diff --git a/UPDATING b/UPDATING index 4aa47fd8a554..c3509cd18551 100644 --- a/UPDATING +++ b/UPDATING @@ -5,6 +5,14 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20150322: + AFFECTS: Users of security/openssh-portable + AUTHOR: bdrewery@FreeBSD.org + + The port now uses VersionAddendum for the port version string. Setting + the value to "none" in your sshd_config and restarting openssh will allow + removing the version from the banner. + 20150321: AFFECTS: Users of x11-servers/xorg-server and other X servers AUTHOR: bapt@FreeBSD.org diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 9b96fb614097..0dd3519198d8 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -3,7 +3,7 @@ PORTNAME= openssh DISTVERSION= 6.7p1 -PORTREVISION= 2 +PORTREVISION= 3 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ${MASTER_SITE_OPENBSD} @@ -200,6 +200,8 @@ CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}' .endif RC_SCRIPT_NAME= openssh +VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} +VERSION_ADDENDUM_SERVCONF_GREP= " options->version_addendum = xstrdup" post-patch: @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure 
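Review bot: In the Makefile hunk at `@@ -200,6 +200,8 @@`, the double quotes around the `VERSION_ADDENDUM_SERVCONF_GREP` value are kept by make as part of the value. That suits the unquoted `${GREP} -q` argument in post-patch, but the same variable is also expanded inside the single-quoted sed script in the `@@ -212,18 +214,21 @@` hunk. There the quotes would be literal pattern characters that presumably never occur in servconf.c, so the grep guard would pass while the substitution changes nothing and the compiled-in default stays as upstream. Consider storing the bare text, `VERSION_ADDENDUM_SERVCONF_GREP= options->version_addendum = xstrdup`, quoting it at the grep call as `${GREP} -q '${VERSION_ADDENDUM_SERVCONF_GREP}'`, and writing the leading whitespace in the sed pattern itself. Whitespace is collapsed on this page, so the exact indentation needs checking against the file.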
@@ -212,18 +214,21 @@ post-patch: ${WRKSRC}/ssh_config.5 @${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 - @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \ - -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h - @${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \ +# Making this a patch conflicts with the X509 option. Use grep to force failure. + @${ECHO_CMD} "===> Applying VersionAddendum patch to servconf.c" && \ + ${GREP} -q ${VERSION_ADDENDUM_SERVCONF_GREP} \ + ${WRKSRC}/servconf.c && \ + ${REINPLACE_CMD} \ + -e 's|\( ${VERSION_ADDENDUM_SERVCONF_GREP}\).*);|\1(SSH_VERSION_FREEBSD_PORT);|' \ + ${WRKSRC}/servconf.c + @${REINPLACE_CMD} \ + -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \ + ${WRKSRC}/sshd_config + @${REINPLACE_CMD} \ + -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \ + ${WRKSRC}/sshd_config.5 + @${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \ ${WRKSRC}/version.h - @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \ - ${WRKSRC}/version.h - @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \ - ${WRKSRC}/version.h -.if ${PORT_OPTIONS:MHPN} - @${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|' \ - ${WRKSRC}/version.h -.endif post-install: ${MV} ${STAGEDIR}${ETCDIR}/ssh_config \ diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c index 67e45e98a1fe..c8d94fcfee94 100644 --- a/security/openssh-portable/files/patch-servconf.c +++ b/security/openssh-portable/files/patch-servconf.c 
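Review bot: The guard in the post-patch hunk runs `${GREP} -q` before `${REINPLACE_CMD}`, so it proves only that the anchor line exists in servconf.c. sed exits successfully even when its own expression matches nothing, so a failed rewrite would not stop the build. Chaining a check on the result, `&& ${GREP} -q 'xstrdup(SSH_VERSION_FREEBSD_PORT)' ${WRKSRC}/servconf.c`, would make the "Use grep to force failure" comment hold for the substitution itself. Separately, `${VERSION_ADDENDUM_DEFAULT}` is overridable (`?=` in the earlier hunk) and is pasted unescaped into `|`-delimited sed replacements and into the `#define SSH_VERSION_FREEBSD_PORT "..."` line. A value containing `|`, `&`, a backslash or a quote would corrupt sshd_config, sshd_config.5 or version.h, so a comment such as `# VERSION_ADDENDUM_DEFAULT must not contain |, &, backslash or quote characters` next to these commands would document the constraint.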
@@ -1,6 +1,14 @@ ---- servconf.c.orig 2013-05-12 21:26:30.642630751 -0500 -+++ servconf.c 2013-05-12 21:52:43.069625377 -0500 -@@ -162,7 +162,7 @@ +--- servconf.c.orig 2015-03-22 22:16:53.563005000 -0500 ++++ servconf.c 2015-03-22 22:19:39.207917000 -0500 +@@ -54,6 +54,7 @@ + #include "packet.h" + #include "hostfile.h" + #include "auth.h" ++#include "version.h" + + static void add_listen_addr(ServerOptions *, char *, int); + static void add_one_listen_addr(ServerOptions *, char *, int); +@@ -173,7 +174,7 @@ fill_default_server_options(ServerOption /* Portable-specific options */ if (options->use_pam == -1) @@ -9,7 +17,7 @@ /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) -@@ -197,7 +197,7 @@ +@@ -210,7 +211,7 @@ fill_default_server_options(ServerOption if (options->key_regeneration_time == -1) options->key_regeneration_time = 3600; if (options->permit_root_login == PERMIT_NOT_SET) @@ -18,7 +26,7 @@ if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) -@@ -207,7 +207,7 @@ +@@ -220,7 +221,7 @@ fill_default_server_options(ServerOption if (options->print_lastlog == -1) options->print_lastlog = 1; if (options->x11_forwarding == -1) @@ -27,7 +35,7 @@ if (options->x11_display_offset == -1) options->x11_display_offset = 10; if (options->x11_use_localhost == -1) -@@ -245,7 +245,11 @@ +@@ -262,7 +263,11 @@ fill_default_server_options(ServerOption if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; if (options->password_authentication == -1) @@ -39,8 +47,8 @@ if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; if (options->challenge_response_authentication == -1) -@@ -335,7 +339,7 @@ - options->version_addendum = xstrdup(""); +@@ -368,7 +373,7 @@ fill_default_server_options(ServerOption + options->fwd_opts.streamlocal_bind_unlink = 0; /* Turn privilege separation on by default */ if (use_privsep == -1) - use_privsep = PRIVSEP_NOSANDBOX; 
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 index 93d7bec1f85f..e13d32dcfc67 100644 --- a/security/openssh-portable/files/patch-sshd_config.5 +++ b/security/openssh-portable/files/patch-sshd_config.5 @@ -1,6 +1,6 @@ --- sshd_config.5.orig 2014-10-02 18:24:57.000000000 -0500 -+++ sshd_config.5 2014-11-03 16:49:35.943778119 -0600 -@@ -304,7 +304,9 @@ ++++ sshd_config.5 2015-03-22 21:57:45.538655000 -0500 +@@ -304,7 +304,9 @@ By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via PAM or through authentication styles supported in @@ -11,7 +11,7 @@ The default is .Dq yes . .It Cm ChrootDirectory -@@ -615,7 +617,7 @@ +@@ -615,7 +617,7 @@ or .Pp .Pa /etc/hosts.equiv and @@ -20,7 +20,7 @@ are still used. The default is .Dq yes . -@@ -977,7 +979,22 @@ +@@ -977,7 +979,22 @@ are refused if the number of unauthentic .It Cm PasswordAuthentication Specifies whether password authentication is allowed. The default is @@ -43,7 +43,7 @@ .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -@@ -1023,7 +1040,14 @@ +@@ -1023,7 +1040,14 @@ The argument must be or .Dq no . The default is @@ -59,7 +59,7 @@ .Pp If this option is set to .Dq without-password , -@@ -1178,7 +1202,9 @@ +@@ -1178,7 +1202,9 @@ an OpenSSH Key Revocation List (KRL) as For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication @@ -70,7 +70,7 @@ with successful RSA host authentication is allowed. The default is .Dq no . -@@ -1343,7 +1369,7 @@ +@@ -1343,7 +1369,7 @@ is enabled, you will not be able to run .Xr sshd 8 as a non-root user. The default is 
@@ -79,7 +79,19 @@ .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 -@@ -1379,7 +1405,7 @@ +@@ -1365,7 +1391,10 @@ restrictions. + Optionally specifies additional text to append to the SSH protocol banner + sent by the server upon connection. + The default is +-.Dq none . ++.Dq %%SSH_VERSION_FREEBSD_PORT%% . ++The value ++.Dq none ++may be used to disable this. + .It Cm X11DisplayOffset + Specifies the first display number available for + .Xr sshd 8 Ns 's +@@ -1379,7 +1408,7 @@ The argument must be or .Dq no . The default is