authorStuart Shelton <stuart@shelton.me>2015-08-02 00:47:52 +0100
committerStuart Shelton <stuart@shelton.me>2015-08-02 00:47:52 +0100
commit1c354a76a03e991c9f4f5e136bbe25ab11ee7a9e (patch)
tree642daa7726a47ac3640e805d6f07065d564a99f9 /net-misc/openssh
parentAdd sys-fs/mdadm-3.3.3 (diff)
Update net-misc/openssh-6.9_p1-r2 to select valid sandbox on x32, (temporarily) restore net-misc/openssh-6.6_p1-r1 as last stock ebuild still working on x32, remove stale ebuilds
Diffstat (limited to 'net-misc/openssh')
-rw-r--r--net-misc/openssh/Manifest38
-rw-r--r--net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch (renamed from net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch)52
-rw-r--r--net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch114
-rw-r--r--net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch17
-rw-r--r--net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch (renamed from net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch)9
-rw-r--r--net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch26
-rw-r--r--net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch42
-rw-r--r--net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch46
-rw-r--r--net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch11
-rw-r--r--net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch40
-rw-r--r--net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch162
-rw-r--r--net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch15
-rw-r--r--net-misc/openssh/files/openssh-6.8_p1-teraterm.patch69
-rw-r--r--net-misc/openssh/files/openssh-6.9_p1-libseccomp.patch244
-rw-r--r--net-misc/openssh/files/sshd.confd7
-rwxr-xr-xnet-misc/openssh/files/sshd.rc6.44
-rw-r--r--net-misc/openssh/openssh-6.6_p1-r1.ebuild (renamed from net-misc/openssh/openssh-6.7_p1-r4.ebuild)91
-rw-r--r--net-misc/openssh/openssh-6.8_p1-r5.ebuild332
-rw-r--r--net-misc/openssh/openssh-6.9_p1-r1.ebuild323
-rw-r--r--net-misc/openssh/openssh-6.9_p1-r2.ebuild18
20 files changed, 515 insertions, 1145 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 7d1b58c9..7b6bd861 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,40 +1,28 @@
AUX openssh-4.7_p1-GSSAPI-dns.patch 4494 SHA256 88a08f349258d4be5b2faa838a89fe1aa0196502990b745ac0e3a70dda30a0d7 SHA512 4d00a9ed79f66b92502c3e5ee580523f63d7b3643fe1bd330ff97994acce527d4d285d38199cef66eddc0ef68afabf7b268abc60cba871bac5d2e99045d4ac11 WHIRLPOOL 2f118fd2f016c529dbc31e8f2b6b418931e6770ab02c28b7feeaba93e84e7fcd1c742f4420a43a9fec0bdfaa4d4bc7cf14fb860c0a56c68a30e7b136fb60bcdb
+AUX openssh-5.9_p1-sshd-gssapi-multihomed.patch 6622 SHA256 f5ae8419023d9e5f64c4273e43d60664d0079b5888ed999496038f295852e0ae SHA512 ffa45e97e585c8624792e039e7571b2bb5f38e4554de8bfc1d532f3348fa4a712ea1b6ca054e6a59ed1321a15cf1a9d3bdf3f399cec315346db89bae77abf57d WHIRLPOOL cc4871e3fb91a8075a13b5e49d7d3e0e83106bae0820ae3cf19d3427aad3d701b8f25b2cc2cc881a6315f8e5114fb82da9ca335acccb24afe221d66574fb7685
AUX openssh-6.3_p1-x509-hpn14v2-glue.patch 1451 SHA256 d7179b3c16edd065977aaf56a410e2b9b237206fb619474f312972b430b73c8d SHA512 02577e3f718ff994bb4e962189f17048b4c03104d0a1981683f3c6a1d6d30701db368e132102c8396da2c0f5eb2f6602b26f32f74d19382af34bd9a93fc508f3 WHIRLPOOL b7d224d71634f380bd31b3a1dd3e588a29582255f717a6a308738ad58b485b693d827a53704479995ec2ebca53c9dc9b2113d8de52a1336b67ce83943f946b77
-AUX openssh-6.6.1_p1-x509-glue.patch 635 SHA256 381794bdfc4880da4411041ab1f795cba303644b0a35e88f0f452fca8c2bfbb8 SHA512 6d3adefc5449f812052221b69c588f9948e6116dd5c5644db4e0426264f06fd9a15f04364c2484ce03267f4a84b8806de7d7a7c9140538d73be9e7b50f4eeb47 WHIRLPOOL 823249e96f7175eef09f86dbcc67f6158c23f453eaa940a33c18a838389204cd3a43f5dccd39b6004e05cb05ea327d33be91c2ee1eb4525f13dc29e6943ea6b6
+AUX openssh-6.5_p1-hpn-cipher-align.patch 3024 SHA256 c79e3a201b2150e2fbc1e869233bac6acc27b2b126d4539cc09aa651fb2e60af SHA512 6efc2fa5f0e9b508e162bf20ab21d2c639888250387fa58ec0d812c7b1db125d8c654a0286a8ffc0d5530e5f0ec0ed723f3a5c0b7bd593b356aee2e811a1f4ec WHIRLPOOL 729c14b8d6f55d789ae2ea0e9cb2e0a4caba62dffced273de5c7254732e94673c1dc2d9e260d56e3a641e03ebab55d61c8ab7541fbf75957855b811def115677
+AUX openssh-6.6_p1-openssl-ignore-status.patch 741 SHA256 604b0a5365c1b01c9ab26bf1a60acfe43246e1e44e2f0e78d7ec1e47856599e4 SHA512 578afe9ddb836d16d90eb8b0cf10e9282d9c5c5e639962034490cec0aab1bf98cae9b46fe7850446d0cdd93e848d98ca7ed0bdf2bfec6aad418f4c962d4ea08d WHIRLPOOL d30c079eee59281aa87935ad948c59a4c01f858b88d701575d58737cfe555a5229a5f921bfebe34a69dcd15d2dc5efc062050d183ad5a90180aed4e5b3cdadf4
+AUX openssh-6.6_p1-x509-glue.patch 556 SHA256 b37b83b058ff9fb25742d202e0169afc204f135012624bb2811dcacfa9fb346b SHA512 e9535477fe4b0232d2a06edb9f73d8c50baa77ddcffd166624ea8352f298ad119622347c62c1d1e555318e9e6c7d981d2e9b03c388281b6347943861e8813aea WHIRLPOOL 4f01d975e598ce0fe2160e52dbd8251fd5cdf95880d1ef09b730457620f48038156d4bf21c0810978bfc65c9feb90cdfed97aa20018bc175759096dcd3a044d0
+AUX openssh-6.6_p1-x509-hpn14v4-glue-p2.patch 999 SHA256 748f7caa953028da111d6f18ba91652a4821bc9bca60f5d4a90a6501c0098853 SHA512 d1b3790fc164c803e81c803b9e19e0bc351d2b9f353edb1d3531139898b372731b46fab5974a084830b2bab889b06fa33ce23b7d941f7d61da073c1bbfc5ff51 WHIRLPOOL c1d674b8e1cdc48dd0d8b2e7c8bf8e68cec757578f1217555e37eda8723e83e93b2ce183462499ad2165723eca2350544f810a1d6ec95ce4537a527f7918f117
AUX openssh-6.7_p1-openssl-ignore-status.patch 765 SHA256 b068cc30d4bce5c457cea78233396c9793864ec909f810dd0be87d913673433a SHA512 ab15d6dfdb8d59946684501f6f30ac0eb82676855b7b57f19f2027a7ada072f9062fcb96911111a50cfc3838492faddd282db381ec83d22462644ccddccf0ae7 WHIRLPOOL c0a4ff69d65eeb40c1ace8d5be6f8e59044a8f16dc6b37e87393e79ab80935abf30a9d2a6babc043aba0477f5f79412e1ae5d373daba580178fd85ca1f60e60b
-AUX openssh-6.7_p1-sctp-x509-glue.patch 1326 SHA256 42eb87eda1685e19add23c1304f17dabd99a1a38a57bfe2bfbb70ab85f6d385e SHA512 7f014e2b1893a5240680e2e14475d61b9b6047d1be3fe404d5971a899c122cc624546e9e5b31bfee5905cf7b4605a0871c3b00ed5c2bd28d84755a49392e1a69 WHIRLPOOL 8d6888163068dbc486bc4eff0dd7d4053f68b9848347eb520dd7d382b0b8c74e3016f7f3ed401c2c2dfd48e73a9077fb9777d39c0f236cc500c53393be426b42
-AUX openssh-6.7_p1-sshd-gssapi-multihomed.patch 5489 SHA256 d2a1735b523709a4b4ceaa57862ecb21a95656678bacc5b7da59dc46187ad997 SHA512 a8b8d2c2ab4520c8c7315f6130ee44fec48935a129ce7c7e51a068a4de2c7528980437246b61e4abc4cff614466f8054c554cdbaad4eb0d1f4afcfb434c30bbc WHIRLPOOL e4b97398c324360576a04792357f66be3ed9f17e4113f75275f8422ee0b7ecf28073c7cde01a63e24fa0901b14db822d22d7d2c5936bbee3bd5874a867066967
-AUX openssh-6.7_p1-x509-glue.patch 1633 SHA256 58031e90e0bf220028934ab590af6ccfc45722629b2416df13d84f10c9b94478 SHA512 364ca0280be5cc83d1dedf7727323fd5fc0093c6dbcf9cc8ccaa30ee754b866584be28da1166953f03faf8745d6364e33fad7daad9be9a29681a8674eb9d292b WHIRLPOOL b79a6cff897be78793bbf2ca03154103aa1380647b8c53e104155fd68122568a8e7dea23996213b192e4269f980b1035d3ca395dbd2c318fd81a45f44d110c31
-AUX openssh-6.7_p1-xmalloc-include.patch 390 SHA256 ea43a6a211d8cae4a078b748736f43d4a9d11804ace65886dec826b878dec28e SHA512 b51d9149418217828bdc53c234e248f8be1703b480ccf808814d37cd2589bccdbecff0046d2f2d0e4626420d0d4c2e02d25a9cc07ae31b365cd0b848ccc02035 WHIRLPOOL 04b298eb481fef585b055eb3d706cca55ad6efed6168246f0031e5f614085ae5e70cbb77717047d6c70d7d13a6846657e4a0089d4b8cdf5d9d05652ee22f7209
AUX openssh-6.8_p1-sctp-x509-glue.patch 2937 SHA256 fe79e3e828f8599e7bad787c6e35bce5f6781a0875c56b250f0d7fde83e2f841 SHA512 776a4eab916ff64d255fb19dca26f0cb1cebb0a5d0c2dbcb40ecbf97b122fb20123532897fb962b27fae375c059ef0dc00c771bf47b67bd092a5ebb3f2252216 WHIRLPOOL c8126624b4be260f8fe40a4a9d7142b6f77ee15504e2d280c6429360ebbf53103974746d5746fe4b27edec6246f01afa1d921d1b5a2d46ae808e4bb41afbb181
-AUX openssh-6.8_p1-ssh-keygen-no-ssh1.patch 1209 SHA256 2ef08a14aab7d5c761670321ed6c66fb8e66c467625ce22448b2d1c020686b66 SHA512 1fae1c0b36b5e792861e83868d55de9e3df85270fda4aaf465c83e2deaf47045429f94c84d1abd270be4fc7519a42e3676839edda588322273e6ebd3ff37a570 WHIRLPOOL 93619f61208f86cc3857a5d2283343645614d7285b56f4585e073405e16c396272cb590e96225f09046de8fe918de5e1a81504385dda2ca3a0d467d0fdfde76f
-AUX openssh-6.8_p1-sshd-gssapi-multihomed.patch 5464 SHA256 5f3506f0d45c22de85cf170c7dfeff134a144ec94f9fc1c57c5b3b797ee82756 SHA512 7bfbf720af2728abb55f73b67609967f34da27fea9a9dd6e0293e486a03d7d1167f506623771792d782707bfe58b46c69675bb3c5ad83332b7a50ee748176fbc WHIRLPOOL 81432c4ba7e34d216d73f63945f3c8d52d9113c07fb1f7c3dd5b39ac96223d38d2321a6d6de21b58b29767576c2a779a5703fa2e5727cd3fe4981581e822155d
AUX openssh-6.8_p1-ssl-engine-configure.patch 883 SHA256 c25d219d8baea01bde40dce34378d4f185b83968debded0b2d4e2035f6467530 SHA512 ce8c3362af9dd9d95174b8248b0e9c08463e6fa18d3e83bf01687756c2df77607674a95acd2930ee85994aa186b5229d93e32662e13caae0b45980fddc00e65e WHIRLPOOL d7f285e3317ddd797222a4d584da385a14fa5c7316b8002faa1005ae5129cb580abc9a70189470c0ff5feb0368de4b0b171596d1aa3705556037084c8eff3d34
-AUX openssh-6.8_p1-teraterm-hpn-glue.patch 536 SHA256 846aa1a470e27767103c8c390a3ed9087aeaffc1d2bf8d4f5779af6274dfbbc9 SHA512 26ebfa3e0c39ed62fc9eb81a95e47d2543714f731f0b983d8d79ff2b0c19ab1b0bf8f7ba13f360ec633bd1ee219da9a6b2a0027c72766188beb3a380fd6c3224 WHIRLPOOL 34ac035a9c059d72e94ff3efab763c8a50749b9497c644c7b4685e22295d0c517daaf4bfaace73deeb2d003bea1e53fd84c94bd67c3b89d1c1f085ef845bf486
-AUX openssh-6.8_p1-teraterm.patch 1814 SHA256 e73e938524f15c4dc3368e7ba6b7d74ee2e83a7f0e97ed5460787d7caad04be1 SHA512 f39134d2257d86c5bf128754f8c1024057b9b1882984d5d70b86d2676d761b4a16681e76ae3f47f3abd23a07a75b6ebde6652431d9a86d5c3b9745c36577b8dc WHIRLPOOL c7d4dc5f2843fb6bc462d733a841b52599a9d49b344dc0a6fa71348624060736c02489130ae16692c5e1619200c954278df73a3f1020a77fe8712f99b329faaa
+AUX openssh-6.9_p1-libseccomp.patch 7876 SHA256 5b2456aa88c2f077605b13e70aadc435a9b4383836538a866343a3e707f4654f SHA512 9158a7754e6e70523168fb2d30979ca007cb5d9c4247e4da8aaf6ecca84d0b677e2794d68d9927e5b31ab778d5c1a0a5be4a92f61cee2ab79bc4c55eddf09c25 WHIRLPOOL b3eeea3652b238db26d89695c3709425da20ffe199d2b9f31a52b13c1afb89314334ccb8e4d311692f5d16f8185b7600d39bb1dca8aa9d30476fde47e8ee7183
AUX openssh-6.9_p1-x509-warnings.patch 904 SHA256 6a52292b024704c7793188a0fc066336ec5cc7c8297071b2993618a332292c00 SHA512 11ea56ce2a7b87d046d1458e30947dd7f09c8959197e7fbadb57aec46fbd6a0694a2bd05b69978b1f719da2560f19e14d9ea10f6eca6f5b211f335505edd8c2b WHIRLPOOL 22dc4e2144534e180075e90ffe240a07bbd915b27a150e07f0d75889ad7a9103f8d1e5d477320df2b0f40e18d8c33fd99ad3cde7695557b69014318f219dc8dd
-AUX sshd.confd 396 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 SHA512 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 WHIRLPOOL 69f43e6192e009a4663d130f7e40ee8b13c6eb9cc7d960b5e0e22f5d477649c88806a9d219efef211f4346582c2bb51e40d230a8191e5953dbe08bfff976ae53
+AUX sshd.confd 389 SHA256 761146acca3bc9914f118416d5c40903169fec0e2cc0695543e88c850a50dc17 SHA512 b17f915b17401a8f8f53e098d29baf729df6635ef10945f125bbd1d0fff2a334be4d778c430aaa84e7c188da74e39b47a85703b2c91b1a51410b0f1f57ebc4fd WHIRLPOOL 0e3b88adbc09ca015463412ef71f17b762b6e16eed77b5e55d32fc296a7305533ce27d50ceb84f3531a3566f3c4251ee14cdcc63978a4df02c554db685ac9008
AUX sshd.pam_include.2 156 SHA256 166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c WHIRLPOOL ba7a0a8c3bb39c5fda69de34b822a19696398e0a8789211ac1faae787ee34f9639eb35efe29c67f874b5f9fe674742503e570f441c005974f4a0c93468b8970b
-AUX sshd.rc6.4 2215 SHA256 26cdcade999f3797016c8f894e27173e5ccee73cf6ec8de8ffcca468d7cd6379 SHA512 74eff8bbcd8f4f36ad3bd2ba7fd4ac1ac52a8427b45a8e8a5dcd4ba77cdb257f3aa0bb47187da6cde253194607bb88092a20ee4b8338e82a080b61742e14fe1c WHIRLPOOL 489aff1cc52855fd6d8b29a15524ac400479c364e1899bf1a4a44bb7a9c52ee9cd413efb6678273a55aa4da53110634101cefd2ac551a880652ffc3d3bfb0d09
+AUX sshd.rc6.4 2227 SHA256 7753d47e7719123192d33e327b002cbac2976b49b57957c5da82dff67070f761 SHA512 23e61a83ae0500eba10b799ef1ce71c53c631599c1d7082d81a11932e4355a30cf818ae41b8f4b1daca6a9c208c75f82d6b7b42d69b83920ebaec672adadc7e7 WHIRLPOOL 7229d63bebfe86fdba4daae36c4e597bde8e1469cc0389d126c71c05d2205c358a0e85c182daa70e9446696886f2b5dc71d14d2c6a948bf576bf26e3cb397fa9
AUX sshd.service 242 SHA256 1351c43fe8287f61255ace9fa20790f770d69296b4dd31b0c583983d4cc59843 SHA512 77f50c85a2c944995a39819916eb860cfdc1aff90986e93282e669a0de73c287ecb92d550fd118cfcc8ab538eab677e0d103b23cd959b7e8d9801bc37250c39c WHIRLPOOL 0f5c48d709274c526ceee4f26e35dcb00816ffa9d6661acc1e4e462acb38c3c6108b0e87783eff9da1b1868127c5550c57a5a0a9d7270b927ac4b92191876989
AUX sshd.socket 136 SHA256 c055abcd10c5d372119cbc3708661ddffccdee7a1de1282559c54d03e2f109d9 SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42 WHIRLPOOL 102d87b708c31e5994e8005437c78b1aa756c6def4ee9ae2fa9be1438f328fc28c9152a4ff2528941be18f1311594490ecd98b66716ec74e970aa3725a98e2e5
AUX sshd_at.service 176 SHA256 332f5ffc30456fe2494095c2aabd1e6e02075ce224e2d49708ac7ccf6d341998 SHA512 662a9c2668902633e6dbcb9435ac35bec3e224afdb2ab6a1df908618536ae9fc1958ba1d611e146c01fddb0c8f41eefdc26de78f45b7f165b1d6b2ee2f23be2a WHIRLPOOL aeb32351380dd674ef7a2e7b537f43116c189f7fddb8bdb8b2c109e9f62b0a73cc0f29f2d46270e658ab6409b8d3671ce9e0d0ba7c0d3674c2f85291a73e6df1
-DIST openssh-6.7_p1-sctp.patch.xz 7408 SHA256 b33e82309195f2a3f21a9fb14e6da2080b096dcf0d6f1c36c93cdeac683fdd59 SHA512 35da5e58f857e8b24e63b4058e946b71fdf0fecc637cb7af0ba8913869e5aadf8317805838936c84dc24421f03c5c91e1670761bed152fdf325c5a509f1b5d04 WHIRLPOOL cc7bace4aa60d720914e3a6a4ff650b7543d9e4963deab12c19cb5d798547b4fe547690946ff8955e121339e9a3d0ebe06f3ff758cca4bb81a09ac43fc877f58
-DIST openssh-6.7p1+x509-8.2.diff.gz 241798 SHA256 85acfcd560b40d4533b82a4e3f443b7137b377868bab424dacdf00581c83240f SHA512 d33ece7ddf382235b032875cf961845b308dc5e4cd1888cb68fee11c95066bb90938f9043cb9410f372efb578b61dfd5d50341da95a92fab5a4c209ac54e1f5e WHIRLPOOL b1fe2b88f0e77312099171f5c83dc670abc4c40d215fdff1e43161e44f806de9e0537cfa3a0001e1c7bbc0d0aed555079455f88b8ff313b00d8e9a19dabcb7d8
-DIST openssh-6.7p1-hpnssh14v5.tar.xz 25652 SHA256 7284db65548b6b04142930da86972f96b1f5aa8ad3fc125134412f904f369d7e SHA512 21929805f40c79684ee3ecdb2b495d3204dca90b932aa633c4e0f6a093a417259cdeee10b3e49f3dff426febc6792f45ee23cc0688f05bf047630f3016e0926a WHIRLPOOL 5515cd4c745b061a3e92ac03e8121fb3ffc4b2ff116140625ca7ab2c0211c673b6345e5b08134df8b1743e03f9964017e789e1f0b9da99a0fd5970e14665e681
-DIST openssh-6.7p1.tar.gz 1351367 SHA256 b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507 SHA512 2469dfcd289948374843311dd9e5f7e144ce1cebd4bfce0d387d0b75cb59f3e1af1b9ebf96bd4ab6407dfa77a013c5d25742971053e61cae2541054aeaca559d WHIRLPOOL ac8ce86d0f6c78c4cb3624b480f189f951d508db38b22d7a5550b7302d5277c1c7d18eaa713d52139abc0f77edacfdb03ced2603125e3ddf9bc09c69e6b70518
+DIST openssh-6.6p1+x509-7.9.diff.gz 224691 SHA256 463473f75c1dc250ea4eda21f2c79df6f0b479ea499d044cb51d73073881ca34 SHA512 dc9ee7f0589aa0ba8d3c1c40c505f99a811845d8952bf6bf6b8bd3a00ef4813f3b71db32aadf252d7a320a8bf9cdcdf30b71292869d7830cc42f15ce3d1f3c49 WHIRLPOOL 61158e0dac934d375758904382882e7cd276d076a95ba2be32d03f4a7c7969943bd8d63c269ff16ab78928d7c97465f6e417730be14b5efacf64a029e2f950d7
+DIST openssh-6.6p1-hpnssh14v4.diff.xz 20932 SHA256 16dcc68c399990ec0c801d421d022ceeae0e3aec1e6ffd3fecc5e2f4768cc91b SHA512 7900ccf5ba5fcef5e6f3ed1b3263ad348a4bf63879905bbf9ce5212af64c7f4dae396989c67361ef1b5dfaf97a2d340b3bf75bf37f206b9a18ebee5d84044e2d WHIRLPOOL 163ce9e319cef4dcaf6f38f42afc3b75c6e89c38b43c04189c64c72b4b58bc3f9d7042c7b67243879c87cbe410a607296917e94ff042df2c0a29f2ef82792774
+DIST openssh-6.6p1.tar.gz 1282502 SHA256 48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb SHA512 3d3566ed87649882702cad52db1adefebfb3ef788c9f77a493f99db7e9ca2e8edcde793dd426df7df0aed72a42a31c20a63ef51506111369d3a7c49e0bf6c82b WHIRLPOOL 8630c81481a813a92da9c302d22135fe519fcc4826a892080e5a15368d13a6b47947ef47d53aad0a34e6ea49ce4caccc8f06e8afc2c90db0402fbcc2184efe89
DIST openssh-6.8_p1-sctp.patch.xz 7388 SHA256 2c74dd00aaae9f4de908d8e5685ae982779a5069996b98d55e8408eada739a19 SHA512 f93a1d27bc3e57a6d4fa717c9d5ece4f28196f8539cb2f2efc4285dce9a2e94a3f5a59d18fc01ea73a94e90630cee7621240455fce146f781cf7091a828f2db0 WHIRLPOOL 7fb3346c3444654988303ff2a941345c00412a8012d6d419c9e4f870ef4c3362f92a4020d7bff2dc5d1ff9e42cf7287c4346909f8db07154783d5359a73a7476
-DIST openssh-6.8_p1-x509-8.3.1-glue.patch.xz 141096 SHA256 1e8c911b1403e47a37c24d0ebbfa36d46204c06b38d93ed9ae6d2a0953d3bba6 SHA512 942f09f20d898b4865707b5b48012545d7f8171353427ddb773cffaf1b8c664f48375cb85292592ccba63da695e99def42d17c52a61bb93b89827f53cf3ad918 WHIRLPOOL 66ace7a191a562485ee144516912dee52c84fcfbe8b710b3429211cd9d849dc24d4419c5fa6fd3968f9ab250cf474a692db326c2ac3ef930081b8a5777875a73
-DIST openssh-6.8p1+x509-8.3.1.diff.gz 351502 SHA256 64d0b7cd428352a2d77d9decb02ec744eca4433bcb35288745859eb19ccf4fcf SHA512 6525b7ddae13752f145bda42fe6d65ec40a8c9d44766b749cf49ff904d6b1941e088e560c2a532a3dc0003ac1e29d56a28ea3ed1533ee5abcd696cd80ae88d8e WHIRLPOOL 32f45411d250b7c46f2408bfca6b12223e901fa15c27db449c06cd5b1ab7a0e853fffed5971ca635c5080d1796196a8661b8d1503bdcdb28d61e0d082f28590b
-DIST openssh-6.8p1-r5-hpnssh14v5.tar.xz 27240 SHA256 4fe25701ea8717e88bf2355a76fb5370819f927af99efba3e4f06fe3264fbf58 SHA512 29a2086c6bf868bb1c8d2601e1ac83a82de48ed9f9cf6a3762b3f899112d939507b563d0117b4bec87008dd0434e0735e4a4f8c779a64d719d3873224918d16c WHIRLPOOL a4f3e841530d08363c94dfb55911e79f130668e459dc2e1ebb477c14dcf7d3bd71ad63c55e0ff2ba80684e67a8f40867b0a9fd01aabe3fe1533ef604f84a76b3
-DIST openssh-6.8p1.tar.gz 1475953 SHA256 3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e SHA512 7c4457e4525a56cdabb1164ffaf6bed1c094294ae7d06dd3484dcffcd87738fcffe7019b6cae0032c254b0389832644522d5a9f2603b50637ffeb9999b5fcede WHIRLPOOL 3ac9cc4fe0b11ca66c0220618d0ef0c5925e5605d4d3d55c9579b708c478cf8613b7575fe213aba57054d97d3290baac4eba26b7a630d22477ec947f22327a5a
DIST openssh-6.9p1+x509-8.4.diff.gz 425687 SHA256 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb SHA512 596cb65408db06fb299b92160147685b001dc23929ecf5c4bd11a8b0475d79695c7b4dbe8a878d7fbcd944155935fd62a14e35c79204b39e413f5eaa961ef76c WHIRLPOOL 771fa0f4f6a20ed49ba201605fcdcbfc41a0f094ef4a89ca2433ee51b7c8bf99cc266f26bd7877c61ff92e9a50c7d65119ba75ba64eaa029bd567bab3ee243c2
-DIST openssh-6.9p1-hpnssh14v5.tar.xz 25164 SHA256 67c0b043525c838522d17ba8ed3ffa81aa212ae0f43c3d989a3e649fd0a2ca48 SHA512 bef32f6dd97e949e0973d30248401b86233ca66ace750c5050158a748fe279db46c8ee59b6f3de2193f52bab3a1c19372296b86136d7d65a312769008d0acf3a WHIRLPOOL 65241de2409bfe452b0bcf6282f0571a2bbf6d02d4d5cb97db78bd42e8be439c47da8a54d33272a85d50d648e2e4af56b574bc8add56c65e2ff9ccd59b90f65c
DIST openssh-6.9p1-r1-hpnssh14v5.tar.xz 21396 SHA256 84e9e28a1488ccf66e29a7c90442b3bc4833a6fa186260fb6853b5a1b19c0beb SHA512 476064dbdb3d82b86ad7c481a4a301ff0d46bd281fe7ca0c29f34ae50b0034028760997ae2c934a265499c154f4534d35ead647aa63d1a4545ed503a5364eada WHIRLPOOL 74eaf2fe0a6ecd0e2fa5078034628d4c76c75b121f3c813ff8a098ab28363daa3800d03936046aa3aebbfdab3afd31ef30a207399f5e305d7f71e5f3c7e4f4a7
DIST openssh-6.9p1.tar.gz 1487617 SHA256 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe SHA512 68fec9b4e512fe126a5d35b01e2cc656d810b75052ed8a36bc85cd0a05de7318b15ed287bc95cf9bcb3fa2f385029151d85aced55e07fbcc79e6c779bee6751d WHIRLPOOL 1dcb291383c9f934b512f61ce9f6e0319f22e112ce3f6eace2a868ca0f99c709c65bae14a9815e2ef237f8132fe72c583cffb7ea20bdfa2aaa77cf347967be7f
-DIST openssh-lpk-6.7p1-0.3.14.patch.xz 16920 SHA256 0203e6e44e41d58ec46d1611d7efc985134e662bbee51632c29f43ae809003f0 SHA512 344ccde4a04aeb1500400f779e64b2d8a5ad2970de3c4c343ca9605758e22d3812ef5453cd3221b18ad74a9762583c62417879107e4e1dda1398a6a65bcd04b2 WHIRLPOOL 5b6beeb743d04deea70c8b471a328b5f056fd4651e1370c7882e5d12f54fa2170486dcd6f97aa8c58e80af9a2d4012e2dfbcf53185317976d309783ca8d6cf73
DIST openssh-lpk-6.8p1-0.3.14.patch.xz 16940 SHA256 d5f048dc7e9d3fca085c152fc31306f1d8fa793e524c538295915b075ec085b0 SHA512 2470b6b46f8c7ac985f82d14b788a3eb81a468a1d5013cb7f89257d9dd78b6037e24bf54ac57b757db8ed1df24332d659cf918c11ea73592fd24a69c25a54081 WHIRLPOOL b041ee9e0efdf370686f11df4131ab5e5ffb2f11cc66c386a8223bf563c5b78ab9443f06e4adc2e506e440cdec9dc5b20f5972cd8d691d786d2f903bb49b947b
-EBUILD openssh-6.7_p1-r4.ebuild 10112 SHA256 d37d7a161bb8f9d782f4fe0936bc7c290eb1e8d4feae4a63b18c2d83b7062fba SHA512 712114d3e7169b65d35568e76d8d57a24215e339c1613863442f742d7e14ac9aa90c1d6a3d167e63b4636dcc9cd8ef954d89ad51ad4c5bac54d3ce916a8a6e6b WHIRLPOOL 5c05e6af6f1e9f891fbcc9e13f039a101957fdb06b910cf6cee55779b146ea9595141f48fa282214392152abe2970b762c07737e1280999f641b6e403414ed26
-EBUILD openssh-6.8_p1-r5.ebuild 10583 SHA256 fbf4e89f21e030a7ee32aee59658a5d36058e9efa91ed66cc795cde744e6f2c3 SHA512 e8045571d266053fc03c9109b5d001171ea58709e4be5f9cf0a32734134fa760d8677cca78641e32ac355aef629e7591d20c5a821e73f32f8612ae07882a8f3a WHIRLPOOL 1ae5025dc552517b87a498545594f6ba692979df67216fc676089938d5dd94c03ffb7f77c64d02781794e4e27b871fc27ba5f5059cbc4bd564ec75bf8e4fe6da
-EBUILD openssh-6.9_p1-r1.ebuild 10231 SHA256 4826e533a10026f823e0f169e88516196d32a556a78de93abd1256096d228f66 SHA512 7c77c26e2c2e3b1536f282305849dc4983375b784ca363af1f1e7870d170270e7dbbb2dfde4b6b105def0625685e13265ca21962eaad28451acc9d2054e4ca54 WHIRLPOOL 34361044f4b0f11beeb13adbdcb8606f2229116a9a16cedc05880ee99b8c7abdb4b677e3bef3504ff479535098e09680c9643bc9879b4a61c80e1f486d20901a
-EBUILD openssh-6.9_p1-r2.ebuild 9824 SHA256 1d87a54a735c40d4547d6342bca58da0e2db555abc47525fe909beb4f89c0c6e SHA512 bc424a6d1fd15e5597b48aec71b908e638fb6e348894986c75e741abadb19e77bf3bcd42a04b624206b6fb902279e2056f4568485b1fc4701581d6845ef47942 WHIRLPOOL 1e82d4988b91762863fedc85a57108f02cede191bf2ab8e3ada4053543a83f7b5755dff8bf72532d8cfb154519b824e7852c965d3a5b96dd682be5faa12b4678
+EBUILD openssh-6.6_p1-r1.ebuild 9903 SHA256 76b4ed72c9f1dfc6e8d91772008f26964cdda9f2eaa48a720819186f417375b3 SHA512 876dbbe41841c73a2c8676724a2539065346677992010858f4309d5543bb733d5a4a924873e71a6f0efc7aade0fcb7f048af988a1c9cf264f4e3b3d64b1eba80 WHIRLPOOL 431d60c660b8d1c064474239c923be24d933baa185e087f3adc0ef66da52fd2c332854c7bf790e0b49135e4bf52807404c8dd1e51816cc73e76d8a6e8633fcfe
+EBUILD openssh-6.9_p1-r2.ebuild 10613 SHA256 a8e5e349a8cba5c6b57edebf8660bfe1faed8acf2c9bca0e252c6ed3bfc47f86 SHA512 ae405c0f71f9ff3ad6d726ca54c4643adade3323c85080c128e2f1582df169ef673e7860d514ef9cca0b5810d1a6c65ea637b1c4be96b47976f4988b89ffd0cf WHIRLPOOL 8de1648498cd38ea751463f8ac5688a797c207331c6405f952e57955f3535a9e2217415df4d6d1e4f88a9ef8527969c23ffa7935efdfafbedde5fcbc1d17409a
diff --git a/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
index 96818e42..6377d036 100644
--- a/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch
+++ b/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
@@ -1,8 +1,10 @@
-https://bugs.gentoo.org/378361
-https://bugzilla.mindrot.org/show_bug.cgi?id=928
-
---- a/gss-serv.c
-+++ b/gss-serv.c
+Index: gss-serv.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v
+retrieving revision 1.22
+diff -u -p -r1.22 gss-serv.c
+--- gss-serv.c 8 May 2008 12:02:23 -0000 1.22
++++ gss-serv.c 11 Jan 2010 05:38:29 -0000
@@ -41,9 +41,12 @@
#include "channels.h"
#include "session.h"
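Review bot: The rewritten header of this carried patch drops the two bug references and keeps only the CVS `Index:` / `RCS file:` preamble, so the file no longer says where the change comes from or why it is applied. The patch appears to change how sshd picks its GSSAPI credential in `ssh_gssapi_acquire_cred` and adds a server option, so the provenance lines are worth keeping at the top: `https://bugs.gentoo.org/378361` and `https://bugzilla.mindrot.org/show_bug.cgi?id=928`. That lets a later auditor compare the local copy with the upstream discussion. The same header replacement repeats in the servconf.c, servconf.h, sshd_config and sshd_config.5 sections of this file.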
@@ -17,13 +19,13 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=928
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- char lname[NI_MAXHOST];
+ char lname[MAXHOSTNAMELEN];
gss_OID_set oidset;
- gss_create_empty_oid_set(&status, &oidset);
- gss_add_oid_set_member(&status, ctx->oid, &oidset);
-
-- if (gethostname(lname, sizeof(lname))) {
+- if (gethostname(lname, MAXHOSTNAMELEN)) {
- gss_release_oid_set(&status, &oidset);
- return (-1);
- }
@@ -64,8 +66,13 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=928
}
/* Privileged */
---- a/servconf.c
-+++ b/servconf.c
+Index: servconf.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
+retrieving revision 1.201
+diff -u -p -r1.201 servconf.c
+--- servconf.c 10 Jan 2010 03:51:17 -0000 1.201
++++ servconf.c 11 Jan 2010 05:34:56 -0000
@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@@ -116,8 +123,13 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=928
goto parse_flag;
case sPasswordAuthentication:
---- a/servconf.h
-+++ b/servconf.h
+Index: servconf.h
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
+retrieving revision 1.89
+diff -u -p -r1.89 servconf.h
+--- servconf.h 9 Jan 2010 23:04:13 -0000 1.89
++++ servconf.h 11 Jan 2010 05:32:28 -0000
@@ -92,6 +92,7 @@ typedef struct {
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -126,8 +138,13 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=928
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
---- a/sshd_config
-+++ b/sshd_config
+Index: sshd_config
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/sshd_config,v
+retrieving revision 1.81
+diff -u -p -r1.81 sshd_config
+--- sshd_config 8 Oct 2009 14:03:41 -0000 1.81
++++ sshd_config 11 Jan 2010 05:32:28 -0000
@@ -69,6 +69,7 @@
# GSSAPI options
#GSSAPIAuthentication no
@@ -136,8 +153,13 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=928
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
---- a/sshd_config.5
-+++ b/sshd_config.5
+Index: sshd_config.5
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
+retrieving revision 1.116
+diff -u -p -r1.116 sshd_config.5
+--- sshd_config.5 9 Jan 2010 23:04:13 -0000 1.116
++++ sshd_config.5 11 Jan 2010 05:37:20 -0000
@@ -386,6 +386,21 @@ on logout.
The default is
.Dq yes .
diff --git a/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch b/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch
new file mode 100644
index 00000000..cfb060fd
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch
@@ -0,0 +1,114 @@
+https://bugs.gentoo.org/498632
+
+make sure we do not use unaligned loads/stores as some arches really hate that.
+
+--- a/cipher-ctr-mt.c
++++ b/cipher-ctr-mt.c
+@@ -58,8 +58,16 @@
+ /* Collect thread stats and print at cancellation when in debug mode */
+ /* #define CIPHER_THREAD_STATS */
+
+-/* Use single-byte XOR instead of 8-byte XOR */
+-/* #define CIPHER_BYTE_XOR */
++/* Can the system do unaligned loads natively? */
++#if defined(__aarch64__) || \
++ defined(__i386__) || \
++ defined(__powerpc__) || \
++ defined(__x86_64__)
++# define CIPHER_UNALIGNED_OK
++#endif
++#if defined(__SIZEOF_INT128__)
++# define CIPHER_INT128_OK
++#endif
+ /*-------------------- END TUNABLES --------------------*/
+
+
+@@ -285,8 +293,20 @@ thread_loop(void *x)
+
+ static int
+ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
+- u_int len)
++ size_t len)
+ {
++ typedef union {
++#ifdef CIPHER_INT128_OK
++ __uint128_t *u128;
++#endif
++ uint64_t *u64;
++ uint32_t *u32;
++ uint8_t *u8;
++ const uint8_t *cu8;
++ uintptr_t u;
++ } ptrs_t;
++ ptrs_t destp, srcp, bufp;
++ uintptr_t align;
+ struct ssh_aes_ctr_ctx *c;
+ struct kq *q, *oldq;
+ int ridx;
+@@ -301,35 +321,41 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
+ ridx = c->ridx;
+
+ /* src already padded to block multiple */
++ srcp.cu8 = src;
++ destp.u8 = dest;
+ while (len > 0) {
+ buf = q->keys[ridx];
++ bufp.u8 = buf;
+
+-#ifdef CIPHER_BYTE_XOR
+- dest[0] = src[0] ^ buf[0];
+- dest[1] = src[1] ^ buf[1];
+- dest[2] = src[2] ^ buf[2];
+- dest[3] = src[3] ^ buf[3];
+- dest[4] = src[4] ^ buf[4];
+- dest[5] = src[5] ^ buf[5];
+- dest[6] = src[6] ^ buf[6];
+- dest[7] = src[7] ^ buf[7];
+- dest[8] = src[8] ^ buf[8];
+- dest[9] = src[9] ^ buf[9];
+- dest[10] = src[10] ^ buf[10];
+- dest[11] = src[11] ^ buf[11];
+- dest[12] = src[12] ^ buf[12];
+- dest[13] = src[13] ^ buf[13];
+- dest[14] = src[14] ^ buf[14];
+- dest[15] = src[15] ^ buf[15];
+-#else
+- *(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf;
+- *(uint64_t *)(dest + 8) = *(uint64_t *)(src + 8) ^
+- *(uint64_t *)(buf + 8);
+-#endif
++ /* figure out the alignment on the fly */
++#ifdef CIPHER_UNALIGNED_OK
++ align = 0;
++#else
++ align = destp.u | srcp.u | bufp.u;
++#endif
++
++#ifdef CIPHER_INT128_OK
++ if ((align & 0xf) == 0) {
++ destp.u128[0] = srcp.u128[0] ^ bufp.u128[0];
++ } else
++#endif
++ if ((align & 0x7) == 0) {
++ destp.u64[0] = srcp.u64[0] ^ bufp.u64[0];
++ destp.u64[1] = srcp.u64[1] ^ bufp.u64[1];
++ } else if ((align & 0x3) == 0) {
++ destp.u32[0] = srcp.u32[0] ^ bufp.u32[0];
++ destp.u32[1] = srcp.u32[1] ^ bufp.u32[1];
++ destp.u32[2] = srcp.u32[2] ^ bufp.u32[2];
++ destp.u32[3] = srcp.u32[3] ^ bufp.u32[3];
++ } else {
++ size_t i;
++ for (i = 0; i < AES_BLOCK_SIZE; ++i)
++ dest[i] = src[i] ^ buf[i];
++ }
+
+- dest += 16;
+- src += 16;
+- len -= 16;
++ destp.u += AES_BLOCK_SIZE;
++ srcp.u += AES_BLOCK_SIZE;
++ len -= AES_BLOCK_SIZE;
+ ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
+
+ /* Increment read index, switch queues on rollover */
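Review bot: The byte-wise fallback at the end of the alignment ladder still indexes the original `dest` and `src` parameters, but the patch replaces `dest += 16; src += 16;` with `destp.u += AES_BLOCK_SIZE; srcp.u += AES_BLOCK_SIZE;`, so those parameters never advance. On a target without `CIPHER_UNALIGNED_OK`, every block after the first that takes this branch rewrites the first 16 bytes of `dest` and leaves the later output blocks unwritten, so the caller would receive stale buffer contents where it expects cipher output. The loop body should go through the union like the other branches: `destp.u8[i] = srcp.cu8[i] ^ bufp.u8[i];`. Separately, nothing in the visible lines checks that `len` is a multiple of `AES_BLOCK_SIZE` before `len -= AES_BLOCK_SIZE` on what is now a `size_t`. The body of `ssh_aes_ctr` extends beyond the hunks shown, so that check may exist elsewhere.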
diff --git a/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch
new file mode 100644
index 00000000..6db6b97d
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch
@@ -0,0 +1,17 @@
+the last nibble of the openssl version represents the status. that is,
+whether it is a beta or release. when it comes to version checks in
+openssh, this component does not matter, so ignore it.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=2212
+
+--- a/entropy.c
++++ b/entropy.c
+@@ -216,7 +216,7 @@ seed_rng(void)
+ * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+ * within a patch series.
+ */
+- u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
++ u_long version_mask = SSLeay() >= 0x1000000f ? ~0xfffffL : ~0xff0L;
+ if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
+ (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
+ fatal("OpenSSL version mismatch. Built against %lx, you "
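Review bot: Only the 1.0.0-and-later arm of `version_mask` is widened to `~0xfffffL`; the older arm keeps `~0xff0L`, which still compares the status nibble, so the description's "this component does not matter" holds for one branch only. If that is intended, the comment above the mask should say so, for example `* The status nibble (beta/release) is ignored for OpenSSL 1.0.0 and later.` This check is what makes the program refuse to run against a mismatched libcrypto, so the next reader needs to know which differences it no longer rejects. The body of `seed_rng` and the start of that comment are outside the hunk.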
diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch
index 2a34ee96..0ba3e456 100644
--- a/net-misc/openssh/files/openssh-6.6.1_p1-x509-glue.patch
+++ b/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch
@@ -1,14 +1,13 @@
Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch.
---- openssh-6.6p1+x509-8.0.diff
-+++ openssh-6.6p1+x509-8.0.diff
-@@ -16337,10 +16337,10 @@
+--- openssh-6.6p1+x509-7.9.diff
++++ openssh-6.6p1+x509-7.9.diff
+@@ -15473,10 +15473,9 @@
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
PAM or though authentication styles supported in
-@@ -499,6 +576,16 @@
-+@@ -514,6 +591,16 @@
-+ This facility is provided to assist with operation on multi homed machines.
++@@ -499,5 +576,15 @@
The default is
.Dq yes .
- Note that this option applies to protocol version 2 only.
diff --git a/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch b/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch
new file mode 100644
index 00000000..a69830e0
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch
@@ -0,0 +1,26 @@
+make the hpn patch apply when the x509 patch has also been applied
+
+--- openssh-6.6p1-hpnssh14v4.diff
++++ openssh-6.6p1-hpnssh14v4.diff
+@@ -1742,18 +1742,14 @@
+ if (options->ip_qos_interactive == -1)
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
+ if (options->ip_qos_bulk == -1)
+-@@ -345,9 +393,10 @@
++@@ -345,6 +393,7 @@
+ sUsePrivilegeSeparation, sAllowAgentForwarding,
+ sHostCertificate,
+ sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
+++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
+ sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+-- sAuthenticationMethods, sHostKeyAgent,
+-+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
+- sDeprecated, sUnsupported
+- } ServerOpCodes;
+-
++ sAuthenticationMethods, sHostKeyAgent,
+ @@ -468,6 +517,10 @@
+ { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
+ { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
diff --git a/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch
deleted file mode 100644
index bd0b7ce1..00000000
--- a/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch
+++ /dev/null
@@ -1,42 +0,0 @@
---- openssh-6.7_p1-sctp.patch.orig 2014-11-24 10:34:31.817538707 -0800
-+++ openssh-6.7_p1-sctp.patch 2014-11-24 10:38:52.744990154 -0800
-@@ -195,14 +195,6 @@
- .Op Fl c Ar cipher
- .Op Fl F Ar ssh_config
- .Op Fl i Ar identity_file
--@@ -178,6 +178,7 @@ For full details of the options listed b
-- .It ServerAliveCountMax
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It UsePrivilegedPort
-- .It User
-- .It UserKnownHostsFile
- @@ -218,6 +219,8 @@ and
- to print debugging messages about their progress.
- This is helpful in
-@@ -482,14 +474,6 @@
- .Op Fl b Ar bind_address
- .Op Fl c Ar cipher_spec
- .Op Fl D Oo Ar bind_address : Oc Ns Ar port
--@@ -473,6 +473,7 @@ For full details of the options listed b
-- .It StreamLocalBindUnlink
-- .It StrictHostKeyChecking
-- .It TCPKeepAlive
--+.It Transport
-- .It Tunnel
-- .It TunnelDevice
-- .It UsePrivilegedPort
- @@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte
- controls.
- .It Fl y
-@@ -527,7 +511,7 @@
-- again:
-+
- - while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
- + while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
-- "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
-+ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
- switch (opt) {
- case '1':
- @@ -732,6 +738,11 @@ main(int ac, char **av)
diff --git a/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch
deleted file mode 100644
index 71b9c517..00000000
--- a/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch
+++ /dev/null
@@ -1,46 +0,0 @@
---- openssh-6.7p1.orig/sshd_config.5 2014-11-24 10:24:29.356244415 -0800
-+++ openssh-6.7p1/sshd_config.5 2014-11-24 10:23:49.415029039 -0800
-@@ -610,21 +610,6 @@
- The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
--.It Cm GSSAPIStrictAcceptorCheck
--Determines whether to be strict about the identity of the GSSAPI acceptor
--a client authenticates against.
--If set to
--.Dq yes
--then the client must authenticate against the
--.Pa host
--service on the current hostname.
--If set to
--.Dq no
--then the client may authenticate against any service key stored in the
--machine's default store.
--This facility is provided to assist with operation on multi homed machines.
--The default is
--.Dq yes .
- .It Cm HostbasedAuthentication
- Specifies whether rhosts or /etc/hosts.equiv authentication together
- with successful public key client host authentication is allowed
-@@ -651,6 +636,21 @@
- attempting to resolve the name from the TCP connection itself.
- The default is
- .Dq no .
-+.It Cm GSSAPIStrictAcceptorCheck
-+Determines whether to be strict about the identity of the GSSAPI acceptor
-+a client authenticates against.
-+If set to
-+.Dq yes
-+then the client must authenticate against the
-+.Pa host
-+service on the current hostname.
-+If set to
-+.Dq no
-+then the client may authenticate against any service key stored in the
-+machine's default store.
-+This facility is provided to assist with operation on multi homed machines.
-+The default is
-+.Dq yes .
- .It Cm HostCertificate
- Specifies a file containing a public host certificate.
- The certificate's public key must match a private host key already specified
diff --git a/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch b/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch
deleted file mode 100644
index 170031da..00000000
--- a/net-misc/openssh/files/openssh-6.7_p1-xmalloc-include.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -ur openssh-6.7p1.orig/ssh-rsa.c openssh-6.7p1/ssh-rsa.c
---- openssh-6.7p1.orig/ssh-rsa.c 2015-02-24 14:52:54.512197868 -0800
-+++ openssh-6.7p1/ssh-rsa.c 2015-02-27 11:48:54.173951646 -0800
-@@ -34,6 +34,7 @@
- #include "sshkey.h"
- #include "digest.h"
- #include "evp-compat.h"
-+#include "xmalloc.h"
-
- /*NOTE: Do not define USE_LEGACY_RSA_... if build
- is with FIPS capable OpenSSL */
diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch b/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch
deleted file mode 100644
index e14a728f..00000000
--- a/net-misc/openssh/files/openssh-6.8_p1-ssh-keygen-no-ssh1.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-https://bugs.gentoo.org/544078
-https://bugzilla.mindrot.org/show_bug.cgi?id=2369
-
-From 117c961c8d1f0537973df5a6a937389b4b7b61b4 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Mon, 23 Mar 2015 06:06:38 +0000
-Subject: [PATCH] upstream commit
-
-for ssh-keygen -A, don't try (and fail) to generate ssh
- v.1 keys when compiled without SSH1 support RSA/DSA/ECDSA keys when compiled
- without OpenSSL based on patch by Mike Frysinger; bz#2369
----
- ssh-keygen.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index a3c2362..96dd8b4 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -948,12 +948,16 @@ do_gen_all_hostkeys(struct passwd *pw)
- char *key_type_display;
- char *path;
- } key_types[] = {
-+#ifdef WITH_OPENSSL
-+#ifdef WITH_SSH1
- { "rsa1", "RSA1", _PATH_HOST_KEY_FILE },
-+#endif /* WITH_SSH1 */
- { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
- { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
- #ifdef OPENSSL_HAS_ECC
- { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
--#endif
-+#endif /* OPENSSL_HAS_ECC */
-+#endif /* WITH_OPENSSL */
- { "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
- { NULL, NULL, NULL }
- };
---
-2.3.3
-
diff --git a/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch
deleted file mode 100644
index 48fce1e2..00000000
--- a/net-misc/openssh/files/openssh-6.8_p1-sshd-gssapi-multihomed.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-https://bugs.gentoo.org/378361
-https://bugzilla.mindrot.org/show_bug.cgi?id=928
-
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -41,9 +41,12 @@
- #include "channels.h"
- #include "session.h"
- #include "misc.h"
-+#include "servconf.h"
-
- #include "ssh-gss.h"
-
-+extern ServerOptions options;
-+
- static ssh_gssapi_client gssapi_client =
- { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
-@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- char lname[NI_MAXHOST];
- gss_OID_set oidset;
-
-- gss_create_empty_oid_set(&status, &oidset);
-- gss_add_oid_set_member(&status, ctx->oid, &oidset);
--
-- if (gethostname(lname, sizeof(lname))) {
-- gss_release_oid_set(&status, &oidset);
-- return (-1);
-- }
-+ if (options.gss_strict_acceptor) {
-+ gss_create_empty_oid_set(&status, &oidset);
-+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
-+
-+ if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (-1);
-+ }
-+
-+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (ctx->major);
-+ }
-+
-+ if ((ctx->major = gss_acquire_cred(&ctx->minor,
-+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
-+ NULL, NULL)))
-+ ssh_gssapi_error(ctx);
-
-- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
- gss_release_oid_set(&status, &oidset);
- return (ctx->major);
-+ } else {
-+ ctx->name = GSS_C_NO_NAME;
-+ ctx->creds = GSS_C_NO_CREDENTIAL;
- }
--
-- if ((ctx->major = gss_acquire_cred(&ctx->minor,
-- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
-- ssh_gssapi_error(ctx);
--
-- gss_release_oid_set(&status, &oidset);
-- return (ctx->major);
-+ return GSS_S_COMPLETE;
- }
-
- /* Privileged */
---- a/servconf.c
-+++ b/servconf.c
-@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions
- options->kerberos_get_afs_token = -1;
- options->gss_authentication=-1;
- options->gss_cleanup_creds = -1;
-+ options->gss_strict_acceptor = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->challenge_response_authentication = -1;
-@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
- options->gss_authentication = 0;
- if (options->gss_cleanup_creds == -1)
- options->gss_cleanup_creds = 1;
-+ if (options->gss_strict_acceptor == -1)
-+ options->gss_strict_acceptor = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-@@ -277,7 +280,8 @@ typedef enum {
- sBanner, sUseDNS, sHostbasedAuthentication,
- sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
- sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
-- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-+ sAcceptEnv, sPermitTunnel,
- sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sHostCertificate,
-@@ -327,9 +331,11 @@ static struct {
- #ifdef GSSAPI
- { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
- { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
- #else
- { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
- { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
- #endif
- { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
- { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
-
- case sGssCleanupCreds:
- intptr = &options->gss_cleanup_creds;
-+ goto parse_flag;
-+
-+ case sGssStrictAcceptor:
-+ intptr = &options->gss_strict_acceptor;
- goto parse_flag;
-
- case sPasswordAuthentication:
---- a/servconf.h
-+++ b/servconf.h
-@@ -92,6 +92,7 @@ typedef struct {
- * authenticated with Kerberos. */
- int gss_authentication; /* If true, permit GSSAPI authentication */
- int gss_cleanup_creds; /* If true, destroy cred cache on logout */
-+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
- int password_authentication; /* If true, permit password
- * authentication. */
- int kbd_interactive_authentication; /* If true, permit */
---- a/sshd_config
-+++ b/sshd_config
-@@ -69,6 +69,7 @@
- # GSSAPI options
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
-+#GSSAPIStrictAcceptorCheck yes
-
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -386,6 +386,21 @@ on logout.
- The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
-+.It Cm GSSAPIStrictAcceptorCheck
-+Determines whether to be strict about the identity of the GSSAPI acceptor
-+a client authenticates against.
-+If set to
-+.Dq yes
-+then the client must authenticate against the
-+.Pa host
-+service on the current hostname.
-+If set to
-+.Dq no
-+then the client may authenticate against any service key stored in the
-+machine's default store.
-+This facility is provided to assist with operation on multi homed machines.
-+The default is
-+.Dq yes .
- .It Cm HostbasedAcceptedKeyTypes
- Specifies the key types that will be accepted for hostbased authentication
- as a comma-separated pattern list.
diff --git a/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch b/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch
deleted file mode 100644
index e72b1e6b..00000000
--- a/net-misc/openssh/files/openssh-6.8_p1-teraterm-hpn-glue.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- a/0005-support-dynamically-sized-receive-buffers.patch
-+++ b/0005-support-dynamically-sized-receive-buffers.patch
-@@ -411,10 +411,10 @@ index af2f007..41b782b 100644
- --- a/compat.h
- +++ b/compat.h
- @@ -60,6 +60,7 @@
-- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
- #define SSH_BUG_CURVE25519PAD 0x10000000
--+#define SSH_BUG_LARGEWINDOW 0x20000000
-+ #define SSH_BUG_HOSTKEYS 0x20000000
-++#define SSH_BUG_LARGEWINDOW 0x40000000
-
- void enable_compat13(void);
- void enable_compat20(void);
diff --git a/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch b/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch
deleted file mode 100644
index f99e92f2..00000000
--- a/net-misc/openssh/files/openssh-6.8_p1-teraterm.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-https://bugs.gentoo.org/547944
-
-From d8f391caef62378463a0e6b36f940170dadfe605 Mon Sep 17 00:00:00 2001
-From: "dtucker@openbsd.org" <dtucker@openbsd.org>
-Date: Fri, 10 Apr 2015 05:16:50 +0000
-Subject: [PATCH] upstream commit
-
-Don't send hostkey advertisments
- (hostkeys-00@openssh.com) to current versions of Tera Term as they can't
- handle them. Newer versions should be OK. Patch from Bryan Drewery and
- IWAMOTO Kouichi, ok djm@
----
- compat.c | 13 ++++++++++++-
- compat.h | 3 ++-
- sshd.c | 6 +++++-
- 3 files changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/compat.c b/compat.c
-index 2498168..0934de9 100644
---- a/compat.c
-+++ b/compat.c
-@@ -167,6 +167,17 @@ compat_datafellows(const char *version)
- SSH_BUG_SCANNER },
- { "Probe-*",
- SSH_BUG_PROBE },
-+ { "TeraTerm SSH*,"
-+ "TTSSH/1.5.*,"
-+ "TTSSH/2.1*,"
-+ "TTSSH/2.2*,"
-+ "TTSSH/2.3*,"
-+ "TTSSH/2.4*,"
-+ "TTSSH/2.5*,"
-+ "TTSSH/2.6*,"
-+ "TTSSH/2.70*,"
-+ "TTSSH/2.71*,"
-+ "TTSSH/2.72*", SSH_BUG_HOSTKEYS },
- { NULL, 0 }
- };
-
-diff --git a/compat.h b/compat.h
-index af2f007..83507f0 100644
---- a/compat.h
-+++ b/compat.h
-@@ -60,6 +60,7 @@
- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
- #define SSH_BUG_CURVE25519PAD 0x10000000
-+#define SSH_BUG_HOSTKEYS 0x20000000
-
- void enable_compat13(void);
- void enable_compat20(void);
-diff --git a/sshd.c b/sshd.c
-index 6aa17fa..60b0cd4 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -928,6 +928,10 @@ notify_hostkeys(struct ssh *ssh)
- int i, nkeys, r;
- char *fp;
-
-+ /* Some clients cannot cope with the hostkeys message, skip those. */
-+ if (datafellows & SSH_BUG_HOSTKEYS)
-+ return;
-+
- if ((buf = sshbuf_new()) == NULL)
- fatal("%s: sshbuf_new", __func__);
- for (i = nkeys = 0; i < options.num_host_key_files; i++) {
---
-2.3.6
-
diff --git a/net-misc/openssh/files/openssh-6.9_p1-libseccomp.patch b/net-misc/openssh/files/openssh-6.9_p1-libseccomp.patch
new file mode 100644
index 00000000..2993c0e3
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.9_p1-libseccomp.patch
@@ -0,0 +1,244 @@
+diff --git a/Makefile.in b/Makefile.in
+index 06be3d5..b1f0931 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -106,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+ sftp-server.o sftp-common.o \
+ roaming_common.o roaming_serv.o \
+ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
+- sandbox-seccomp-filter.o sandbox-capsicum.o
++ sandbox-seccomp-filter.o sandbox-libseccomp-filter.o sandbox-capsicum.o
+
+ MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
+ MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+diff --git a/configure.ac b/configure.ac
+index 67c4486..ddaf7c0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2867,11 +2867,22 @@ else
+ fi
+ AC_SUBST([SSH_PRIVSEP_USER])
+
++AC_CHECK_DECL([SCMP_ARCH_NATIVE], [have_libseccomp_filter=1], , [
++ #include <sys/types.h>
++ #include <seccomp.h>
++])
++if test "x$have_libseccomp_filter" = "x1" ; then
++ AC_CHECK_LIB([seccomp], [seccomp_init],
++ [LIBS="$LIBS -lseccomp"],
++ [have_libseccomp_filter=0])
++fi
++
+ if test "x$have_linux_no_new_privs" = "x1" ; then
+ AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
+ #include <sys/types.h>
+ #include <linux/seccomp.h>
+ ])
++
+ fi
+ if test "x$have_seccomp_filter" = "x1" ; then
+ AC_MSG_CHECKING([kernel for seccomp_filter support])
+@@ -2898,7 +2909,7 @@ fi
+ # Decide which sandbox style to use
+ sandbox_arg=""
+ AC_ARG_WITH([sandbox],
+- [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)],
++ [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, libseccomp_filter, capsicum)],
+ [
+ if test "x$withval" = "xyes" ; then
+ sandbox_arg=""
+@@ -3008,6 +3019,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \
+ AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
+ SANDBOX_STYLE="darwin"
+ AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
++elif test "x$sandbox_arg" = "xlibseccomp_filter" || \
++ ( test -z "$sandbox_arg" && \
++ test "x$have_libseccomp_filter" = "x1" ) ; then
++ test "x$have_libseccomp_filter" != "x1" && \
++ AC_MSG_ERROR([libseccomp_filter sandbox not supported on $host])
++ SANDBOX_STYLE="libseccomp_filter"
++ AC_DEFINE([SANDBOX_LIBSECCOMP_FILTER], [1], [Sandbox using libseccomp filter])
+ elif test "x$sandbox_arg" = "xseccomp_filter" || \
+ ( test -z "$sandbox_arg" && \
+ test "x$have_seccomp_filter" = "x1" && \
+diff --git a/sandbox-libseccomp-filter.c b/sandbox-libseccomp-filter.c
+new file mode 100644
+index 0000000..d03856b
+--- /dev/null
++++ b/sandbox-libseccomp-filter.c
+@@ -0,0 +1,175 @@
++/*
++ * Copyright (c) 2012 Will Drewry <wad@dataspill.org>
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ */
++
++#include "includes.h"
++
++#ifdef SANDBOX_LIBSECCOMP_FILTER
++
++#include <sys/types.h>
++#include <sys/resource.h>
++#include <seccomp.h>
++
++#include <errno.h>
++#include <signal.h>
++#include <stdarg.h>
++#include <stddef.h> /* for offsetof */
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++
++#include "log.h"
++#include "ssh-sandbox.h"
++#include "xmalloc.h"
++
++struct ssh_sandbox {
++ pid_t child_pid;
++};
++
++struct ssh_sandbox *
++ssh_sandbox_init(struct monitor *monitor)
++{
++ struct ssh_sandbox *box;
++
++ /*
++ * Strictly, we don't need to maintain any state here but we need
++ * to return non-NULL to satisfy the API.
++ */
++ debug3("%s: preparing libseccomp filter sandbox", __func__);
++ box = xcalloc(1, sizeof(*box));
++ box->child_pid = 0;
++
++ return box;
++}
++
++static int
++seccomp_add_secondary_archs(scmp_filter_ctx *c)
++{
++#if defined(__i386__) || defined(__x86_64__)
++ int r;
++ r = seccomp_arch_add(c, SCMP_ARCH_X86);
++ if (r < 0 && r != -EEXIST)
++ return r;
++ r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
++ if (r < 0 && r != -EEXIST)
++ return r;
++ r = seccomp_arch_add(c, SCMP_ARCH_X32);
++ if (r < 0 && r != -EEXIST)
++ return r;
++#endif
++ return 0;
++}
++
++struct scmp_action_def {
++ uint32_t action;
++ int syscall;
++};
++
++static const struct scmp_action_def preauth_insns[] = {
++ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open)},
++ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(stat)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime)},
++#ifdef __NR_time /* not defined on EABI ARM */
++ {SCMP_ACT_ALLOW, SCMP_SYS(time)},
++#endif
++ {SCMP_ACT_ALLOW, SCMP_SYS(read)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(write)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(close)},
++#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
++ {SCMP_ACT_ALLOW, SCMP_SYS(shutdown)},
++#endif
++ {SCMP_ACT_ALLOW, SCMP_SYS(brk)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(poll)},
++#ifdef __NR__newselect
++ {SCMP_ACT_ALLOW, SCMP_SYS(_newselect)},
++#endif
++ {SCMP_ACT_ALLOW, SCMP_SYS(select)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(madvise)},
++#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
++ {SCMP_ACT_ALLOW, SCMP_SYS(mmap2)},
++#endif
++#ifdef __NR_mmap
++ {SCMP_ACT_ALLOW, SCMP_SYS(mmap)},
++#endif
++#ifdef __dietlibc__
++ {SCMP_ACT_ALLOW, SCMP_SYS(mremap)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(exit)},
++#endif
++ {SCMP_ACT_ALLOW, SCMP_SYS(munmap)},
++ {SCMP_ACT_ALLOW, SCMP_SYS(exit_group)},
++#ifdef __NR_rt_sigprocmask
++ {SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask)},
++#else
++ {SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask)},
++#endif
++ {0, 0}
++};
++
++
++void
++ssh_sandbox_child(struct ssh_sandbox *box)
++{
++ scmp_filter_ctx *seccomp;
++ struct rlimit rl_zero;
++ const struct scmp_action_def *insn;
++ int r;
++
++ /* Set rlimits for completeness if possible. */
++ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
++ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
++ fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
++ __func__, strerror(errno));
++ if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
++ fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
++ __func__, strerror(errno));
++ if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
++ fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
++ __func__, strerror(errno));
++
++ seccomp = seccomp_init(SCMP_ACT_KILL);
++ if (!seccomp)
++ fatal("%s:libseccomp activation failed", __func__);
++ if (seccomp_add_secondary_archs(seccomp))
++ fatal("%s:libseccomp secondary arch setup failed", __func__);
++
++ for (insn = preauth_insns; insn->action; insn++) {
++ if (seccomp_rule_add(seccomp, insn->action, insn->syscall, 0) < 0)
++ fatal("%s:libseccomp rule failed", __func__);
++ }
++
++ if ((r = seccomp_load(seccomp)) < 0)
++ fatal("%s:libseccomp unable to load filter %d", __func__, r);
++
++ seccomp_release(seccomp);
++}
++
++void
++ssh_sandbox_parent_finish(struct ssh_sandbox *box)
++{
++ free(box);
++ debug3("%s: finished", __func__);
++}
++
++void
++ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
++{
++ box->child_pid = child_pid;
++}
++
++#endif /* SANDBOX_LIBSECCOMP_FILTER */
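Review bot: `seccomp_add_secondary_archs()` in sandbox-libseccomp-filter.c adds `SCMP_ARCH_X86`, `SCMP_ARCH_X86_64` and `SCMP_ARCH_X32` on every x86 build, so the pre-auth allow-list is accepted under all three syscall ABIs instead of only the one sshd was compiled for. A context returned by `seccomp_init()` should already include the native architecture, so the helper looks unnecessary for x32, and dropping it leaves foreign-ABI calls on the `SCMP_ACT_KILL` default. In configure.ac the new `libseccomp_filter` branch sits before `seccomp_filter` and is taken whenever the library is found, so the default sandbox changes on every Linux host with libseccomp, not just x32. Unlike the `seccomp_filter` path, that branch is not gated on `have_linux_no_new_privs` or the kernel probe. Smaller points: `scmp_filter_ctx` is already a pointer type, so the declarations should read `scmp_filter_ctx seccomp;` and `seccomp_add_secondary_archs(scmp_filter_ctx c)`, and `getpid` is listed twice in `preauth_insns`.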
diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd
index 28952b4a..cb847805 100644
--- a/net-misc/openssh/files/sshd.confd
+++ b/net-misc/openssh/files/sshd.confd
@@ -1,21 +1,14 @@
# /etc/conf.d/sshd: config file for /etc/init.d/sshd
# Where is your sshd_config file stored?
-
SSHD_CONFDIR="/etc/ssh"
-
# Any random options you want to pass to sshd.
# See the sshd(8) manpage for more info.
-
SSHD_OPTS=""
-
# Pid file to use (needs to be absolute path).
-
#SSHD_PIDFILE="/var/run/sshd.pid"
-
# Path to the sshd binary (needs to be absolute path).
-
#SSHD_BINARY="/usr/sbin/sshd"
diff --git a/net-misc/openssh/files/sshd.rc6.4 b/net-misc/openssh/files/sshd.rc6.4
index 80f1b7ee..1efe53f5 100755
--- a/net-misc/openssh/files/sshd.rc6.4
+++ b/net-misc/openssh/files/sshd.rc6.4
@@ -12,8 +12,8 @@ extra_started_commands="reload"
: ${SSHD_BINARY:=/usr/sbin/sshd}
depend() {
- use logger dns
- if [ "${rc_need+set}" = "set" ] ; then
+ use logger dns # iptables ip6tables
+ if [ -n "${rc_need}" ] ; then
: # Do nothing, the user has explicitly set rc_need
else
local x warn_addr
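Review bot: Replacing `[ "${rc_need+set}" = "set" ]` with `[ -n "${rc_need}" ]` changes what counts as "explicitly set". An administrator who sets `rc_need=""` in conf.d to opt out now falls through to the `else` branch and gets whatever it computes. If that is not intended, keep the `${rc_need+set}` form; otherwise the comment should read `# Do nothing, the user has set a non-empty rc_need`. depend() continues outside the hunk, so the effect of the `else` branch should be checked there.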
diff --git a/net-misc/openssh/openssh-6.7_p1-r4.ebuild b/net-misc/openssh/openssh-6.6_p1-r1.ebuild
index b64e7beb..1ee91fdc 100644
--- a/net-misc/openssh/openssh-6.7_p1-r4.ebuild
+++ b/net-misc/openssh/openssh-6.6_p1-r1.ebuild
@@ -1,6 +1,6 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.7_p1-r4.ebuild,v 1.1 2015/02/27 22:06:53 chutzpah Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/Attic/openssh-6.6_p1-r1.ebuild,v 1.11 2015/01/31 18:05:34 polynomial-c dead $
EAPI="4"
inherit eutils user flag-o-matic multilib autotools pam systemd versionator
@@ -9,36 +9,32 @@ inherit eutils user flag-o-matic multilib autotools pam systemd versionator
# and _p? releases.
PARCH=${P/_}
-HPN_PATCH="${PN}-6.7p1-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.7p1-0.3.14.patch.xz"
-X509_VER="8.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+#HPN_PATCH="${PN}-6.6p1-hpnssh14v4.diff.gz"
+HPN_PATCH="${PN}-6.6p1-hpnssh14v4.diff.xz"
+#LDAP_PATCH="${PN}-lpk-6.5p1-0.3.14.patch.gz"
+X509_VER="7.9" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="http://www.openssh.org/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- mirror://gentoo/${P}-sctp.patch.xz
- ${HPN_PATCH:+hpn? (
- mirror://gentoo/${HPN_PATCH}
- http://dev.gentoo.org/~vapier/dist/${HPN_PATCH}
- mirror://sourceforge/hpnssh/${HPN_PATCH}
- )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+ ${HPN_PATCH:+hpn? ( http://dev.gentoo.org/~polynomial-c/${HPN_PATCH} )}
${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
+ #${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+ #${HPN_PATCH:+hpn? ( mirror://sourceforge/hpnssh/${HPN_PATCH} )}
LICENSE="BSD GPL-2"
SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-IUSE="bindist ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey static X X509"
-REQUIRED_USE="pie? ( !static )"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldns libedit pam selinux skey static tcpd X X509"
-LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+LIB_DEPEND="selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
libedit? ( dev-libs/libedit[static-libs(+)] )
>=dev-libs/openssl-0.9.6d:0[bindist=]
dev-libs/openssl[static-libs(+)]
- >=sys-libs/zlib-1.2.3[static-libs(+)]"
+ >=sys-libs/zlib-1.2.3[static-libs(+)]
+ tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )"
RDEPEND="
!static? (
${LIB_DEPEND//\[static-libs(+)]}
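Review bot: The restored 6.6_p1-r1 ebuild carries stable `KEYWORDS` (`alpha amd64 arm ...`), where the 6.7_p1-r4 ebuild it is derived from had only `~` keywords. The commit message says this version is restored temporarily for x32 only. As written, a stable system using this overlay may presumably resolve net-misc/openssh to 6.6_p1 in preference to a newer testing-keyworded ebuild, and so miss later upstream fixes. Consider limiting `KEYWORDS` to the testing keyword(s) this overlay needs, or adding a comment above the `KEYWORDS` line that the ebuild exists only for x32 and should be removed once 6.9_p1 works there. The `hpn?` entry in `SRC_URI` now has a single plain-http source, so a valid Manifest entry is the only integrity check on that download.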
@@ -48,8 +44,8 @@ RDEPEND="
)
)
pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- ldap? ( net-nds/openldap )"
+ kerberos? ( virtual/krb5 )"
+ #ldap? ( net-nds/openldap )"
DEPEND="${RDEPEND}
static? (
${LIB_DEPEND}
@@ -74,9 +70,9 @@ pkg_setup() {
maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
local fail="
$(use X509 && maybe_fail X509 X509_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
$(use hpn && maybe_fail hpn HPN_PATCH)
"
+ # $(use ldap && maybe_fail ldap LDAP_PATCH)
fail=$(echo ${fail})
if [[ -n ${fail} ]] ; then
eerror "Sorry, but this version does not yet support features"
@@ -104,30 +100,29 @@ src_prepare() {
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
- epatch "${FILESDIR}"/${PN}-6.7_p1-sshd-gssapi-multihomed.patch #378361
+ epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361
if use X509 ; then
pushd .. >/dev/null
- epatch "${FILESDIR}"/${P}-x509-glue.patch
- epatch "${FILESDIR}"/${P}-sctp-x509-glue.patch
+ epatch "${FILESDIR}"/${PN}-6.6_p1-x509-glue.patch
+ use hpn && epatch "${FILESDIR}"/${PN}-6.6_p1-x509-hpn14v4-glue-p2.patch
popd >/dev/null
epatch "${WORKDIR}"/${X509_PATCH%.*}
epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
- epatch "${FILESDIR}"/${PN}-6.7_p1-xmalloc-include.patch
save_version X509
fi
- if ! use X509 ; then
- if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- epatch "${WORKDIR}"/${LDAP_PATCH%.*}
- save_version LPK
- fi
- else
- use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
- fi
+ #if ! use X509 ; then
+ # if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+ # epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+ # save_version LPK
+ # fi
+ #else
+ # use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
+ #fi
epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- epatch "${WORKDIR}"/${PN}-6.7_p1-sctp.patch
+ epatch "${FILESDIR}"/${PN}-6.6_p1-openssl-ignore-status.patch
if [[ -n ${HPN_PATCH} ]] && use hpn; then
- epatch "${WORKDIR}"/${HPN_PATCH%.*}/*
+ epatch "${WORKDIR}"/${HPN_PATCH%.*}
+ epatch "${FILESDIR}"/${PN}-6.5_p1-hpn-cipher-align.patch #498632
save_version HPN
fi
@@ -174,7 +169,7 @@ static_use_with() {
}
src_configure() {
- local myconf=()
+ local myconf
addwrite /dev/ptmx
addpredict /etc/skey/skeykeys #skey configure code triggers this
@@ -182,7 +177,7 @@ src_configure() {
# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
- myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
+ myconf="${myconf} --disable-utmp --disable-wtmp --disable-wtmpx"
append-ldflags -lutil
fi
@@ -198,15 +193,14 @@ src_configure() {
--with-md5-passwords \
--with-ssl-engine \
$(static_use_with pam) \
- $(static_use_with kerberos kerberos5 "${EPREFIX}"/usr) \
- ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
+ $(static_use_with kerberos kerberos5 /usr) \
$(use_with ldns) \
$(use_with libedit) \
- $(use_with pie) \
- $(use_with sctp) \
$(use_with selinux) \
$(use_with skey) \
- "${myconf[@]}"
+ $(use_with tcpd tcp-wrappers) \
+ ${myconf}
+ # ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
}
src_install() {
@@ -251,10 +245,10 @@ src_install() {
keepdir /var/empty/dev
fi
- if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- insinto /etc/openldap/schema/
- newins openssh-lpk_openldap.schema openssh-lpk.schema
- fi
+ #if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+ # insinto /etc/openldap/schema/
+ # newins openssh-lpk_openldap.schema openssh-lpk.schema
+ #fi
doman contrib/ssh-copy-id.1
dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
@@ -316,9 +310,8 @@ pkg_postinst() {
# This instruction is from the HPN webpage,
# Used for the server logging functionality
if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+ echo
einfo "For the HPN server logging patch, you must ensure that"
einfo "your syslog application also listens at /var/empty/dev/log."
fi
- elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has"
- elog " dropped it. Make sure to update any configs that you might have."
}
diff --git a/net-misc/openssh/openssh-6.8_p1-r5.ebuild b/net-misc/openssh/openssh-6.8_p1-r5.ebuild
deleted file mode 100644
index cd7a2394..00000000
--- a/net-misc/openssh/openssh-6.8_p1-r5.ebuild
+++ /dev/null
@@ -1,332 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.8_p1-r5.ebuild,v 1.1 2015/04/28 04:39:35 vapier Exp $
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PN}-6.8p1-r5-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
-X509_VER="8.3.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- mirror://gentoo/${P}-sctp.patch.xz
- ${HPN_PATCH:+hpn? (
- mirror://gentoo/${HPN_PATCH}
- http://dev.gentoo.org/~vapier/dist/${HPN_PATCH}
- mirror://sourceforge/hpnssh/${HPN_PATCH}
- )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
- ${X509_PATCH:+X509? (
- http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
- mirror://gentoo/${P}-x509-${X509_VER}-glue.patch.xz
- )}
- "
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-# Probably want to drop ssh1/ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey +ssh1 +ssl static X X509"
-REQUIRED_USE="pie? ( !static )
- ssh1? ( ssl )
- static? ( !kerberos !pam )
- X509? ( !ldap ssl )"
-
-LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
- libedit? ( dev-libs/libedit[static-libs(+)] )
- ssl? (
- >=dev-libs/openssl-0.9.6d:0[bindist=]
- dev-libs/openssl[static-libs(+)]
- )
- >=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
- !static? (
- ${LIB_DEPEND//\[static-libs(+)]}
- ldns? (
- !bindist? ( net-libs/ldns[ecdsa,ssl] )
- bindist? ( net-libs/ldns[-ecdsa,ssl] )
- )
- )
- pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
- static? (
- ${LIB_DEPEND}
- ldns? (
- !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
- )
- )
- virtual/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( virtual/shadow )
- X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use X509 && maybe_fail X509 X509_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
- $(use hpn && maybe_fail hpn HPN_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- eerror "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
- die "USE=tcpd no longer works"
- fi
-}
-
-save_version() {
- # version.h patch conflict avoidence
- mv version.h version.h.$1
- cp -f version.h.pristine version.h
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
- # keep this as we need it to avoid the conflict between LPK and HPN changing
- # this file.
- cp version.h version.h.pristine
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- epatch "${FILESDIR}"/${PN}-6.8_p1-sshd-gssapi-multihomed.patch #378361
- if use X509 ; then
- pushd .. >/dev/null
- epatch "${WORKDIR}"/${P}-x509-${X509_VER}-glue.patch
- epatch "${FILESDIR}"/${P}-sctp-x509-glue.patch
- popd >/dev/null
- epatch "${WORKDIR}"/${X509_PATCH%.*}
- epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
- save_version X509
- fi
- if use ldap ; then
- epatch "${WORKDIR}"/${LDAP_PATCH%.*}
- save_version LPK
- fi
- epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- epatch "${FILESDIR}"/${PN}-6.8_p1-ssh-keygen-no-ssh1.patch #544078
- epatch "${FILESDIR}"/${PN}-6.8_p1-teraterm.patch #547944
- # The X509 patchset fixes this independently.
- use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
- epatch "${WORKDIR}"/${P}-sctp.patch
- if use hpn ; then
- # The teraterm patch pulled in an upstream update.
- pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null
- epatch "${FILESDIR}"/${PN}-6.8_p1-teraterm-hpn-glue.patch
- popd >/dev/null
- EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
- EPATCH_MULTI_MSG="Applying HPN patchset ..." \
- epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
- save_version HPN
- fi
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- epatch_user #473004
-
- # Now we can build a sane merged version.h
- (
- sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
- macros=()
- for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
- printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
- ) > version.h
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
- addpredict /etc/skey/skeykeys # skey configure code triggers this
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"/var/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the ldap patch conditionally, so can't pass --without-ldap # ' # <-- Syntax highlight fail
- # unconditionally else we get unknown flag warnings.
- $(use ldap && use_with ldap)
- $(use_with ldns)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with sctp)
- $(use_with selinux)
- $(use_with skey)
- $(use_with ssh1)
- # The X509 patch deletes this option entirely.
- $(use X509 || use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- )
-
- # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
- if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
- myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
- append-ldflags -lutil
- fi
-
- econf "${myconf[@]}"
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.4 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
- keepdir /var/empty
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- # Gentoo tweaks to default config files
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables #367017
- AcceptEnv LANG LC_*
- EOF
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables #367017
- SendEnv LANG LC_*
- EOF
-
- # This instruction is from the HPN webpage,
- # Used for the server logging functionality
- if [[ -n ${HPN_PATCH} ]] && use hpn ; then
- keepdir /var/empty/dev
- fi
-
- if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- insinto /etc/openldap/schema/
- newins openssh-lpk_openldap.schema openssh-lpk.schema
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
- local t tests skipped failed passed shell
- tests="interop-tests compat-tests"
- skipped=""
- shell=$(egetshell ${UID})
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite"
- elog "requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped="${skipped} tests"
- else
- tests="${tests} tests"
- fi
- # It will also attempt to write to the homedir .ssh
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in ${tests} ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" \
- emake -k -j1 ${t} </dev/null \
- && passed="${passed}${t} " \
- || failed="${failed}${t} "
- done
- einfo "Passed tests: ${passed}"
- ewarn "Skipped tests: ${skipped}"
- if [[ -n ${failed} ]] ; then
- ewarn "Failed tests: ${failed}"
- die "Some tests failed: ${failed}"
- else
- einfo "Failed tests: ${failed}"
- return 0
- fi
-}
-
-pkg_preinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
- if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- ewarn "Remember to merge your config files in /etc/ssh/ and then"
- ewarn "reload sshd: '/etc/init.d/sshd reload'."
- # This instruction is from the HPN webpage,
- # Used for the server logging functionality
- if [[ -n ${HPN_PATCH} ]] && use hpn ; then
- einfo "For the HPN server logging patch, you must ensure that"
- einfo "your syslog application also listens at /var/empty/dev/log."
- fi
- elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has"
- elog " dropped it. Make sure to update any configs that you might have."
-}
diff --git a/net-misc/openssh/openssh-6.9_p1-r1.ebuild b/net-misc/openssh/openssh-6.9_p1-r1.ebuild
deleted file mode 100644
index 0c13e497..00000000
--- a/net-misc/openssh/openssh-6.9_p1-r1.ebuild
+++ /dev/null
@@ -1,323 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.9_p1-r1.ebuild,v 1.1 2015/07/01 22:53:26 chutzpah Exp $
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-HPN_PATCH="${PN}-6.9p1-hpnssh14v5.tar.xz"
-LDAP_PATCH="${PN}-lpk-6.8p1-0.3.14.patch.xz"
-X509_VER="8.4" X509_PATCH="${PN}-6.9p1+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- mirror://gentoo/${PN}-6.8_p1-sctp.patch.xz
- ${HPN_PATCH:+hpn? (
- mirror://gentoo/${HPN_PATCH}
- http://dev.gentoo.org/~polynomial-c/${HPN_PATCH}
- mirror://sourceforge/hpnssh/${HPN_PATCH}
- )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
- ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
- "
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
-REQUIRED_USE="pie? ( !static )
- ssh1? ( ssl )
- static? ( !kerberos !pam )
- X509? ( !ldap ssl )"
-
-LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
- libedit? ( dev-libs/libedit[static-libs(+)] )
- ssl? (
- >=dev-libs/openssl-0.9.6d:0[bindist=]
- dev-libs/openssl[static-libs(+)]
- )
- >=sys-libs/zlib-1.2.3[static-libs(+)]"
-RDEPEND="
- !static? (
- ${LIB_DEPEND//\[static-libs(+)]}
- ldns? (
- !bindist? ( net-libs/ldns[ecdsa,ssl] )
- bindist? ( net-libs/ldns[-ecdsa,ssl] )
- )
- )
- pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
- static? (
- ${LIB_DEPEND}
- ldns? (
- !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
- )
- )
- virtual/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( virtual/shadow )
- X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use X509 && maybe_fail X509 X509_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
- $(use hpn && maybe_fail hpn HPN_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- eerror "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- eerror "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
- die "USE=tcpd no longer works"
- fi
-}
-
-save_version() {
- # version.h patch conflict avoidence
- mv version.h version.h.$1
- cp -f version.h.pristine version.h
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
- # keep this as we need it to avoid the conflict between LPK and HPN changing
- # this file.
- cp version.h version.h.pristine
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- if use X509 ; then
- pushd .. >/dev/null
- #epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch
- epatch "${FILESDIR}"/${PN}-6.8_p1-sctp-x509-glue.patch
- popd >/dev/null
- epatch "${WORKDIR}"/${X509_PATCH%.*}
- epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
- epatch "${FILESDIR}"/${PN}-6.9_p1-x509-warnings.patch
- save_version X509
- fi
- if use ldap ; then
- epatch "${WORKDIR}"/${LDAP_PATCH%.*}
- save_version LPK
- fi
- epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- # The X509 patchset fixes this independently.
- use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
- epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
- if use hpn ; then
- EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
- EPATCH_MULTI_MSG="Applying HPN patchset ..." \
- epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
- save_version HPN
- fi
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- epatch_user #473004
-
- # Now we can build a sane merged version.h
- (
- sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
- macros=()
- for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
- printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
- ) > version.h
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
- addpredict /etc/skey/skeykeys # skey configure code triggers this
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"/var/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the ldap patch conditionally, so can't pass --without-ldap # ' # <-- Syntax highlight fail
- # unconditionally else we get unknown flag warnings.
- $(use ldap && use_with ldap)
- $(use_with ldns)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with sctp)
- $(use_with selinux)
- $(use_with skey)
- $(use_with ssh1)
- # The X509 patch deletes this option entirely.
- $(use X509 || use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- )
-
- # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
- if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
- myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
- append-ldflags -lutil
- fi
-
- econf "${myconf[@]}"
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.4 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
- keepdir /var/empty
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- # Gentoo tweaks to default config files
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables #367017
- AcceptEnv LANG LC_*
- EOF
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables #367017
- SendEnv LANG LC_*
- EOF
-
- # This instruction is from the HPN webpage,
- # Used for the server logging functionality
- if [[ -n ${HPN_PATCH} ]] && use hpn ; then
- keepdir /var/empty/dev
- fi
-
- if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- insinto /etc/openldap/schema/
- newins openssh-lpk_openldap.schema openssh-lpk.schema
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
- local t tests skipped failed passed shell
- tests="interop-tests compat-tests"
- skipped=""
- shell=$(egetshell ${UID})
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite"
- elog "requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped="${skipped} tests"
- else
- tests="${tests} tests"
- fi
- # It will also attempt to write to the homedir .ssh
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in ${tests} ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" \
- emake -k -j1 ${t} </dev/null \
- && passed="${passed}${t} " \
- || failed="${failed}${t} "
- done
- einfo "Passed tests: ${passed}"
- ewarn "Skipped tests: ${skipped}"
- if [[ -n ${failed} ]] ; then
- ewarn "Failed tests: ${failed}"
- die "Some tests failed: ${failed}"
- else
- einfo "Failed tests: ${failed}"
- return 0
- fi
-}
-
-pkg_preinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
- if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- ewarn "Remember to merge your config files in /etc/ssh/ and then"
- ewarn "reload sshd: '/etc/init.d/sshd reload'."
- # This instruction is from the HPN webpage,
- # Used for the server logging functionality
- if [[ -n ${HPN_PATCH} ]] && use hpn ; then
- einfo "For the HPN server logging patch, you must ensure that"
- einfo "your syslog application also listens at /var/empty/dev/log."
- fi
- elog "Note: openssh-6.7 versions no longer support USE=tcpd as upstream has"
- elog " dropped it. Make sure to update any configs that you might have."
-}
diff --git a/net-misc/openssh/openssh-6.9_p1-r2.ebuild b/net-misc/openssh/openssh-6.9_p1-r2.ebuild
index dadf6e0a..1df05cde 100644
--- a/net-misc/openssh/openssh-6.9_p1-r2.ebuild
+++ b/net-misc/openssh/openssh-6.9_p1-r2.ebuild
@@ -30,7 +30,7 @@ LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
# Probably want to drop ssl defaulting to on in a future version.
-IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey ssh1 +ssl static X X509"
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos ldap ldns libedit -libseccomp pam +pie sctp selinux skey ssh1 +ssl static X X509 abi_x86_x32"
REQUIRED_USE="ldns? ( ssl )
pie? ( !static )
ssh1? ( ssl )
@@ -44,6 +44,7 @@ LIB_DEPEND="
bindist? ( net-libs/ldns[-ecdsa,ssl] )
)
libedit? ( dev-libs/libedit[static-libs(+)] )
+ libseccomp? ( sys-libs/libseccomp )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
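Review bot: `libseccomp? ( sys-libs/libseccomp )` is the only entry visible in this part of LIB_DEPEND without `[static-libs(+)]`, so a build with both `static` and `libseccomp` enabled is not guaranteed a static libseccomp to link against. Either write it as `libseccomp? ( sys-libs/libseccomp[static-libs(+)] )` or add `static? ( !libseccomp )` to REQUIRED_USE. LIB_DEPEND begins above this hunk.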
@@ -112,6 +113,9 @@ src_prepare() {
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+ if use libseccomp; then
+ epatch "${FILESDIR}"/${PN}-6.9_p1-libseccomp.patch
+ fi
if use X509 ; then
pushd .. >/dev/null
#epatch "${WORKDIR}"/${PN}-6.8_p1-x509-${X509_VER}-glue.patch
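Review bot: The libseccomp patch is applied with no comment on its origin, although the warning added in src_configure calls libseccomp support experimental and, judging by the `--with-sandbox=libseccomp_filter` option, it changes sshd's privilege-separation sandbox. A line such as `# local, experimental: libseccomp-based privsep sandbox (<origin / bug reference>)` above the `if` would tell the next maintainer what to re-check on a version bump. The file's other conditionals are written `if use X509 ; then`, so `if use libseccomp ; then` would match. src_prepare starts and ends outside this hunk.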
@@ -130,7 +134,7 @@ src_prepare() {
epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
# The X509 patchset fixes this independently.
use X509 || epatch "${FILESDIR}"/${PN}-6.8_p1-ssl-engine-configure.patch
- epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
+ #epatch "${WORKDIR}"/${PN}-6.8_p1-sctp.patch
if use hpn ; then
EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
EPATCH_MULTI_MSG="Applying HPN patchset ..." \
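Review bot: The sctp patch is commented out here, but `sctp` remains in IUSE and `sctp? ( net-misc/lksctp-tools[static-libs(+)] )` remains in LIB_DEPEND in the hunks above. USE=sctp therefore still pulls in the dependency and, if `$(use_with sctp)` is still in src_configure (outside this hunk), passes an option the unpatched configure presumably does not know. Either drop the flag, the dependency and the configure argument together, or keep the patch and record why it was disabled with `# sctp patch disabled: <reason / bug reference>`.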
@@ -198,7 +202,17 @@ src_configure() {
$(use X509 || use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
+ $(use_with libseccomp sandbox libseccomp_filter)
)
+ if use abi_x86_x32 && ! use libseccomp; then
+ ewarn "The default 'seccomp' sandbox does not work correctly on x32, and so - without"
+ ewarn "experimental libseccomp support at least - it is required that this build"
+ ewarn "fallback to the basic 'rlimit' sandbox, where a child process is prevented from"
+ ewarn "forking or opening new network connections by having setrlimit() called to reset"
+ ewarn "its hard-limit of file descriptors and processes to zero. As such, this is a"
+ ewarn "very basic fallback choice where no better alternative is available."
+ myconf+=( --with-sandbox=rlimit )
+ fi
# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
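Review bot: `$(use_with libseccomp sandbox libseccomp_filter)` expands to `--without-sandbox` whenever the flag is off, which is the default this commit sets in IUSE. The stock OpenSSH configure treats that as sandbox style "none", so every build without libseccomp loses the pre-auth privilege-separation sandbox instead of keeping configure's automatic choice. Only the x32 branch below escapes this, because its later `--with-sandbox=rlimit` overrides the earlier argument. Emit the option only when the flag is on, for example `$(use libseccomp && use_with libseccomp sandbox libseccomp_filter)`, the same form the sibling ebuilds use for ldap. The start of src_configure is outside this hunk.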