OpenSSH distributed in 8.7p1

 * Support for FIDO keys that require a PIN for each use.

You can generate these keys by using ssh-keygen with the new verify-required option.
When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation.

 * Added support for verifying FIDO webauthn signatures.
    (webauthn is a standard for using FIDO keys in web browsers.)

 * Client address-based rate-limiting (PerSourceMaxStartups, PerSourceNetBlockSize )

 * "Include" keyword in the sshd daemon allows glob patterns