diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff	2020-02-15 12:50:44.413776914 -0800
+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff	2020-02-15 12:53:06.190742744 -0800
@@ -3,9 +3,9 @@
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -42,7 +42,7 @@ CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
+ CFLAGS_NOPIE=@CFLAGS_NOPIE@
  CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ PICFLAG=@PICFLAG@
 -LIBS=@LIBS@
 +LIBS=@LIBS@ -lpthread
  K5LIBS=@K5LIBS@
@@ -902,14 +902,14 @@
  
  /*
 @@ -2118,6 +2125,8 @@ fill_default_options(Options * options)
+ 		options->canonicalize_hostname = SSH_CANONICALISE_NO;
+ 	if (options->fingerprint_hash == -1)
  		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
- 	if (options->update_hostkeys == -1)
- 		options->update_hostkeys = 0;
 +	if (options->disable_multithreaded == -1)
 +		options->disable_multithreaded = 0;
- 
- 	/* Expand KEX name lists */
- 	all_cipher = cipher_alg_list(',', 0);
+ #ifdef ENABLE_SK_INTERNAL
+ 	if (options->sk_provider == NULL)
+ 		options->sk_provider = xstrdup("internal");
 diff --git a/readconf.h b/readconf.h
 index 8e36bf32..c803eca7 100644
 --- a/readconf.h
@@ -952,9 +952,9 @@
  	sPort, sHostKeyFile, sLoginGraceTime,
  	sPermitRootLogin, sLogFacility, sLogLevel,
 @@ -643,6 +647,7 @@ static struct {
- 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
  	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ 	{ "include", sInclude, SSHCFG_ALL },
 +	{ "disableMTAES", sDisableMTAES, SSHCFG_ALL },
  	{ "ipqos", sIPQoS, SSHCFG_ALL },
  	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff	2020-02-15 12:50:44.413776914 -0800
+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff	2020-02-15 12:51:19.541768656 -0800
@@ -409,18 +409,10 @@
 index 817da43b..b2bcf78f 100644
 --- a/packet.c
 +++ b/packet.c
-@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
  	return 0;
  }
  
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+	rekey_requested = 1;
-+}
-+
 +/* used to determine if pre or post auth when rekeying for aes-ctr
 + * and none cipher switch */
 +int
@@ -434,20 +426,6 @@
  #define MAX_PACKETS	(1U<<31)
  static int
  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
- 		return 0;
- 
-+	/* used to force rekeying when called for by the none
-+         * cipher switch methods -cjr */
-+        if (rekey_requested == 1) {
-+                rekey_requested = 0;
-+                return 1;
-+        }
-+
- 	/* Time-based rekeying */
- 	if (state->rekey_interval != 0 &&
- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
 diff --git a/packet.h b/packet.h
 index 8ccfd2e0..1ad9bc06 100644
 --- a/packet.h
@@ -476,9 +454,9 @@
  /* Format of the configuration file:
  
 @@ -167,6 +168,8 @@ typedef enum {
- 	oHashKnownHosts,
  	oTunnel, oTunnelDevice,
  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ 	oDisableMTAES,
 +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
 +	oNoneEnabled, oNoneSwitch,
  	oVisualHostKey,
@@ -615,9 +593,9 @@
  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
  	SyslogFacility log_facility;	/* Facility for system logging. */
 @@ -112,7 +116,10 @@ typedef struct {
- 
  	int	enable_ssh_keysign;
  	int64_t rekey_limit;
+ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
 +	int     none_switch;    /* Use none cipher */
 +	int     none_enabled;   /* Allow none to be used */
  	int	rekey_interval;
@@ -700,9 +678,9 @@
 +			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
 +	}
 +
+ 	if (options->disable_multithreaded == -1)
+ 		options->disable_multithreaded = 0;
  	if (options->ip_qos_interactive == -1)
- 		options->ip_qos_interactive = IPTOS_DSCP_AF21;
- 	if (options->ip_qos_bulk == -1)
 @@ -486,6 +532,8 @@ typedef enum {
  	sPasswordAuthentication, sKbdInteractiveAuthentication,
  	sListenAddress, sAddressFamily,
@@ -1079,11 +1057,11 @@
  	xxx_host = host;
  	xxx_hostaddr = hostaddr;
  
-@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
  
  	if (!authctxt.success)
  		fatal("Authentication failed.");
-+
+ 
 +	/*
 +	 * If the user wants to use the none cipher, do it post authentication
 +	 * and only if the right conditions are met -- both of the NONE commands
@@ -1105,9 +1083,9 @@
 +		}
 +	}
 +
- 	debug("Authentication succeeded (%s).", authctxt.method->name);
- }
- 
+ #ifdef WITH_OPENSSL
+ 	if (options.disable_multithreaded == 0) {
+ 		/* if we are using aes-ctr there can be issues in either a fork or sandbox
 diff --git a/sshd.c b/sshd.c
 index 11571c01..23a06022 100644
 --- a/sshd.c