authorLuke <luke.wilde@live.co.uk>2020-09-26 08:12:27 -0700
committerAndreas Kling <kling@serenityos.org>2020-09-27 01:02:11 +0200
commit0f5214447790afa11907f57a2dcac70cb64655a7 (patch)
tree8bf101215af8e26a43532962001f26cb39e66eef /Ports/openssh/patches
parentbf809226de1065da088f437fff416aecf6a95ca9 (diff)
Ports: Add OpenSSH port
Diffstat (limited to 'Ports/openssh/patches')
-rw-r--r--Ports/openssh/patches/config.sub.patch13
-rw-r--r--Ports/openssh/patches/limits.patch300
-rw-r--r--Ports/openssh/patches/missing_functionality.patch641
-rw-r--r--Ports/openssh/patches/missing_stdio.patch16
-rw-r--r--Ports/openssh/patches/pledge_sigaction.patch42
-rw-r--r--Ports/openssh/patches/reimplement_read_passphrase.patch99
-rw-r--r--Ports/openssh/patches/remove_inet_aton_redef.patch209
-rw-r--r--Ports/openssh/patches/scanf_assume_ssh20.patch51
-rw-r--r--Ports/openssh/patches/sftp_pipes.patch16
9 files changed, 1387 insertions, 0 deletions
diff --git a/Ports/openssh/patches/config.sub.patch b/Ports/openssh/patches/config.sub.patch
new file mode 100644
index 0000000000..999839c90a
--- /dev/null
+++ b/Ports/openssh/patches/config.sub.patch
@@ -0,0 +1,13 @@
+cd1bd18834e519c4787a4e3672fa0afdf1b22da7 Add Serenity to config.sub
+diff --git a/config.sub b/config.sub
+index 973a2980..cf386e5c 100755
+--- a/config.sub
++++ b/config.sub
+@@ -1339,6 +1339,7 @@ case $os in
+ # Each alternative MUST end in a * to match a version number.
+ # sysv* is not here because it comes later, after sysvr4.
+ gnu* | bsd* | mach* | minix* | genix* | ultrix* | irix* \
++ | serenity* \
+ | *vms* | esix* | aix* | cnk* | sunos | sunos[34]*\
+ | hpux* | unos* | osf* | luna* | dgux* | auroraux* | solaris* \
+ | sym* | kopensolaris* | plan9* \
diff --git a/Ports/openssh/patches/limits.patch b/Ports/openssh/patches/limits.patch
new file mode 100644
index 0000000000..54413ad584
--- /dev/null
+++ b/Ports/openssh/patches/limits.patch
@@ -0,0 +1,300 @@
+90d6ca5fd87f81c62f3cdde73d4366cfccbab846 Add serenity_limits.h as a slight replacement of limits.h
+diff --git a/auth.c b/auth.c
+index 086b8ebb..494bb824 100644
+--- a/auth.c
++++ b/auth.c
+@@ -77,6 +77,10 @@
+ #include "compat.h"
+ #include "channels.h"
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ /* import */
+ extern ServerOptions options;
+ extern struct include_list includes;
+diff --git a/clientloop.c b/clientloop.c
+index 3ff4ea89..80fd49fa 100644
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -112,6 +112,10 @@
+ #include "ssherr.h"
+ #include "hostfile.h"
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ /* import options */
+ extern Options options;
+
+diff --git a/misc.c b/misc.c
+index 67464ef2..2442c744 100644
+--- a/misc.c
++++ b/misc.c
+@@ -77,6 +77,10 @@
+ #include "ssherr.h"
+ #include "platform.h"
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ /* remove newline at end of string */
+ char *
+ chop(char *s)
+diff --git a/moduli.c b/moduli.c
+index 8dd36b1c..afee5a25 100644
+--- a/moduli.c
++++ b/moduli.c
+@@ -62,6 +62,10 @@
+
+ #include "openbsd-compat/openssl-compat.h"
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ /*
+ * File output defines
+ */
+diff --git a/openbsd-compat/bsd-closefrom.c b/openbsd-compat/bsd-closefrom.c
+index 8fadca2d..d645c4c7 100644
+--- a/openbsd-compat/bsd-closefrom.c
++++ b/openbsd-compat/bsd-closefrom.c
+@@ -50,6 +50,10 @@
+ # include <libproc.h>
+ #endif
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ #ifndef OPEN_MAX
+ # define OPEN_MAX 256
+ #endif
+diff --git a/openbsd-compat/glob.c b/openbsd-compat/glob.c
+index e8915178..0d3ee0b2 100644
+--- a/openbsd-compat/glob.c
++++ b/openbsd-compat/glob.c
+@@ -76,6 +76,10 @@
+ #include <string.h>
+ #include <unistd.h>
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ #if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || \
+ !defined(GLOB_HAS_GL_MATCHC) || !defined(GLOB_HAS_GL_STATV) || \
+ !defined(HAVE_DECL_GLOB_NOMATCH) || HAVE_DECL_GLOB_NOMATCH == 0 || \
+diff --git a/readconf.c b/readconf.c
+index 034ad492..8ecaf697 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -70,6 +70,10 @@
+ #include "myproposal.h"
+ #include "digest.h"
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ /* Format of the configuration file:
+
+ # Configuration data is parsed as follows:
+diff --git a/scp.c b/scp.c
+index b4492a06..155029aa 100644
+--- a/scp.c
++++ b/scp.c
+@@ -123,6 +123,10 @@
+ #include "progressmeter.h"
+ #include "utf8.h"
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ extern char *__progname;
+
+ #define COPY_BUFLEN 16384
+diff --git a/serenity_limits.h b/serenity_limits.h
+new file mode 100644
+index 00000000..8ee56cc2
+--- /dev/null
++++ b/serenity_limits.h
+@@ -0,0 +1,38 @@
++/*
++ * Copyright (c) 2020, The SerenityOS developers.
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright notice, this
++ * list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright notice,
++ * this list of conditions and the following disclaimer in the documentation
++ * and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
++ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
++ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++/*
++ * This header exists because limits.h just straight up does not work.
++ * OpenSSH requires PATH_MAX and SSIZE_MAX and while all the files that require it do include limits.h, it just does not work.
++ * For example:
++ * auth.c:430:30: error: 'PATH_MAX' undeclared (first use in this function)
++ * 430 | char *file, uidstr[32], ret[PATH_MAX];
++ * |
++ * But, defining them here does work? No idea why any of this happens.
++ */
++
++#define PATH_MAX 4096
++#define SSIZE_MAX 2147483647
+diff --git a/servconf.c b/servconf.c
+index 02b68a9a..dddf1b3c 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -72,6 +72,10 @@
+ #include "myproposal.h"
+ #include "digest.h"
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ static void add_listen_addr(ServerOptions *, const char *,
+ const char *, int);
+ static void add_one_listen_addr(ServerOptions *, const char *,
+diff --git a/session.c b/session.c
+index 18cdfa8c..ca1f0c8b 100644
+--- a/session.c
++++ b/session.c
+@@ -105,6 +105,10 @@
+ #include <selinux/selinux.h>
+ #endif
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ #define IS_INTERNAL_SFTP(c) \
+ (!strncmp(c, INTERNAL_SFTP_NAME, sizeof(INTERNAL_SFTP_NAME) - 1) && \
+ (c[sizeof(INTERNAL_SFTP_NAME) - 1] == '\0' || \
+diff --git a/sftp-realpath.c b/sftp-realpath.c
+index 9ac40181..d3c71ecd 100644
+--- a/sftp-realpath.c
++++ b/sftp-realpath.c
+@@ -44,6 +44,10 @@
+ # define SYMLOOP_MAX 32
+ #endif
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ /* XXX rewrite sftp-server to use POSIX realpath and remove this hack */
+
+ char *sftp_realpath(const char *path, char *resolved);
+diff --git a/sftp-server.c b/sftp-server.c
+index 359204fa..36c2f263 100644
+--- a/sftp-server.c
++++ b/sftp-server.c
+@@ -51,6 +51,10 @@
+ #include "sftp.h"
+ #include "sftp-common.h"
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ char *sftp_realpath(const char *, char *); /* sftp-realpath.c */
+
+ /* Our verbosity */
+diff --git a/sftp.c b/sftp.c
+index 9ce7055a..a5cb9cee 100644
+--- a/sftp.c
++++ b/sftp.c
+@@ -70,6 +70,10 @@ typedef void EditLine;
+ #include "sftp-common.h"
+ #include "sftp-client.h"
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
+ #define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
+
+diff --git a/ssh-add.c b/ssh-add.c
+index e218270b..ad2fbf44 100644
+--- a/ssh-add.c
++++ b/ssh-add.c
+@@ -68,6 +68,10 @@
+ #include "digest.h"
+ #include "ssh-sk.h"
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ /* argv0 */
+ extern char *__progname;
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 811dc115..22d0fbe5 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -92,6 +92,10 @@
+ #include "ssh-pkcs11.h"
+ #include "sk-api.h"
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ #ifndef DEFAULT_PROVIDER_WHITELIST
+ # define DEFAULT_PROVIDER_WHITELIST "/usr/lib*/*,/usr/local/lib*/*"
+ #endif
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index 85e8a9e2..129d3276 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -66,6 +66,10 @@
+ #include "ssh-sk.h"
+ #include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ #ifdef WITH_OPENSSL
+ # define DEFAULT_KEY_TYPE_NAME "rsa"
+ #else
+diff --git a/ssh.c b/ssh.c
+index 98b6ce78..5e559a5c 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -113,6 +113,10 @@
+ #include "ssh-pkcs11.h"
+ #endif
+
++#ifdef __serenity__
++#include "serenity_limits.h"
++#endif
++
+ extern char *__progname;
+
+ /* Saves a copy of argv for setproctitle emulation */
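Review bot: serenity_limits.h defines `PATH_MAX` and `SSIZE_MAX` unconditionally and has no include guard, so once `<limits.h>` does provide them the build gets redefinition diagnostics or values that disagree with libc. Wrap each definition as `#ifndef PATH_MAX` / `#define PATH_MAX 4096` / `#endif` (likewise for `SSIZE_MAX`) and add a header guard. The hard-coded `2147483647` assumes a 32-bit `ssize_t`, and 4096 should be confirmed against the path limit the Serenity kernel actually enforces, because OpenSSH sizes buffers such as `ret[PATH_MAX]` in auth.c from it. Since the header comment says the root cause is unknown, a TODO naming the libc header to fix would make it clear this is a temporary workaround.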
diff --git a/Ports/openssh/patches/missing_functionality.patch b/Ports/openssh/patches/missing_functionality.patch
new file mode 100644
index 0000000000..e4ba95fe6d
--- /dev/null
+++ b/Ports/openssh/patches/missing_functionality.patch
@@ -0,0 +1,641 @@
+08ba07f3ef1eb9cc40204cda0af3886ee071fd47 Ifdef out unimplemented functionality
+diff --git a/atomicio.c b/atomicio.c
+index e00c9f0d..e51a9999 100644
+--- a/atomicio.c
++++ b/atomicio.c
+@@ -120,7 +120,7 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
+ memcpy(iov, _iov, (size_t)iovcnt * sizeof(*_iov));
+
+ pfd.fd = fd;
+-#ifndef BROKEN_READV_COMPARISON
++#if !defined(BROKEN_READV_COMPARISON) && !defined(__serenity__)
+ pfd.events = f == readv ? POLLIN : POLLOUT;
+ #else
+ pfd.events = POLLIN|POLLOUT;
+diff --git a/defines.h b/defines.h
+index b8ea88b2..1089ee18 100644
+--- a/defines.h
++++ b/defines.h
+@@ -55,8 +55,13 @@ enum
+ /*
+ * Definitions for IP type of service (ip_tos)
+ */
++#ifndef __serenity__
+ #include <netinet/in_systm.h>
++#endif
+ #include <netinet/ip.h>
++#ifdef __serenity__
++#include <arpa/inet.h>
++#endif
+ #ifndef IPTOS_LOWDELAY
+ # define IPTOS_LOWDELAY 0x10
+ # define IPTOS_THROUGHPUT 0x08
+diff --git a/dns.c b/dns.c
+index e4f9bf83..779886fa 100644
+--- a/dns.c
++++ b/dns.c
+@@ -25,6 +25,8 @@
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
++#ifndef __serenity__
++
+ #include "includes.h"
+
+ #include <sys/types.h>
+@@ -353,3 +355,5 @@ export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
+
+ return success;
+ }
++
++#endif
+diff --git a/dns.h b/dns.h
+index 91f3c632..0de0a81b 100644
+--- a/dns.h
++++ b/dns.h
+@@ -25,6 +25,8 @@
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
++#ifndef __serenity__
++
+ #ifndef DNS_H
+ #define DNS_H
+
+@@ -56,3 +58,5 @@ int verify_host_key_dns(const char *, struct sockaddr *,
+ int export_dns_rr(const char *, struct sshkey *, FILE *, int);
+
+ #endif /* DNS_H */
++
++#endif
+diff --git a/hostfile.c b/hostfile.c
+index a4a35597..699d7f2c 100644
+--- a/hostfile.c
++++ b/hostfile.c
+@@ -44,7 +44,9 @@
+ #include <netinet/in.h>
+
+ #include <errno.h>
++#ifndef __serenity__
+ #include <resolv.h>
++#endif
+ #include <stdarg.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+diff --git a/includes.h b/includes.h
+index 0fd71792..405d3aa2 100644
+--- a/includes.h
++++ b/includes.h
+@@ -110,7 +110,9 @@
+ #endif
+
+ #include <netinet/in.h>
++#ifndef __serenity__
+ #include <netinet/in_systm.h> /* For typedefs */
++#endif
+ #ifdef HAVE_RPC_TYPES_H
+ # include <rpc/types.h> /* For INADDR_LOOPBACK */
+ #endif
+diff --git a/loginrec.c b/loginrec.c
+index e5289deb..c670f0be 100644
+--- a/loginrec.c
++++ b/loginrec.c
+@@ -460,7 +460,7 @@ login_write(struct logininfo *li)
+ #ifdef USE_WTMP
+ wtmp_write_entry(li);
+ #endif
+-#ifdef USE_UTMPX
++#ifndef __serenity__
+ utmpx_write_entry(li);
+ #endif
+ #ifdef USE_WTMPX
+@@ -493,7 +493,7 @@ login_utmp_only(struct logininfo *li)
+ # ifdef USE_WTMP
+ wtmp_write_entry(li);
+ # endif
+-# ifdef USE_UTMPX
++# ifndef __serenity__
+ utmpx_write_entry(li);
+ # endif
+ # ifdef USE_WTMPX
+@@ -724,7 +724,7 @@ construct_utmp(struct logininfo *li,
+ ** variations.
+ **/
+
+-#if defined(USE_UTMPX) || defined (USE_WTMPX)
++#if !defined(__serenity__)
+ /* build the utmpx structure */
+ void
+ set_utmpx_time(struct logininfo *li, struct utmpx *utx)
+@@ -983,7 +983,7 @@ utmp_write_entry(struct logininfo *li)
+ **/
+
+ /* not much point if we don't want utmpx entries */
+-#ifdef USE_UTMPX
++#ifndef __serenity__
+
+ /* if we have the wherewithall, use pututxline etc. */
+ # if !defined(DISABLE_PUTUTXLINE) && defined(HAVE_SETUTXENT) && \
+diff --git a/misc.c b/misc.c
+index 554ceb0b..67464ef2 100644
+--- a/misc.c
++++ b/misc.c
+@@ -50,7 +50,9 @@
+ #include <unistd.h>
+
+ #include <netinet/in.h>
++#ifndef __serenity__
+ #include <netinet/in_systm.h>
++#endif
+ #include <netinet/ip.h>
+ #include <netinet/tcp.h>
+ #include <arpa/inet.h>
+diff --git a/monitor.c b/monitor.c
+index b6e855d5..bde8f383 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1752,8 +1752,10 @@ monitor_openfds(struct monitor *mon, int do_logfds)
+ int on = 1;
+ #endif
+
++#ifndef __serenity__
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1)
+ fatal("%s: socketpair: %s", __func__, strerror(errno));
++#endif
+ #ifdef SO_ZEROIZE
+ if (setsockopt(pair[0], SOL_SOCKET, SO_ZEROIZE, &on, sizeof(on)) == -1)
+ error("setsockopt SO_ZEROIZE(0): %.100s", strerror(errno));
+diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
+index 059b6d3b..2a248c81 100644
+--- a/openbsd-compat/bsd-misc.c
++++ b/openbsd-compat/bsd-misc.c
+@@ -362,7 +362,7 @@ pledge(const char *promises, const char *paths[])
+ }
+ #endif
+
+-#ifndef HAVE_MBTOWC
++#if !defined(HAVE_MBTOWC) && !defined(__serenity__)
+ /* a mbtowc that only supports ASCII */
+ int
+ mbtowc(wchar_t *pwc, const char *s, size_t n)
+diff --git a/openbsd-compat/getrrsetbyname-ldns.c b/openbsd-compat/getrrsetbyname-ldns.c
+index 4647b623..d684f6fb 100644
+--- a/openbsd-compat/getrrsetbyname-ldns.c
++++ b/openbsd-compat/getrrsetbyname-ldns.c
+@@ -43,6 +43,8 @@
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
++#ifndef __serenity__
++
+ #include "includes.h"
+
+ #if !defined (HAVE_GETRRSETBYNAME) && defined (HAVE_LDNS)
+@@ -282,3 +284,5 @@ freerrset(struct rrsetinfo *rrset)
+
+
+ #endif /* !defined (HAVE_GETRRSETBYNAME) && defined (HAVE_LDNS) */
++
++#endif
+diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
+index dc6fe053..9e7fefd0 100644
+--- a/openbsd-compat/getrrsetbyname.c
++++ b/openbsd-compat/getrrsetbyname.c
+@@ -45,6 +45,8 @@
+
+ /* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */
+
++#ifndef __serenity__
++
+ #include "includes.h"
+
+ #if !defined (HAVE_GETRRSETBYNAME) && !defined (HAVE_LDNS)
+@@ -608,3 +610,5 @@ count_dns_rr(struct dns_rr *p, u_int16_t class, u_int16_t type)
+ }
+
+ #endif /* !defined (HAVE_GETRRSETBYNAME) && !defined (HAVE_LDNS) */
++
++#endif
+diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
+index 1283f550..0b33705e 100644
+--- a/openbsd-compat/getrrsetbyname.h
++++ b/openbsd-compat/getrrsetbyname.h
+@@ -45,6 +45,8 @@
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
++#ifndef __serenity__
++
+ #ifndef _GETRRSETBYNAME_H
+ #define _GETRRSETBYNAME_H
+
+@@ -108,3 +110,5 @@ void freerrset(struct rrsetinfo *);
+ #endif /* !defined(HAVE_GETRRSETBYNAME) */
+
+ #endif /* _GETRRSETBYNAME_H */
++
++#endif
+diff --git a/openbsd-compat/mktemp.c b/openbsd-compat/mktemp.c
+index 4eb52f42..50e1bb12 100644
+--- a/openbsd-compat/mktemp.c
++++ b/openbsd-compat/mktemp.c
+@@ -34,7 +34,7 @@
+ #include <ctype.h>
+ #include <unistd.h>
+
+-#if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP)
++#if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP) && !defined(__serenity__)
+
+ #define MKTEMP_NAME 0
+ #define MKTEMP_FILE 1
+diff --git a/readconf.c b/readconf.c
+index 2afcbaec..034ad492 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -21,7 +21,9 @@
+ #include <sys/un.h>
+
+ #include <netinet/in.h>
++#ifndef __serenity__
+ #include <netinet/in_systm.h>
++#endif
+ #include <netinet/ip.h>
+ #include <arpa/inet.h>
+
+@@ -1064,11 +1066,12 @@ parse_time:
+ case oCheckHostIP:
+ intptr = &options->check_host_ip;
+ goto parse_flag;
+-
++#ifndef __serenity__
+ case oVerifyHostKeyDNS:
+ intptr = &options->verify_host_key_dns;
+ multistate_ptr = multistate_yesnoask;
+ goto parse_multistate;
++ #endif
+
+ case oStrictHostKeyChecking:
+ intptr = &options->strict_host_key_checking;
+diff --git a/regress/netcat.c b/regress/netcat.c
+index fe94dd90..57c52d3b 100644
+--- a/regress/netcat.c
++++ b/regress/netcat.c
+@@ -1369,7 +1369,9 @@ usage(int ret)
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#ifndef __serenity__
+ #include <resolv.h>
++#endif
+
+ #define SOCKS_PORT "1080"
+ #define HTTP_PROXY_PORT "3128"
+diff --git a/sandbox-pledge.c b/sandbox-pledge.c
+index d28fc272..a244241c 100644
+--- a/sandbox-pledge.c
++++ b/sandbox-pledge.c
+@@ -21,7 +21,9 @@
+
+ #include <sys/types.h>
+ #include <sys/ioctl.h>
++#ifndef __serenity__
+ #include <sys/syscall.h>
++#endif
+ #include <sys/socket.h>
+ #include <sys/wait.h>
+
+diff --git a/servconf.c b/servconf.c
+index ba0a92c7..02b68a9a 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -20,7 +20,9 @@
+ #endif
+
+ #include <netinet/in.h>
++#ifndef __serenity__
+ #include <netinet/in_systm.h>
++#endif
+ #include <netinet/ip.h>
+ #ifdef HAVE_NET_ROUTE_H
+ #include <net/route.h>
+diff --git a/ssh-add.c b/ssh-add.c
+index a40198ab..e218270b 100644
+--- a/ssh-add.c
++++ b/ssh-add.c
+@@ -535,6 +535,7 @@ lock_agent(int agent_fd, int lock)
+ return (ret);
+ }
+
++#ifndef __serenity__
+ static int
+ load_resident_keys(int agent_fd, const char *skprovider, int qflag)
+ {
+@@ -583,6 +584,7 @@ load_resident_keys(int agent_fd, const char *skprovider, int qflag)
+ return SSH_ERR_KEY_NOT_FOUND;
+ return ok == 1 ? 0 : ok;
+ }
++#endif
+
+ static int
+ do_file(int agent_fd, int deleting, int key_only, char *file, int qflag,
+@@ -775,6 +777,7 @@ main(int argc, char **argv)
+ ret = 1;
+ goto done;
+ }
++ #ifndef __serenity__
+ if (do_download) {
+ if (skprovider == NULL)
+ fatal("Cannot download keys without provider");
+@@ -782,6 +785,7 @@ main(int argc, char **argv)
+ ret = 1;
+ goto done;
+ }
++ #endif
+ if (argc == 0) {
+ char buf[PATH_MAX];
+ struct passwd *pw;
+diff --git a/ssh-agent.c b/ssh-agent.c
+index e081413b..811dc115 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1308,10 +1308,12 @@ main(int ac, char **av)
+ * a few spare for libc / stack protectors / sanitisers, etc.
+ */
+ #define SSH_AGENT_MIN_FDS (3+1+1+1+4)
++#ifndef __serenity__
+ if (rlim.rlim_cur < SSH_AGENT_MIN_FDS)
+ fatal("%s: file descriptor rlimit %lld too low (minimum %u)",
+ __progname, (long long)rlim.rlim_cur, SSH_AGENT_MIN_FDS);
+ maxfds = rlim.rlim_cur - SSH_AGENT_MIN_FDS;
++#endif
+
+ parent_pid = getpid();
+
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index 2c5c75db..85e8a9e2 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -1464,6 +1464,7 @@ do_change_passphrase(struct passwd *pw)
+ exit(0);
+ }
+
++#ifndef __serenity__
+ /*
+ * Print the SSHFP RR.
+ */
+@@ -1491,6 +1492,7 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname,
+ free(comment);
+ return 1;
+ }
++#endif
+
+ /*
+ * Change the comment of a private key file.
+@@ -2929,6 +2931,7 @@ skip_ssh_url_preamble(const char *s)
+ return s;
+ }
+
++#ifndef __serenity__
+ static int
+ do_download_sk(const char *skprovider, const char *device)
+ {
+@@ -3026,6 +3029,7 @@ do_download_sk(const char *skprovider, const char *device)
+ free(keys);
+ return ok ? 0 : -1;
+ }
++#endif
+
+ static void
+ usage(void)
+@@ -3437,6 +3441,7 @@ main(int argc, char **argv)
+ }
+ if (pkcs11provider != NULL)
+ do_download(pw);
++#ifndef __serenity__
+ if (download_sk) {
+ for (i = 0; i < nopts; i++) {
+ if (strncasecmp(opts[i], "device=", 7) == 0) {
+@@ -3448,6 +3453,7 @@ main(int argc, char **argv)
+ }
+ return do_download_sk(sk_provider, sk_device);
+ }
++#endif
+ if (print_fingerprint || print_bubblebabble)
+ do_fingerprint(pw);
+ if (change_passphrase)
+@@ -3465,6 +3471,8 @@ main(int argc, char **argv)
+ #endif /* WITH_OPENSSL */
+ if (print_public)
+ do_print_public(pw);
++
++#ifndef __serenity__
+ if (rr_hostname != NULL) {
+ unsigned int n = 0;
+
+@@ -3496,6 +3504,7 @@ main(int argc, char **argv)
+ exit(0);
+ }
+ }
++#endif
+
+ if (do_gen_candidates || do_screen_candidates) {
+ if (argc <= 0)
+@@ -3527,6 +3536,7 @@ main(int argc, char **argv)
+ printf("Generating public/private %s key pair.\n",
+ key_type_name);
+ switch (type) {
++#ifndef __serenity__
+ case KEY_ECDSA_SK:
+ case KEY_ED25519_SK:
+ for (i = 0; i < nopts; i++) {
+@@ -3593,6 +3603,7 @@ main(int argc, char **argv)
+ passphrase = NULL;
+ }
+ break;
++#endif
+ default:
+ if ((r = sshkey_generate(type, bits, &private)) != 0)
+ fatal("sshkey_generate failed");
+diff --git a/ssh-keyscan.c b/ssh-keyscan.c
+index a5e64407..c7964ae9 100644
+--- a/ssh-keyscan.c
++++ b/ssh-keyscan.c
+@@ -311,7 +311,9 @@ keyprint_one(const char *host, struct sshkey *key)
+ found_one = 1;
+
+ if (print_sshfp) {
++#ifndef __serenity__
+ export_dns_rr(host, key, stdout, 0);
++#endif
+ return;
+ }
+
+diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
+index 8a0ffef5..12d05317 100644
+--- a/ssh-pkcs11-client.c
++++ b/ssh-pkcs11-client.c
+@@ -241,6 +241,7 @@ wrap_key(struct sshkey *k)
+ fatal("%s: unknown key type", __func__);
+ }
+
++#ifndef __serenity__
+ static int
+ pkcs11_start_helper_methods(void)
+ {
+@@ -310,6 +311,7 @@ pkcs11_start_helper(void)
+ fd = pair[0];
+ return (0);
+ }
++#endif
+
+ int
+ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+@@ -323,7 +325,11 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+ u_int nkeys, i;
+ struct sshbuf *msg;
+
+- if (fd < 0 && pkcs11_start_helper() < 0)
++ if (fd < 0
++#ifndef __serenity__
++ && pkcs11_start_helper() < 0
++#endif
++ )
+ return (-1);
+
+ if ((msg = sshbuf_new()) == NULL)
+diff --git a/ssh-sk-client.c b/ssh-sk-client.c
+index 8d7e6c30..21b3ab39 100644
+--- a/ssh-sk-client.c
++++ b/ssh-sk-client.c
+@@ -15,6 +15,8 @@
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
++#ifndef __serenity__
++
+ #include "includes.h"
+
+ #include <sys/types.h>
+@@ -447,3 +449,5 @@ sshsk_load_resident(const char *provider_path, const char *device,
+ errno = oerrno;
+ return r;
+ }
++
++#endif
+diff --git a/sshbuf-misc.c b/sshbuf-misc.c
+index 9b5aa208..20c526b1 100644
+--- a/sshbuf-misc.c
++++ b/sshbuf-misc.c
+@@ -28,7 +28,9 @@
+ #include <stdio.h>
+ #include <limits.h>
+ #include <string.h>
++#ifndef __serenity__
+ #include <resolv.h>
++#endif
+ #include <ctype.h>
+
+ #include "ssherr.h"
+diff --git a/sshconnect.c b/sshconnect.c
+index af08be41..9e748a23 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -120,6 +120,7 @@ stderr_null(void)
+ close(devnull);
+ }
+
++#ifndef __serenity__
+ /*
+ * Connect to the given ssh server using a proxy command that passes a
+ * a connected fd back to us.
+@@ -202,6 +203,7 @@ ssh_proxy_fdpass_connect(struct ssh *ssh, const char *host,
+
+ return 0;
+ }
++#endif
+
+ /*
+ * Connect to the given ssh server using a proxy command.
+@@ -566,10 +568,13 @@ ssh_connect(struct ssh *ssh, const char *host, const char *host_arg,
+ if ((ssh_packet_set_connection(ssh, in, out)) == NULL)
+ return -1; /* ssh_packet_set_connection logs error */
+ return 0;
+- } else if (options.proxy_use_fdpass) {
++ }
++ #ifndef __serenity__
++ else if (options.proxy_use_fdpass) {
+ return ssh_proxy_fdpass_connect(ssh, host, host_arg, port,
+ options.proxy_command);
+ }
++ #endif
+ return ssh_proxy_connect(ssh, host, host_arg, port,
+ options.proxy_command);
+ }
+@@ -1218,7 +1223,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
+ goto out;
+ }
+ }
+-
++#ifndef __serenity__
+ if (options.verify_host_key_dns) {
+ /*
+ * XXX certs are not yet supported for DNS, so downgrade
+@@ -1247,6 +1252,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key)
+ }
+ }
+ }
++#endif
+ r = check_host_key(host, hostaddr, options.port, host_key, RDRW,
+ options.user_hostfiles, options.num_user_hostfiles,
+ options.system_hostfiles, options.num_system_hostfiles);
+diff --git a/sshd.c b/sshd.c
+index 6f8f11a3..1ecf3e32 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1231,6 +1231,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
+ continue;
+ }
+
++// FIXME: socketpair is seemingly required for SSHD to work, but doesn't current exist.
++#ifndef __serenity__
+ if (rexec_flag && socketpair(AF_UNIX,
+ SOCK_STREAM, 0, config_s) == -1) {
+ error("reexec socketpair: %s",
+@@ -1240,6 +1242,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
+ close(startup_p[1]);
+ continue;
+ }
++#endif
+
+ for (j = 0; j < options.max_startups; j++)
+ if (startup_pipes[j] == -1) {
+diff --git a/sshkey.c b/sshkey.c
+index 1571e3d9..2b5c611c 100644
+--- a/sshkey.c
++++ b/sshkey.c
+@@ -42,7 +42,9 @@
+ #include <limits.h>
+ #include <stdio.h>
+ #include <string.h>
++#ifndef __serenity__
+ #include <resolv.h>
++#endif
+ #include <time.h>
+ #ifdef HAVE_UTIL_H
+ #include <util.h>
+@@ -2759,6 +2761,7 @@ sshkey_sign(struct sshkey *key,
+ case KEY_ED25519_CERT:
+ r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
+ break;
++ #ifndef __serenity__
+ case KEY_ED25519_SK:
+ case KEY_ED25519_SK_CERT:
+ case KEY_ECDSA_SK_CERT:
+@@ -2766,6 +2769,7 @@ sshkey_sign(struct sshkey *key,
+ r = sshsk_sign(sk_provider, key, sigp, lenp, data,
+ datalen, compat, /* XXX PIN */ NULL);
+ break;
++ #endif
+ #ifdef WITH_XMSS
+ case KEY_XMSS:
+ case KEY_XMSS_CERT:
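Review bot: In the monitor.c hunk `socketpair()` is compiled out on Serenity but the surrounding code still uses `pair[]` (the `setsockopt(pair[0], ...)` under `SO_ZEROIZE` is visible, and the rest of monitor_openfds lies outside the hunk), so the privilege-separation monitor would operate on uninitialised descriptor values. It is safer to fail closed than to skip the call, for example with `#ifdef __serenity__` / `fatal("%s: socketpair is not available on this platform", __func__);`, until the platform provides a replacement. The sshd.c hunk has the same shape: with `rexec_flag` set, `config_s` is never filled in, which the FIXME there acknowledges. Separately, in mktemp.c `&&` binds tighter than `||`, so the added `!defined(__serenity__)` only qualifies the `HAVE_STRICT_MKSTEMP` arm; write `(!defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP)) && !defined(__serenity__)` if the intent is to exclude the whole block.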
diff --git a/Ports/openssh/patches/missing_stdio.patch b/Ports/openssh/patches/missing_stdio.patch
new file mode 100644
index 0000000000..7a2ca5a618
--- /dev/null
+++ b/Ports/openssh/patches/missing_stdio.patch
@@ -0,0 +1,16 @@
+87fc789d2db19db2a65cbf45b53afde5722ad1af Add missing stdio include in bsd-flock
+diff --git a/openbsd-compat/bsd-flock.c b/openbsd-compat/bsd-flock.c
+index 9b15d1ea..bf57389a 100644
+--- a/openbsd-compat/bsd-flock.c
++++ b/openbsd-compat/bsd-flock.c
+@@ -40,6 +40,10 @@
+ #include <errno.h>
+ #include <fcntl.h>
+
++#ifdef __serenity__
++#include <stdio.h>
++#endif
++
+ int
+ flock(int fd, int op)
+ {
diff --git a/Ports/openssh/patches/pledge_sigaction.patch b/Ports/openssh/patches/pledge_sigaction.patch
new file mode 100644
index 0000000000..d1f7e8a558
--- /dev/null
+++ b/Ports/openssh/patches/pledge_sigaction.patch
@@ -0,0 +1,42 @@
+f524cc245e63092372d78c3d80959b589aeebcc2 Add missing sigaction pledges
+diff --git a/clientloop.c b/clientloop.c
+index da396c72..3ff4ea89 100644
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -1239,31 +1239,31 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
+ if (options.control_master &&
+ !option_clear_or_none(options.control_path)) {
+ debug("pledge: id");
+- if (pledge("stdio rpath wpath cpath unix inet dns recvfd sendfd proc exec id tty",
++ if (pledge("stdio rpath wpath cpath unix inet dns recvfd sendfd proc exec id tty sigaction",
+ NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
+ } else if (options.forward_x11 || options.permit_local_command) {
+ debug("pledge: exec");
+- if (pledge("stdio rpath wpath cpath unix inet dns proc exec tty",
++ if (pledge("stdio rpath wpath cpath unix inet dns proc exec tty sigaction",
+ NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
+ } else if (options.update_hostkeys) {
+ debug("pledge: filesystem full");
+- if (pledge("stdio rpath wpath cpath unix inet dns proc tty",
++ if (pledge("stdio rpath wpath cpath unix inet dns proc tty sigaction",
+ NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
+ } else if (!option_clear_or_none(options.proxy_command) ||
+ fork_after_authentication_flag) {
+ debug("pledge: proc");
+- if (pledge("stdio cpath unix inet dns proc tty", NULL) == -1)
++ if (pledge("stdio cpath unix inet dns proc tty sigaction", NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
+ } else {
+ debug("pledge: network");
+- if (pledge("stdio unix inet dns proc tty", NULL) == -1)
++ if (pledge("stdio unix inet dns proc tty sigaction", NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+ }
+
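Review bot: `sigaction` is appended to every promise string, including the tightest `"stdio unix inet dns proc tty"` branch, with no comment saying which later call needs it. Unlike the other patches in this commit the change is not under `#ifdef __serenity__`, so the patched source presumably only works where pledge() accepts that promise. Please add a comment above the first pledge call naming the handler installation that requires it, along the lines of `/* Serenity: signal handlers are installed after pledge(), which needs "sigaction" */` (to be confirmed against the code after this point, which is outside the hunk). If those handlers can be installed before the pledge call instead, the promise could be dropped and the sandbox kept as narrow as the original strings.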
diff --git a/Ports/openssh/patches/reimplement_read_passphrase.patch b/Ports/openssh/patches/reimplement_read_passphrase.patch
new file mode 100644
index 0000000000..d3eaf65213
--- /dev/null
+++ b/Ports/openssh/patches/reimplement_read_passphrase.patch
@@ -0,0 +1,99 @@
+81548c85897681d42968dd7ca228c6b128ac39f1 Reimplement read_passphrase as a C version of Core::get_password
+diff --git a/readpass.c b/readpass.c
+index 974d67f0..3496eebe 100644
+--- a/readpass.c
++++ b/readpass.c
+@@ -47,6 +47,10 @@
+ #include "ssh.h"
+ #include "uidswap.h"
+
++#ifdef __serenity__
++#include <termios.h>
++#endif
++
+ static char *
+ ssh_askpass(char *askpass, const char *msg, const char *env_hint)
+ {
+@@ -122,62 +126,33 @@ ssh_askpass(char *askpass, const char *msg, const char *env_hint)
+ char *
+ read_passphrase(const char *prompt, int flags)
+ {
+- char cr = '\r', *askpass = NULL, *ret, buf[1024];
+- int rppflags, use_askpass = 0, ttyfd;
+- const char *askpass_hint = NULL;
++ // Reimplementation of Core::get_password
++ fwrite(prompt, sizeof(char), strlen(prompt), stdout);
++ fflush(stdout);
++
++ struct termios original;
++ tcgetattr(STDIN_FILENO, &original);
+
+- rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF;
+- if (flags & RP_USE_ASKPASS)
+- use_askpass = 1;
+- else if (flags & RP_ALLOW_STDIN) {
+- if (!isatty(STDIN_FILENO)) {
+- debug("read_passphrase: stdin is not a tty");
+- use_askpass = 1;
+- }
+- } else {
+- rppflags |= RPP_REQUIRE_TTY;
+- ttyfd = open(_PATH_TTY, O_RDWR);
+- if (ttyfd >= 0) {
+- /*
+- * If we're on a tty, ensure that show the prompt at
+- * the beginning of the line. This will hopefully
+- * clobber any password characters the user has
+- * optimistically typed before echo is disabled.
+- */
+- (void)write(ttyfd, &cr, 1);
+- close(ttyfd);
+- } else {
+- debug("read_passphrase: can't open %s: %s", _PATH_TTY,
+- strerror(errno));
+- use_askpass = 1;
+- }
++ struct termios no_echo = original;
++ no_echo.c_lflag &= ~ECHO;
++ if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &no_echo) < 0) {
++ return errno;
+ }
+
+- if ((flags & RP_USE_ASKPASS) && getenv("DISPLAY") == NULL)
+- return (flags & RP_ALLOW_EOF) ? NULL : xstrdup("");
++ char* password = NULL;
++ size_t n = 0;
+
+- if (use_askpass && getenv("DISPLAY")) {
+- if (getenv(SSH_ASKPASS_ENV))
+- askpass = getenv(SSH_ASKPASS_ENV);
+- else
+- askpass = _PATH_SSH_ASKPASS_DEFAULT;
+- if ((flags & RP_ASK_PERMISSION) != 0)
+- askpass_hint = "confirm";
+- if ((ret = ssh_askpass(askpass, prompt, askpass_hint)) == NULL)
+- if (!(flags & RP_ALLOW_EOF))
+- return xstrdup("");
+- return ret;
++ int ret = getline(&password, &n, stdin);
++ tcsetattr(STDIN_FILENO, TCSAFLUSH, &original);
++ putchar('\n');
++ if (ret < 0) {
++ return errno;
+ }
+
+- if (readpassphrase(prompt, buf, sizeof buf, rppflags) == NULL) {
+- if (flags & RP_ALLOW_EOF)
+- return NULL;
+- return xstrdup("");
+- }
++ // Bit of a dirty way of removing the newline in password
++ password[strcspn(password, "\n")] = '\0';
+
+- ret = xstrdup(buf);
+- explicit_bzero(buf, sizeof(buf));
+- return ret;
++ return password;
+ }
+
+ int
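Review bot: Both error paths in the new read_passphrase() body `return errno;` from a function declared to return `char *`, so a failed tcsetattr() or getline() hands callers a small integer as a pointer that they will go on to read and free. The rewrite also drops all `flags` handling (RP_ECHO, RP_ALLOW_EOF, RP_ALLOW_STDIN) and ignores a tcgetattr() failure, so `original` may be restored uninitialised. It reads the secret with getline(), whose buffer can be reallocated while growing and leave passphrase bytes in freed heap memory, whereas the removed code used a fixed stack buffer cleared with explicit_bzero(). The change is also unconditional rather than under `#ifdef __serenity__` like the other patches in this commit. The sketch below keeps the termios approach but restores the old return contract and the scrubbing.

```c
read_passphrase(const char *prompt, int flags)
{
	struct termios original, no_echo;
	char buf[1024], *ret = NULL;
	int have_tty, hide;

	// … unchanged: prompt written with fwrite() and fflush() …

	have_tty = tcgetattr(STDIN_FILENO, &original) == 0;
	if (!have_tty && !(flags & RP_ALLOW_STDIN))
		return (flags & RP_ALLOW_EOF) ? NULL : xstrdup("");

	// Only touch the terminal when there is one and echo must be hidden.
	hide = have_tty && !(flags & RP_ECHO);
	if (hide) {
		no_echo = original;
		no_echo.c_lflag &= ~ECHO;
		if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &no_echo) == -1)
			return (flags & RP_ALLOW_EOF) ? NULL : xstrdup("");
	}

	// Fixed stack buffer: no realloc copies of the secret, and it can be scrubbed.
	if (fgets(buf, sizeof(buf), stdin) != NULL) {
		buf[strcspn(buf, "\n")] = '\0';
		ret = xstrdup(buf);
	}
	explicit_bzero(buf, sizeof(buf));

	if (hide) {
		tcsetattr(STDIN_FILENO, TCSAFLUSH, &original);
		putchar('\n');
	}

	// Same contract as the removed code: NULL only when the caller allows EOF.
	if (ret == NULL && !(flags & RP_ALLOW_EOF))
		ret = xstrdup("");
	return ret;
}
```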
diff --git a/Ports/openssh/patches/remove_inet_aton_redef.patch b/Ports/openssh/patches/remove_inet_aton_redef.patch
new file mode 100644
index 0000000000..2d5cfd01f2
--- /dev/null
+++ b/Ports/openssh/patches/remove_inet_aton_redef.patch
@@ -0,0 +1,209 @@
+bf47ca1400b0548fdabff37c797c6afe89c2ce60 Remove inet_aton redefinition
+diff --git a/openbsd-compat/inet_aton.c b/openbsd-compat/inet_aton.c
+index 093a1720..8b0a0c5d 100644
+--- a/openbsd-compat/inet_aton.c
++++ b/openbsd-compat/inet_aton.c
+@@ -53,7 +53,7 @@
+
+ #include "includes.h"
+
+-#if !defined(HAVE_INET_ATON)
++#if !defined(__serenity__)
+
+ #include <sys/types.h>
+ #include <sys/param.h>
+@@ -84,96 +84,96 @@ inet_addr(const char *cp)
+ * This replaces inet_addr, the return value from which
+ * cannot distinguish between failure and a local broadcast address.
+ */
+-int
+-inet_aton(const char *cp, struct in_addr *addr)
+-{
+- u_int32_t val;
+- int base, n;
+- char c;
+- u_int parts[4];
+- u_int *pp = parts;
++// int
++// inet_aton(const char *cp, struct in_addr *addr)
++// {
++// u_int32_t val;
++// int base, n;
++// char c;
++// u_int parts[4];
++// u_int *pp = parts;
+
+- c = *cp;
+- for (;;) {
+- /*
+- * Collect number up to ``.''.
+- * Values are specified as for C:
+- * 0x=hex, 0=octal, isdigit=decimal.
+- */
+- if (!isdigit(c))
+- return (0);
+- val = 0; base = 10;
+- if (c == '0') {
+- c = *++cp;
+- if (c == 'x' || c == 'X')
+- base = 16, c = *++cp;
+- else
+- base = 8;
+- }
+- for (;;) {
+- if (isascii(c) && isdigit(c)) {
+- val = (val * base) + (c - '0');
+- c = *++cp;
+- } else if (base == 16 && isascii(c) && isxdigit(c)) {
+- val = (val << 4) |
+- (c + 10 - (islower(c) ? 'a' : 'A'));
+- c = *++cp;
+- } else
+- break;
+- }
+- if (c == '.') {
+- /*
+- * Internet format:
+- * a.b.c.d
+- * a.b.c (with c treated as 16 bits)
+- * a.b (with b treated as 24 bits)
+- */
+- if (pp >= parts + 3)
+- return (0);
+- *pp++ = val;
+- c = *++cp;
+- } else
+- break;
+- }
+- /*
+- * Check for trailing characters.
+- */
+- if (c != '\0' && (!isascii(c) || !isspace(c)))
+- return (0);
+- /*
+- * Concoct the address according to
+- * the number of parts specified.
+- */
+- n = pp - parts + 1;
+- switch (n) {
++// c = *cp;
++// for (;;) {
++// /*
++// * Collect number up to ``.''.
++// * Values are specified as for C:
++// * 0x=hex, 0=octal, isdigit=decimal.
++// */
++// if (!isdigit(c))
++// return (0);
++// val = 0; base = 10;
++// if (c == '0') {
++// c = *++cp;
++// if (c == 'x' || c == 'X')
++// base = 16, c = *++cp;
++// else
++// base = 8;
++// }
++// for (;;) {
++// if (isascii(c) && isdigit(c)) {
++// val = (val * base) + (c - '0');
++// c = *++cp;
++// } else if (base == 16 && isascii(c) && isxdigit(c)) {
++// val = (val << 4) |
++// (c + 10 - (islower(c) ? 'a' : 'A'));
++// c = *++cp;
++// } else
++// break;
++// }
++// if (c == '.') {
++// /*
++// * Internet format:
++// * a.b.c.d
++// * a.b.c (with c treated as 16 bits)
++// * a.b (with b treated as 24 bits)
++// */
++// if (pp >= parts + 3)
++// return (0);
++// *pp++ = val;
++// c = *++cp;
++// } else
++// break;
++// }
++// /*
++// * Check for trailing characters.
++// */
++// if (c != '\0' && (!isascii(c) || !isspace(c)))
++// return (0);
++// /*
++// * Concoct the address according to
++// * the number of parts specified.
++// */
++// n = pp - parts + 1;
++// switch (n) {
+
+- case 0:
+- return (0); /* initial nondigit */
++// case 0:
++// return (0); /* initial nondigit */
+
+- case 1: /* a -- 32 bits */
+- break;
++// case 1: /* a -- 32 bits */
++// break;
+
+- case 2: /* a.b -- 8.24 bits */
+- if ((val > 0xffffff) || (parts[0] > 0xff))
+- return (0);
+- val |= parts[0] << 24;
+- break;
++// case 2: /* a.b -- 8.24 bits */
++// if ((val > 0xffffff) || (parts[0] > 0xff))
++// return (0);
++// val |= parts[0] << 24;
++// break;
+
+- case 3: /* a.b.c -- 8.8.16 bits */
+- if ((val > 0xffff) || (parts[0] > 0xff) || (parts[1] > 0xff))
+- return (0);
+- val |= (parts[0] << 24) | (parts[1] << 16);
+- break;
++// case 3: /* a.b.c -- 8.8.16 bits */
++// if ((val > 0xffff) || (parts[0] > 0xff) || (parts[1] > 0xff))
++// return (0);
++// val |= (parts[0] << 24) | (parts[1] << 16);
++// break;
+
+- case 4: /* a.b.c.d -- 8.8.8.8 bits */
+- if ((val > 0xff) || (parts[0] > 0xff) || (parts[1] > 0xff) || (parts[2] > 0xff))
+- return (0);
+- val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
+- break;
+- }
+- if (addr)
+- addr->s_addr = htonl(val);
+- return (1);
+-}
++// case 4: /* a.b.c.d -- 8.8.8.8 bits */
++// if ((val > 0xff) || (parts[0] > 0xff) || (parts[1] > 0xff) || (parts[2] > 0xff))
++// return (0);
++// val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
++// break;
++// }
++// if (addr)
++// addr->s_addr = htonl(val);
++// return (1);
++// }
+
+ #endif /* !defined(HAVE_INET_ATON) */
+diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
+index e5fd6f5b..cb9e1aa0 100644
+--- a/openbsd-compat/openbsd-compat.h
++++ b/openbsd-compat/openbsd-compat.h
+@@ -153,7 +153,7 @@ char *inet_ntoa(struct in_addr in);
+ const char *inet_ntop(int af, const void *src, char *dst, socklen_t size);
+ #endif
+
+-#ifndef HAVE_INET_ATON
++#if !defined(HAVE_INET_ATON) && !defined(__serenity__)
+ int inet_aton(const char *cp, struct in_addr *addr);
+ #endif
+
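Review bot: The guard at the top of inet_aton.c changes from `#if !defined(HAVE_INET_ATON)` to `#if !defined(__serenity__)`, and the whole body of inet_aton() is also commented out line by line. That removes the function on every platform rather than only on Serenity, and the closing `#endif /* !defined(HAVE_INET_ATON) */` comment no longer matches its `#if`. Leaving the body untouched and using `#if !defined(HAVE_INET_ATON) && !defined(__serenity__)`, the condition the openbsd-compat.h hunk already uses, would give the same result on Serenity with a two-line patch that is much easier to rebase and audit. The hunk header shows inet_addr() in the same guarded region; if it relies on inet_aton(), the parsing of shorthand, octal and hex address forms now comes from the system libc, which deserves a one-line comment.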
diff --git a/Ports/openssh/patches/scanf_assume_ssh20.patch b/Ports/openssh/patches/scanf_assume_ssh20.patch
new file mode 100644
index 0000000000..e50bf742c8
--- /dev/null
+++ b/Ports/openssh/patches/scanf_assume_ssh20.patch
@@ -0,0 +1,51 @@
+05b4800c752f5c57deec758118b28fc329a226e8 %.100s and sscanf doesn't do as expected
+diff --git a/kex.c b/kex.c
+index 09c7258e..4c670986 100644
+--- a/kex.c
++++ b/kex.c
+@@ -1182,7 +1182,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+ sshbuf_reset(our_version);
+ if (version_addendum != NULL && *version_addendum == '\0')
+ version_addendum = NULL;
+- if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
++ if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ version_addendum == NULL ? "" : " ",
+ version_addendum == NULL ? "" : version_addendum)) != 0) {
+@@ -1210,7 +1210,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+- debug("Local version string %.100s", our_version_string);
++ debug("Local version string %s", our_version_string);
+
+ /* Read other side's version identification. */
+ for (n = 0; ; n++) {
+@@ -1310,6 +1310,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+ goto out;
+ }
+
++#ifndef __serenity__
+ /*
+ * Check that the versions match. In future this might accept
+ * several versions and set appropriate flags to handle them.
+@@ -1318,11 +1319,19 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+ &remote_major, &remote_minor, remote_version) != 3) {
+ error("Bad remote protocol version identification: '%.100s'",
+ peer_version_string);
++#else
++ // Assume SSH2.0 for now
++ remote_major = 2;
++ remote_minor = 0;
++ // Don't want this executing with other paths but we still need the invalid label.
++ if (0)
++ {
+ invalid:
+ send_error(ssh, "Invalid SSH identification string.");
+ r = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
++#endif
+ debug("Remote protocol version %d.%d, remote software version %.100s",
+ remote_major, remote_minor, remote_version);
+ ssh->compat = compat_datafellows(remote_version);
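Review bot: In the `#else` branch of kex_exchange_identification() the peer's identification string is no longer parsed at all. `remote_major`/`remote_minor` are hard-coded to 2.0 and nothing in the hunk writes `remote_version`, so the following `debug()` and `compat_datafellows(remote_version)` see whatever that buffer held before (its allocation is outside the hunk), and a peer announcing another protocol version is not rejected. The banner is untrusted network input, so at least the `SSH-2.0-` prefix should be checked by hand and the software-version text copied into `remote_version` within that buffer's bounds. The `#else` also sits inside the body of the `if`, so with `__serenity__` undefined the `invalid:` label and the closing brace are compiled out and the file would not build; splitting the conditional as below lets both branches share one error body. The function starts and ends outside the hunk.
```c
#ifndef __serenity__
	// … unchanged: comment and sscanf() condition …
#else
	// sscanf("%[^\n]") is not usable here, so match the protocol prefix by hand.
	// NOTE(review): this accepts only a literal "SSH-2.0-" banner; confirm whether 1.99 peers must be allowed.
	if (strncmp(peer_version_string, "SSH-2.0-", 8) != 0) {
#endif
		error("Bad remote protocol version identification: '%.100s'",
		    peer_version_string);
 invalid:
		// … unchanged: send_error, r = SSH_ERR_INVALID_FORMAT, goto out …
	}
#ifdef __serenity__
	remote_major = 2;
	remote_minor = 0;
	// TODO: copy the text after the prefix into remote_version, bounded by its allocated size
#endif
```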
diff --git a/Ports/openssh/patches/sftp_pipes.patch b/Ports/openssh/patches/sftp_pipes.patch
new file mode 100644
index 0000000000..10838cdc9d
--- /dev/null
+++ b/Ports/openssh/patches/sftp_pipes.patch
@@ -0,0 +1,16 @@
+e5a0b5cc530260b1ee94105e8c989ba21856b4a2 Use pipes instead of socketpair in SFTP
+diff --git a/sftp.c b/sftp.c
+index 2799e4a1..9ce7055a 100644
+--- a/sftp.c
++++ b/sftp.c
+@@ -2296,6 +2296,10 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2)
+ return (err >= 0 ? 0 : -1);
+ }
+
++#ifdef __serenity__
++#define USE_PIPES 1
++#endif
++
+ static void
+ connect_to_server(char *path, char **args, int *in, int *out)
+ {