sshd.pam_include.2 b/net-misc/openssh-contrib/files/sshd.pam_include.2
new file mode 100644
index 000000000000..b801aaafa0f9
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd.pam_include.2
@@ -0,0 +1,4 @@
+auth       include	system-remote-login
+account    include	system-remote-login
+password   include	system-remote-login
+session	   include	system-remote-login
diff --git a/net-misc/openssh-contrib/files/sshd.service.1 b/net-misc/openssh-contrib/files/sshd.service.1
new file mode 100644
index 000000000000..a541164cd7f2
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd.service.1
@@ -0,0 +1,15 @@
+[Unit]
+Description=OpenSSH server daemon
+After=network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/bin/ssh-keygen -A
+ExecStart=/usr/sbin/sshd -D -e
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+OOMPolicy=continue
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-misc/openssh-contrib/files/sshd.socket b/net-misc/openssh-contrib/files/sshd.socket
new file mode 100644
index 000000000000..94b9533180da
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH Server Socket
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/net-misc/openssh-contrib/files/sshd_at.service.1 b/net-misc/openssh-contrib/files/sshd_at.service.1
new file mode 100644
index 000000000000..e43a457994f4
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd_at.service.1
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+After=auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i -e
+StandardInput=socket
+StandardError=journal
diff --git a/net-misc/openssh-contrib/metadata.xml b/net-misc/openssh-contrib/metadata.xml
new file mode 100644
index 000000000000..2982a0304511
--- /dev/null
+++ b/net-misc/openssh-contrib/metadata.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>chutzpah@gentoo.org</email>
+		<name>Patrick McLean</name>
+	</maintainer>
+	<maintainer type="person">
+		<email>robbat2@gentoo.org</email>
+		<name>Robin H. Johnson</name>
+	</maintainer>
+	<longdescription>
+		OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
+		increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
+		rlogin, ftp, and other such programs might not realize that their password is transmitted
+		across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
+		to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
+		Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
+		of authentication methods.
+
+		The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
+		replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
+		the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
+		ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
+
+		This package represents an effort to extend upstream OpenSSH with three big patchsets.
+
+		WARNING: These patches are of lower quality than vanilla upstream OpenSSH and often have
+		correctness issues.
+
+		The patches are:
+
+		* HPN (High performance SSH/SCP) adds custom ciphers that allow for more aggressive
+		buffering and/or multithreading, leading to better network throughput. Many of these
+		optimizations are not relevant anymore due to AEAD ciphers changing MAC nesting or
+		because more CPU performant ciphers are being used in this day and age (ChaCha20).
+
+		WARNING: HPN's multi-threaded AES CTR cipher is known to be broken and should not be relied upon.
+
+		* SCTP patches by Patrick McLean. These enable SSH over SCTP.
+
+		* X509 patches by Roumen Petrov. OpenSSH upstream will never support standard PKIs for
+		authenticating users. This patch series adds support for X509 certificates.
+	</longdescription>
+	<use>
+		<flag name="hpn">Enable high performance ssh</flag>
+		<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
+		<flag name="livecd">Enable root password logins for live-cd environment.</flag>
+		<flag name="security-key">Include builtin U2F/FIDO support</flag>
+		<flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
+		<flag name="X509">Adds support for X.509 certificate authentication</flag>
+		<flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
+	</use>
+	<upstream>
+		<remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
+		<remote-id type="github">openssh/openssh-portable</remote-id>
+		<remote-id type="sourceforge">hpnssh</remote-id>
+	</upstream>
+</pkgmetadata>
diff --git a/net-misc/openssh/openssh-9.3_p1.ebuild b/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild
index c3084f573734..8fa1eabcaa5c 100644
--- a/net-misc/openssh/openssh-9.3_p1.ebuild
+++ b/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild
@@ -7,7 +7,8 @@ inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
 
 # Make it more portable between straight releases
 # and _p? releases.
-PARCH=${P/_}
+MY_P=${P/-contrib/}
+PARCH=${MY_P/_}
 
 # PV to USE for HPN patches
 #HPN_PV="${PV^^}"
@@ -15,11 +16,11 @@ HPN_PV="8.5_P1"
 
 HPN_VER="15.2"
 HPN_PATCHES=(
-	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
-	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
+	openssh-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+	openssh-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+	openssh-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
 )
-HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-glue.patch"
+HPN_GLUE_PATCH="openssh-9.3_p1-hpn-${HPN_VER}-glue.patch"
 HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}"
 
 SCTP_VER="1.2"
@@ -27,10 +28,10 @@ SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
 
 X509_VER="14.1.1"
 X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
-X509_HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"
+X509_GLUE_PATCH="openssh-${PV}-X509-glue-${X509_VER}.patch"
+X509_HPN_GLUE_PATCH="openssh-9.3_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"
 
-DESCRIPTION="Port of OpenBSD's free SSH release"
+DESCRIPTION="Port of OpenBSD's free SSH release with HPN/SCTP/X509 patches"
 HOMEPAGE="https://www.openssh.com/"
 SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
 	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
@@ -50,7 +51,7 @@ S="${WORKDIR}/${PARCH}"
 
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~amd64"
 # Probably want to drop ssl defaulting to on in a future version.
 IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
 
@@ -69,9 +70,7 @@ REQUIRED_USE="
 # tests currently fail with XMSS
 REQUIRED_USE+="test? ( !xmss )"
 
-# Blocker on older gcc-config for bug #872416
 LIB_DEPEND="
-	!<sys-devel/gcc-config-2.6
 	audit? ( sys-process/audit[static-libs(+)] )
 	ldns? (
 		net-libs/ldns[static-libs(+)]
@@ -86,6 +85,7 @@ LIB_DEPEND="
 	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
 "
 RDEPEND="
+	!net-misc/openssh
 	acct-group/sshd
 	acct-user/sshd
 	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
@@ -116,15 +116,15 @@ BDEPEND="
 "
 
 PATCHES=(
-	"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
-	"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
-	"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
-	"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
-	"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
-	"${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
-	"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
-	"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
-	"${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch"
+	"${FILESDIR}/openssh-7.9_p1-include-stdlib.patch"
+	"${FILESDIR}/openssh-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
+	"${FILESDIR}/openssh-6.7_p1-openssl-ignore-status.patch"
+	"${FILESDIR}/openssh-7.5_p1-disable-conch-interop-tests.patch"
+	"${FILESDIR}/openssh-8.0_p1-fix-putty-tests.patch"
+	"${FILESDIR}/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
+	"${FILESDIR}/openssh-8.9_p1-allow-ppoll_time64.patch" #834019
+	"${FILESDIR}/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
+	"${FILESDIR}/openssh-9.3_p1-openssl-version-compat-check.patch"
 )
 
 pkg_pretend() {
@@ -177,7 +177,7 @@ src_prepare() {
 		popd &>/dev/null || die
 
 		eapply "${WORKDIR}"/${X509_PATCH%.*}
-		eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
+		eapply "${FILESDIR}/openssh-9.0_p1-X509-uninitialized-delay.patch"
 
 		# We need to patch package version or any X.509 sshd will reject our ssh client
 		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
@@ -210,13 +210,13 @@ src_prepare() {
 	fi
 
 	if use hpn ; then
-		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+		local hpn_patchdir="${T}/openssh-${PV}-hpn${HPN_VER}"
 		mkdir "${hpn_patchdir}" || die
 		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
 		pushd "${hpn_patchdir}" &>/dev/null || die
 		eapply "${WORKDIR}/${HPN_GLUE_PATCH}"
 		use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}"
-		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
+		use sctp && eapply "${FILESDIR}"/openssh-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
 		popd &>/dev/null || die
 
 		eapply "${hpn_patchdir}"
@@ -235,6 +235,8 @@ src_prepare() {
 		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
 
 		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+			# Before re-enabling, check https://bugs.gentoo.org/354113#c6
+			# and be sure to have tested it.
 			einfo "Disabling known non-working MT AES cipher per default ..."
 
 			cat > "${T}"/disable_mtaes.conf <<- EOF
@@ -283,11 +285,6 @@ src_prepare() {
 		-e 's:-D_FORTIFY_SOURCE=2::'
 	)
 
-	# The -ftrapv flag ICEs on hppa #505182
-	use hppa && sed_args+=(
-		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
-	)
 	# _XOPEN_SOURCE causes header conflicts on Solaris
 	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
 		-e 's/-D_XOPEN_SOURCE//'
@@ -380,39 +377,55 @@ tweak_ssh_configs() {
 		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
 	)
 
-	# First the server config.
-	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+	dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die
+	Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die
+	Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
+	EOF
 
-	# Allow client to pass locale environment variables. #367017
-	AcceptEnv ${locale_vars[*]}
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
+	# Send locale environment variables (bug #367017)
+	SendEnv ${locale_vars[*]}
 
-	# Allow client to pass COLORTERM to match TERM. #658540
-	AcceptEnv COLORTERM
+	# Send COLORTERM to match TERM (bug #658540)
+	SendEnv COLORTERM
+	EOF
+
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
+	RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
 	EOF
 
-	# Then the client config.
-	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die
+	# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
+	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+	EOF
 
-	# Send locale environment variables. #367017
-	SendEnv ${locale_vars[*]}
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
+	# Allow client to pass locale environment variables (bug #367017)
+	AcceptEnv ${locale_vars[*]}
 
-	# Send COLORTERM to match TERM. #658540
-	SendEnv COLORTERM
+	# Allow client to pass COLORTERM to match TERM (bug #658540)
+	AcceptEnv COLORTERM
 	EOF
 
 	if use pam ; then
-		sed -i \
-			-e "/^#UsePAM /s:.*:UsePAM yes:" \
-			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED}"/etc/ssh/sshd_config || die
+		cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
+		UsePAM yes
+		# This interferes with PAM.
+		PasswordAuthentication no
+		# PAM can do its own handling of MOTD.
+		PrintMotd no
+		PrintLastLog no
+		EOF
 	fi
 
 	if use livecd ; then
-		sed -i \
-			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED}"/etc/ssh/sshd_config || die
+		cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
+		# Allow root login with password on livecds.
+		PermitRootLogin Yes
+		EOF
 	fi
 }
 
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 680eb4cd062e..6f31cfab6a73 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,10 +1,2 @@
-DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
-DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
-DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
-DIST openssh-9.3_p1-X509-glue-14.1.1.patch.xz 936 BLAKE2B f1716ff7801a27aa2aad06f1cca2ca6988eef65fb0ddcbde483e5c9205506ca40b658f5c8c40b2625afb38ff9b56e40831eadcf751c8ee1c11f69ec559f3c147 SHA512 dace01bcf22b625cd00e18ce019b0be31b6f47f714845f3ebb98ebee41b4db0a769fa09cab63ea17536a7106ec90f2b15f87696ae49fa6f6e31bad94ae09719d
-DIST openssh-9.3_p1-hpn-15.2-X509-14.1.1-glue.patch.xz 6224 BLAKE2B 47c7054648e8d795b0d9e563d8313242c917df8a3620a60cff2d77f9ae8482cec861244e0f1433f711922f0704b775b7183284960a3baa48a27b99979ad7ffa3 SHA512 728cf2586bcc9480afe71b5106e2286b925857a9e04dce79f744b36cbe3ec2844ac5b4a6bd4b64117f32ad1b04c0943b9d6f935eee826202871588ed9a167387
-DIST openssh-9.3_p1-hpn-15.2-glue.patch.xz 5044 BLAKE2B 73205bd8f702612df7cb6f29e8b353df854428974dc20d5938033157da64418317f326ab8118893dc47173cd871dc7654a3e3ed601289744560becc98729cd3f SHA512 343b77109158b9af5d8d57f4ac7968bce8277fa3b4dcaa19b76593620fbddbfa832bd76c0da52e12179fe5f391f9fef67e7af51b138ab8cc69a8a6471b6a3909
-DIST openssh-9.3p1+x509-14.1.1.diff.gz 1221335 BLAKE2B 9203fbb6955fe44ebd7ed031245a90b8df7e149a6ad3205097ffd5d2d7655a0e6b8cd2e20d7f7216fbc6d3e8bd0a1453f3fc028f04e96c0f244ad0772a0e30ab SHA512 8a1036d680d25f99e1a24ea77a2c303e807c0f5c5323043684da9fcc9ff603f80384688935a654cc97216f84f85f00f590dc35d2ee2b1f0fb169f8b427559b2d
-DIST openssh-9.3p1-sctp-1.2.patch.xz 6836 BLAKE2B d12394ecaa7eca6e0b3590cea83b71537edc3230bc5f7b2992a06a67c77247cc4156be0ba151038a5baee1c3f105f76f1917cc5aad08d1aadadfd6e56858781b SHA512 ba5af014e5b825bf4a57368416a15c6e56afd355780e4c5eab44a396c3f4276ac4d813c5c15b83f3b8edf4763855221743796c038433b292fda9417f0b274a71
 DIST openssh-9.3p1.tar.gz 1856839 BLAKE2B 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d SHA512 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19
 DIST openssh-9.3p1.tar.gz.asc 833 BLAKE2B e6533d64b117a400b76b90f71fa856d352dea57d91e4e89fa375429403ac0734cc0a2f075bc58c6bb4f40a8f9776735aa36bdb0bbf3880a2115cea787633e48b SHA512 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
index 0ed696c82ad6..da1b4330c4d7 100644
--- a/net-misc/openssh/metadata.xml
+++ b/net-misc/openssh/metadata.xml
@@ -20,17 +20,14 @@
 		ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
 	</longdescription>
 	<use>
-		<flag name="hpn">Enable high performance ssh</flag>
 		<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
 		<flag name="livecd">Enable root password logins for live-cd environment.</flag>
 		<flag name="security-key">Include builtin U2F/FIDO support</flag>
 		<flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
-		<flag name="X509">Adds support for X.509 certificate authentication</flag>
 		<flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
 	</use>
 	<upstream>
 		<remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
 		<remote-id type="github">openssh/openssh-portable</remote-id>
-		<remote-id type="sourceforge">hpnssh</remote-id>
 	</upstream>
 </pkgmetadata>
diff --git a/net-misc/openssh/openssh-9.3_p1-r1.ebuild b/net-misc/openssh/openssh-9.3_p1-r1.ebuild
new file mode 100644
index 000000000000..ea2cc9a83d0c
--- /dev/null
+++ b/net-misc/openssh/openssh-9.3_p1-r1.ebuild
@@ -0,0 +1,381 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="
+	mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
+S="${WORKDIR}/${PARCH}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X xmss"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="
+	ldns? ( ssl )
+	pie? ( !static )
+	static? ( !kerberos !pam )
+	xmss? ( ssl  )
+	test? ( ssl )
+"
+
+# tests currently fail with XMSS
+REQUIRED_USE+="test? ( !xmss )"
+
+LIB_DEPEND="
+	audit? ( sys-process/audit[static-libs(+)] )
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		net-libs/ldns[ecdsa(+),ssl(+)]
+	)
+	libedit? ( dev-libs/libedit:=[static-libs(+)] )
+	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
+	virtual/libcrypt:=[static-libs(+)]
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
+RDEPEND="
+	acct-group/sshd
+	acct-user/sshd
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( sys-libs/pam )
+	kerberos? ( virtual/krb5 )
+"
+DEPEND="${RDEPEND}
+	virtual/os-headers
+	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
+	static? ( ${LIB_DEPEND} )
+"
+RDEPEND="${RDEPEND}
+	!net-misc/openssh-contrib
+	pam? ( >=sys-auth/pambase-20081028 )
+	!prefix? ( sys-apps/shadow )
+	X? ( x11-apps/xauth )
+"
+# Weird dep construct for newer gcc-config for bug #872416
+BDEPEND="
+	sys-devel/autoconf
+	virtual/pkgconfig
+	|| (
+		>=sys-devel/gcc-config-2.6
+		>=sys-devel/clang-toolchain-symlinks-14-r1:14
+		>=sys-devel/clang-toolchain-symlinks-15-r1:15
+		>=sys-devel/clang-toolchain-symlinks-16-r1:*
+	)
+	verify-sig? ( sec-keys/openpgp-keys-openssh )
+"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
+	"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
+	"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
+	"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
+	"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
+	"${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
+	"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
+	"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
+	"${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch"
+)
+
+pkg_pretend() {
+	local i enabled_eol_flags disabled_eol_flags
+	for i in hpn sctp X509; do
+		if has_version "net-misc/openssh[${i}]"; then
+			enabled_eol_flags+="${i},"
+			disabled_eol_flags+="-${i},"
+		fi
+	done
+
+	if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then
+		ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore."
+		ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality,"
+		ewarn "since these USE flags required third-party patches that often trigger bugs"
+		ewarn "and are of questionable provenance."
+		ewarn
+		ewarn "If you must continue relying on this functionality, switch to"
+		ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your"
+		ewarn "world file first: 'emerge --deselect net-misc/openssh'"
+		ewarn
+		ewarn "In order to prevent loss of SSH remote login access, we will abort the build."
+		ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib"
+		ewarn "variant, when re-emerging you will have to set"
+		ewarn
+		ewarn "  OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
+
+		die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
+	fi
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	eapply -- "${PATCHES[@]}"
+
+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+	eapply_user #473004
+
+	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
+	sed -e '/\t\tpercent \\/ d' \
+		-i regress/Makefile || die
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+
+	# _XOPEN_SOURCE causes header conflicts on Solaris
+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+		-e 's/-D_XOPEN_SOURCE//'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+	use xmss && append-cflags -DWITH_XMSS
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
+		# doesn't check for this, so force the replacement to be put in
+		# place
+		append-cppflags -DBROKEN_GLOB
+	fi
+
+	# use replacement, RPF_ECHO_ON doesn't exist here
+	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with audit audit linux)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with selinux)
+		$(use_with security-key security-key-builtin)
+		$(use_with ssl openssl)
+		$(use_with ssl ssl-engine)
+		$(use_with !elibc_Cygwin hardening) #659210
+	)
+
+	if use elibc_musl; then
+		# musl defines bogus values for UTMP_FILE and WTMP_FILE
+		# https://bugs.gentoo.org/753230
+		myconf+=( --disable-utmp --disable-wtmp )
+	fi
+
+	# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
+	# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
+	tc-is-clang && myconf+=( --without-hardening )
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local tests=( compat-tests )
+	local shell=$(egetshell "${UID}")
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+		ewarn "user, so we will run a subset only."
+		tests+=( interop-tests )
+	else
+		tests+=( tests )
+	fi
+
+	local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
+	mkdir -p "${HOME}"/.ssh || die
+	emake -j1 "${tests[@]}" </dev/null
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+	local locale_vars=(
+		# These are language variables that POSIX defines.
+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+		# These are the GNU extensions.
+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+	)
+
+	dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die
+	Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die
+	Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
+	EOF
+
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
+	# Send locale environment variables (bug #367017)
+	SendEnv ${locale_vars[*]}
+
+	# Send COLORTERM to match TERM (bug #658540)
+	SendEnv COLORTERM
+	EOF
+
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
+	RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
+	EOF
+
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die
+	# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
+	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+	EOF
+
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
+	# Allow client to pass locale environment variables (bug #367017)
+	AcceptEnv ${locale_vars[*]}
+
+	# Allow client to pass COLORTERM to match TERM (bug #658540)
+	AcceptEnv COLORTERM
+	EOF
+
+	if use pam ; then
+		cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
+		UsePAM yes
+		# This interferes with PAM.
+		PasswordAuthentication no
+		# PAM can do its own handling of MOTD.
+		PrintMotd no
+		PrintLastLog no
+		EOF
+	fi
+
+	if use livecd ; then
+		cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
+		# Allow root login with password on livecds.
+		PermitRootLogin Yes
+		EOF
+	fi
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd-r1.initd sshd
+	newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+	if use pam; then
+		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	fi
+
+	tweak_ssh_configs
+
+	doman contrib/ssh-copy-id.1
+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+	rmdir "${ED}"/var/empty || die
+
+	systemd_dounit "${FILESDIR}"/sshd.socket
+	systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service
+	systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
+}
+
+pkg_preinst() {
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+		show_ssl_warning=1
+	fi
+}
+
+pkg_postinst() {
+	local old_ver
+	for old_ver in ${REPLACING_VERSIONS}; do
+		if ver_test "${old_ver}" -lt "5.8_p1"; then
+			elog "Starting with openssh-5.8p1, the server will default to a newer key"
+			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+		fi
+		if ver_test "${old_ver}" -lt "7.0_p1"; then
+			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+			elog "Make sure to update any configs that you might have.  Note that xinetd might"
+			elog "be an alternative for you as it supports USE=tcpd."
+		fi
+		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+			elog "adding to your sshd_config or ~/.ssh/config files:"
+			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+			elog "You should however generate new keys using rsa or ed25519."
+
+			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+			elog "out of the box.  If you need this, please update your sshd_config explicitly."
+		fi
+		if ver_test "${old_ver}" -lt "7.6_p1"; then
+			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+		fi
+		if ver_test "${old_ver}" -lt "7.7_p1"; then
+			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+			elog "if you need to authenticate against LDAP."
+			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+		fi
+		if ver_test "${old_ver}" -lt "8.2_p1"; then
+			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+			ewarn "connection is generally safe."
+		fi
+		if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then
+			ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
+			ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
+			ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
+			ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
+			ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
+			ewarn "set 'Restart=no' in your sshd unit file."
+		fi
+	done
+
+	if [[ -n ${show_ssl_warning} ]]; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+}
diff --git a/net-misc/pssh/pssh-2.3.4-r2.ebuild b/net-misc/pssh/pssh-2.3.4-r3.ebuild
index 68c5f74fd4b4..7992ab01da29 100644
--- a/net-misc/pssh/pssh-2.3.4-r2.ebuild
+++ b/net-misc/pssh/pssh-2.3.4-r3.ebuild
@@ -18,7 +18,7 @@ KEYWORDS="~amd64 ~ppc ~x86 ~amd64-linux ~x86-linux"
 
 RDEPEND="
 	!net-misc/putty
-	net-misc/openssh
+	virtual/openssh
 "
 DEPEND="${RDEPEND}"
 
diff --git a/net-misc/scponly/scponly-4.8-r7.ebuild b/net-misc/scponly/scponly-4.8-r8.ebuild
index db5e7ae99a4f..7a1600c22c27 100644
--- a/net-misc/scponly/scponly-4.8-r7.ebuild
+++ b/net-misc/scponly/scponly-4.8-r8.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -19,7 +19,7 @@ REQUIRED_USE="
 
 RDEPEND="
 	sys-apps/sed
-	net-misc/openssh
+	virtual/openssh
 	chroot? ( acct-user/scponly acct-group/scponly )
 	quota? ( sys-fs/quota )
 	rsync? ( net-misc/rsync )
diff --git a/net-misc/sshpass/sshpass-1.09.ebuild b/net-misc/sshpass/sshpass-1.09-r1.ebuild
index 96550de1476d..d9bb7d1c42f9 100644
--- a/net-misc/sshpass/sshpass-1.09.ebuild
+++ b/net-misc/sshpass/sshpass-1.09-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -11,4 +11,4 @@ LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="amd64 ~arm arm64 ~ppc64 ~riscv x86 ~x64-macos"
 
-RDEPEND="net-misc/openssh"
+RDEPEND="virtual/openssh"
diff --git a/net-misc/x2goserver/x2goserver-4.1.0.3-r1.ebuild b/net-misc/x2goserver/x2goserver-4.1.0.3-r2.ebuild
index 78bc8c8e9fb2..9fefa7ac2dc3 100644
--- a/net-misc/x2goserver/x2goserver-4.1.0.3-r1.ebuild
+++ b/net-misc/x2goserver/x2goserver-4.1.0.3-r2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -30,8 +30,8 @@ RDEPEND="acct-user/x2gouser
 	media-fonts/font-cursor-misc
 	media-fonts/font-misc-misc[nls]
 	>=net-misc/nx-3.5.99.14
-	net-misc/openssh
 	>=sys-apps/iproute2-4.3.0
+	virtual/openssh
 	x11-apps/xauth
 	x11-apps/xhost
 	x11-apps/xwininfo
diff --git a/net-misc/zssh/zssh-1.5c-r1.ebuild b/net-misc/zssh/zssh-1.5c-r2.ebuild
index 8f469edf927c..e63204a2c9bb 100644
--- a/net-misc/zssh/zssh-1.5c-r1.ebuild
+++ b/net-misc/zssh/zssh-1.5c-r2.ebuild
@@ -19,8 +19,8 @@ DEPEND="readline? (
 		sys-libs/readline:0
 	)"
 RDEPEND="${DEPEND}
-	net-misc/openssh
-	net-dialup/lrzsz"
+	net-dialup/lrzsz
+	virtual/openssh"
 
 src_prepare() {
 	eapply "${FILESDIR}/${PN}-1.5a-gentoo-include.diff"
diff --git a/net-print/sshlpr/sshlpr-1.ebuild b/net-print/sshlpr/sshlpr-1-r1.ebuild
index 1c32c9003523..99cf50d6b50f 100644
--- a/net-print/sshlpr/sshlpr-1.ebuild
+++ b/net-print/sshlpr/sshlpr-1-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2019 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -14,8 +14,8 @@ IUSE=""
 
 DEPEND="net-print/cups"
 RDEPEND="${DEPEND}
-	net-misc/openssh
-	sys-apps/shadow"
+	sys-apps/shadow
+	virtual/openssh"
 
 S="${WORKDIR}"
 
diff --git a/profiles/arch/sparc/package.use.mask b/profiles/arch/sparc/package.use.mask
index bcddd722f560..225bf789fd09 100644
--- a/profiles/arch/sparc/package.use.mask
+++ b/profiles/arch/sparc/package.use.mask
@@ -513,10 +513,6 @@ net-misc/modemmanager mbim
 # Missing keywords, bug #495250
 >=gnome-base/gnome-extra-apps-3.10 tracker
 
-# Raúl Porcel <armin76@gentoo.org> (2014-02-01)
-# Sigbuses
-net-misc/openssh hpn
-
 # Pacho Ramos <pacho@gentoo.org> (2014-01-19)
 # Missing keywords, bug #478254
 gnome-base/gnome classic extras
diff --git a/sys-auth/pam_ssh/pam_ssh-2.3.ebuild b/sys-auth/pam_ssh/pam_ssh-2.3-r1.ebuild
index 8279f8738cc1..d18636bda0c4 100644
--- a/sys-auth/pam_ssh/pam_ssh-2.3.ebuild
+++ b/sys-auth/pam_ssh/pam_ssh-2.3-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -18,7 +18,7 @@ DEPEND="sys-libs/pam
 	dev-libs/openssl:0="
 
 RDEPEND="${DEPEND}
-	net-misc/openssh"
+	virtual/openssh"
 
 PATCHES=(
 	# 503424#c5
diff --git a/sys-cluster/torque/torque-6.0.4-r2.ebuild b/sys-cluster/torque/torque-6.0.4-r4.ebuild
index b4fd6981da11..00bf710749ed 100644
--- a/sys-cluster/torque/torque-6.0.4-r2.ebuild
+++ b/sys-cluster/torque/torque-6.0.4-r4.ebuild
@@ -38,7 +38,7 @@ DEPEND="${DEPEND_COMMON}
 	!!sys-cluster/slurm"
 
 RDEPEND="${DEPEND_COMMON}
-	crypt? ( net-misc/openssh )
+	crypt? ( virtual/openssh )
 	!crypt? ( net-misc/netkit-rsh )
 	!dev-libs/uthash"
 
diff --git a/sys-cluster/torque/torque-6.0.4-r3.ebuild b/sys-cluster/torque/torque-6.0.4-r5.ebuild
index 268b518c340b..4148d1591d59 100644
--- a/sys-cluster/torque/torque-6.0.4-r3.ebuild
+++ b/sys-cluster/torque/torque-6.0.4-r5.ebuild
@@ -44,7 +44,7 @@ DEPEND="
 
 RDEPEND="
 	${DEPEND_COMMON}
-	crypt? ( net-misc/openssh )
+	crypt? ( virtual/openssh )
 	!crypt? ( net-misc/netkit-rsh )
 	!dev-libs/uthash
 "
diff --git a/sys-cluster/vzctl/vzctl-4.9.4.ebuild b/sys-cluster/vzctl/vzctl-4.9.4-r1.ebuild
index fc75cfa78c5f..78cbf1b65933 100644
--- a/sys-cluster/vzctl/vzctl-4.9.4.ebuild
+++ b/sys-cluster/vzctl/vzctl-4.9.4-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -30,11 +30,11 @@ RDEPEND="
 		sys-fs/quota
 	)
 	vzmigrate? (
+		app-alternatives/awk
 		app-arch/tar[xattr,acl]
-		net-misc/openssh
 		net-misc/rsync[xattr,acl]
 		net-misc/bridge-utils
-		app-alternatives/awk
+		virtual/openssh
 	)
 "
 DEPEND="${RDEPEND}"
diff --git a/sys-fabric/opensm/opensm-3.3.23-r1.ebuild b/sys-fabric/opensm/opensm-3.3.23-r2.ebuild
index b42297aa7112..b1d5ad37ce8b 100644
--- a/sys-fabric/opensm/opensm-3.3.23-r1.ebuild
+++ b/sys-fabric/opensm/opensm-3.3.23-r2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
@@ -19,7 +19,7 @@ RDEPEND="${DEPEND}
 	selinux? ( sec-policy/selinux-opensm )
 	 tools? (
 		net-misc/iputils
-		net-misc/openssh
+		virtual/openssh
 	)"
 
 PATCHES=( "${FILESDIR}/${PN}-3.3.17-sldd.patch" )
diff --git a/sys-fabric/opensm/opensm-3.3.24.ebuild b/sys-fabric/opensm/opensm-3.3.24-r1.ebuild
index b4f1a52cb72b..3f0563f02f42 100644
--- a/sys-fabric/opensm/opensm-3.3.24.ebuild
+++ b/sys-fabric/opensm/opensm-3.3.24-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -19,7 +19,7 @@ RDEPEND="${DEPEND}
 	selinux? ( sec-policy/selinux-opensm )
 	 tools? (
 		net-misc/iputils
-		net-misc/openssh
+		virtual/openssh
 	)"
 
 PATCHES=( "${FILESDIR}"/${PN}-3.3.17-sldd.patch )
diff --git a/sys-kernel/dracut/dracut-057-r3.ebuild b/sys-kernel/dracut/dracut-057-r3.ebuild
index ce124a2b0cc8..f226bb26ec13 100644
--- a/sys-kernel/dracut/dracut-057-r3.ebuild
+++ b/sys-kernel/dracut/dracut-057-r3.ebuild
@@ -167,7 +167,7 @@ pkg_postinst() {
 	optfeature "Support NFS" net-fs/nfs-utils net-nds/rpcbind
 	optfeature \
 		"Install ssh and scp along with config files and specified keys" \
-		net-misc/openssh
+		virtual/openssh
 	optfeature "Enable logging with rsyslog" app-admin/rsyslog
 	optfeature \
 		"Enable rngd service to help generating entropy early during boot" \
diff --git a/sys-kernel/dracut/dracut-059.ebuild b/sys-kernel/dracut/dracut-059.ebuild
index 0701c7f85ce2..20f297121ad8 100644
--- a/sys-kernel/dracut/dracut-059.ebuild
+++ b/sys-kernel/dracut/dracut-059.ebuild
@@ -165,7 +165,7 @@ pkg_postinst() {
 	optfeature "Support NFS" net-fs/nfs-utils net-nds/rpcbind
 	optfeature \
 		"Install ssh and scp along with config files and specified keys" \
-		net-misc/openssh
+		virtual/openssh
 	optfeature "Enable logging with rsyslog" app-admin/rsyslog
 	optfeature \
 		"Enable rngd service to help generating entropy early during boot" \
diff --git a/sys-kernel/dracut/dracut-9999.ebuild b/sys-kernel/dracut/dracut-9999.ebuild
index d4f709bbb570..9e7be111f192 100644
--- a/sys-kernel/dracut/dracut-9999.ebuild
+++ b/sys-kernel/dracut/dracut-9999.ebuild
@@ -165,7 +165,7 @@ pkg_postinst() {
 	optfeature "Support NFS" net-fs/nfs-utils net-nds/rpcbind
 	optfeature \
 		"Install ssh and scp along with config files and specified keys" \
-		net-misc/openssh
+		virtual/openssh
 	optfeature "Enable logging with rsyslog" app-admin/rsyslog
 	optfeature \
 		"Enable rngd service to help generating entropy early during boot" \
diff --git a/virtual/openssh/metadata.xml b/virtual/openssh/metadata.xml
new file mode 100644
index 000000000000..de9d78424186
--- /dev/null
+++ b/virtual/openssh/metadata.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="project">
+		<email>base-system@gentoo.org</email>
+		<name>Gentoo Base System</name>
+	</maintainer>
+	<stabilize-allarches/>
+</pkgmetadata>
diff --git a/virtual/openssh/openssh-0.ebuild b/virtual/openssh/openssh-0.ebuild
new file mode 100644
index 000000000000..c1d8760ec113
--- /dev/null
+++ b/virtual/openssh/openssh-0.ebuild
@@ -0,0 +1,16 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="Virtual for net-misc/openssh and variants"
+
+SLOT="0"
+KEYWORDS="amd64 arm arm64 hppa ~ia64 ~loong ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="ssl"
+
+RDEPEND="
+	|| (
+		>=net-misc/openssh-9.3_p1-r1[ssl?]
+		>=net-misc/openssh-contrib-9.3_p1[ssl?]
+	)"
diff --git a/virtual/ssh/ssh-0-r1.ebuild b/virtual/ssh/ssh-0-r2.ebuild
index 1418327c32cd..f7f5c30c5beb 100644
--- a/virtual/ssh/ssh-0-r1.ebuild
+++ b/virtual/ssh/ssh-0-r2.ebuild
@@ -11,8 +11,8 @@ IUSE="minimal"
 
 RDEPEND="
 	minimal? (
-		|| ( net-misc/dropbear net-misc/openssh )
+		|| ( net-misc/dropbear virtual/openssh )
 	)
 	!minimal? (
-		|| ( net-misc/openssh net-misc/dropbear )
+		|| ( virtual/openssh net-misc/dropbear )
 	)"