I thought Homebrew patched OpenSSH using Apple's keychain patch, but looking at the formula right now I see:

```
# Please don't resubmit the keychain patch option. It will never be accepted.
# https://github.com/Homebrew/homebrew-dupes/pull/482#issuecomment-118994372
```

Sadly the homebrew-dupes repo seems to have been deleted so this comment can't be read anymore.
> We are uncomfortable continually supporting a 1900+ line patch which upstream hasn't signed off on that has the potential to both compromise OpenSSH security and Keychain security. From 10.11 it will also be impossible to edit plists in /System/* without disabling rootless, which isn't a configuration we'll be intentionally supporting.
Oh god no. Homebrew managing openssh has been the cause of more command-line instability and forced reinstalls than anything else I’ve encountered in the last few years of OS X (sorry, macOS). I’ve started installing stuff from source again just to prevent a cascade of Homebrew upgrades breaking everything.
I sometimes use NetBSD's pkgsrc on macOS because it installs super cleanly in any prefix you like and never, ever breaks the system. It doesn't have everything, and you will occasionally encounter a package that won't build, but it doesn't even dream of taking over /usr/local or disrupting your system. You could install it into your home directory if you wanted to (which I have done, on systems where I don't have root or enough ownership to just throw things anywhere).
I always build SSH from source myself using my own scripts and meta-makefiles. Both the most recent OpenSSH release, and the latest one supported by HPN-SSH (for use on high-latency links).
OpenSSH 8.2p1 notably has support for using FIDO U2F 2FA keys to secure SSH keys; it works perfectly, as long as your server also runs 8.2p1 (only the client needs to be compiled with libfido2).
As for the Catalina train wreck, it's clear both hardware and software quality is on a severe downward trend at Apple; you can either rant and moan about it, or take control back by switching to Linux or BSD, which is what I am doing, very slowly and deliberately.
Never experienced this in a decade or so of using Homebrew's OpenSSH, but you can absolutely use something other than Homebrew to get a more up-to-date and standard OpenSSH install if you prefer.
> I'm not sure what's the current state, but there are features on SSH I wasn't able to use due to the version provided being old.
> I know that `Include` on `config` is/was one.
That's both terribly out-of-date info and hardly ever true as far as I can tell.
The Include directive was a new feature of OpenSSH 7.3, released on 2016-08-01.[1] Apple shipped OpenSSH 7.3 in macOS 10.12.2[2][3], released on 2016-12-13. That's a very reasonable four-month gap.
I only use the system ssh because stock OpenSSH didn't integrate well with system keychain many years ago (not sure about the current state). But I've been using the Include directive for a long time.