--- sshd_config.5.orig	2017-10-12 11:51:06.638814000 -0700
+++ sshd_config.5	2017-10-12 11:51:33.780459000 -0700
@@ -1682,7 +1682,57 @@ is set to
 then the pre-authentication unprivileged process is subject to additional
 restrictions.
 The default is
-.Cm sandbox .
+.Cm no .
+.It Cm VersionAddendum
+Optionally specifies additional text to append to the SSH protocol banner
+sent by the server upon connection.
+The default is
+.Cm none .
+.It Cm X11DisplayOffset
+Specifies the first display number available for
+.Xr sshd 8 Ns 's
+X11 forwarding.
+This prevents sshd from interfering with real X11 servers.
+The default is 10.
+.It Cm X11Forwarding
+Specifies whether X11 forwarding is permitted.
+The argument must be
+.Cm yes
+or
+.Cm no .
+The default is
+.Cm no .
+.Pp
+When X11 forwarding is enabled, there may be additional exposure to
+the server and to client displays if the
+.Xr sshd 8
+proxy display is configured to listen on the wildcard address (see
+.Cm X11UseLocalhost ) ,
+though this is not the default.
+Additionally, the authentication spoofing and authentication data
+verification and substitution occur on the client side.
+The security risk of using X11 forwarding is that the client's X11
+display server may be exposed to attack when the SSH client requests
+forwarding (see the warnings for
+.Cm ForwardX11
+in
+.Xr ssh_config 5 ) .
+A system administrator may have a stance in which they want to
+protect clients that may expose themselves to attack by unwittingly
+requesting X11 forwarding, which can warrant a
+.Cm no
+setting.
+.Pp
+Note that disabling X11 forwarding does not prevent users from
+forwarding X11 traffic, as users can always install their own forwarders.
+.It Cm X11UseLocalhost
+Specifies whether
+.Xr sshd 8
+should bind the X11 forwarding server to the loopback address or to
+the wildcard address.
+By default,
+sshd binds the forwarding server to the loopback address and sets the
+hostname part of the
 .It Cm VACertificateFile
 File with X.509 certificates in PEM format concatenated together.
 In use when
@@ -1735,56 +1785,6 @@ URL of the OCSP provider. In use when
 .Cm VAType
 is set to
 .Cm ocspspec .
-.It Cm VersionAddendum
-Optionally specifies additional text to append to the SSH protocol banner
-sent by the server upon connection.
-The default is
-.Cm none .
-.It Cm X11DisplayOffset
-Specifies the first display number available for
-.Xr sshd 8 Ns 's
-X11 forwarding.
-This prevents sshd from interfering with real X11 servers.
-The default is 10.
-.It Cm X11Forwarding
-Specifies whether X11 forwarding is permitted.
-The argument must be
-.Cm yes
-or
-.Cm no .
-The default is
-.Cm no .
-.Pp
-When X11 forwarding is enabled, there may be additional exposure to
-the server and to client displays if the
-.Xr sshd 8
-proxy display is configured to listen on the wildcard address (see
-.Cm X11UseLocalhost ) ,
-though this is not the default.
-Additionally, the authentication spoofing and authentication data
-verification and substitution occur on the client side.
-The security risk of using X11 forwarding is that the client's X11
-display server may be exposed to attack when the SSH client requests
-forwarding (see the warnings for
-.Cm ForwardX11
-in
-.Xr ssh_config 5 ) .
-A system administrator may have a stance in which they want to
-protect clients that may expose themselves to attack by unwittingly
-requesting X11 forwarding, which can warrant a
-.Cm no
-setting.
-.Pp
-Note that disabling X11 forwarding does not prevent users from
-forwarding X11 traffic, as users can always install their own forwarders.
-.It Cm X11UseLocalhost
-Specifies whether
-.Xr sshd 8
-should bind the X11 forwarding server to the loopback address or to
-the wildcard address.
-By default,
-sshd binds the forwarding server to the loopback address and sets the
-hostname part of the
 .Ev DISPLAY
 environment variable to
 .Cm localhost .
--- openbsd-compat/port-net.c	2018-06-26 15:18:43.551904000 -0700
+++ openbsd-compat/port-net.c.orig	2018-04-01 22:38:28.000000000 -0700
@@ -186,8 +185,8 @@ sys_tun_open(int tun, int mode, char **ifname)
 	else
 		debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
 
-	if (ifname != NULL)
-		*ifname = xstrdup(ifr.ifr_name);
+	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
+		goto failed;
 
 	return (fd);
 
@@ -273,8 +272,8 @@ sys_tun_open(int tun, int mode, char **ifname)
 			goto failed;
 	}
 
-	if (ifname != NULL)
-		*ifname = xstrdup(ifr.ifr_name);
+	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
+		goto failed;
 
 	close(sock);
 	return (fd);
--- ssh.c.orig	2018-04-01 22:38:28.000000000 -0700
+++ ssh.c	2018-06-26 15:22:02.947595000 -0700
@@ -1411,6 +1323,7 @@ main(int ac, char **av)
 		    (char *)NULL);
 		free(cp);
 	}
+	free(conn_hash_hex);
 
 	if (config_test) {
 		dump_client_config(&options, host);
