diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac
index 428f3ff55a87..28a64d8f07db 100644
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@@ -3263,16 +3263,16 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
 		LIBFIDO2=`$PKGCONFIG --libs libfido2`
 		CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
 	else
-		LIBFIDO2="-lfido2 -lcbor"
+		LIBFIDO2="-lprivatefido2 -lprivatecbor"
 	fi
 	OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
-	AC_CHECK_LIB([fido2], [fido_init],
+	AC_CHECK_LIB([privatefido2], [fido_init],
 		[
 			AC_SUBST([LIBFIDO2])
 			AC_DEFINE([ENABLE_SK_INTERNAL], [],
 			    [Enable for built-in U2F/FIDO support])
 			enable_sk="built-in"
-		], [ AC_MSG_ERROR([no usable libfido2 found]) ],
+		], [ AC_MSG_ERROR([no usable libprivatefido2 found]) ],
 		[ $OTHERLIBS ]
 	)
 	saved_LIBS="$LIBS"
diff --git a/crypto/openssh/freebsd-configure.sh b/crypto/openssh/freebsd-configure.sh
index 4d405a0ffacb..3cde318ade58 100755
--- a/crypto/openssh/freebsd-configure.sh
+++ b/crypto/openssh/freebsd-configure.sh
@@ -12,7 +12,6 @@ configure_args="
     --with-libedit
     --with-ssl-engine
     --without-xauth
-    --without-security-key-builtin
 "
 
 set -e
@@ -34,11 +33,28 @@ sh configure $configure_args --with-kerberos5=/usr
 mv config.log config.log.kerberos5
 mv config.h config.h.kerberos5
 
-# Generate config.h without krb5
-sh configure $configure_args --without-kerberos5
+# Generate config.h with built-in security key support
+#
+# We install libcbor and libfido2 as PRIVATELIB, so the headers are not
+# available for configure - add their paths via CFLAGS as a slight hack.
+# configure.ac is also patched to specify -lprivatecbor and -lprivatefido2
+# rather than -lcbor and -lfido2.
+export CFLAGS="-I$openssh/../../contrib/libcbor/src -I$openssh/../../contrib/libfido2/src"
+sh configure $configure_args --with-security-key-builtin
+unset CFLAGS
+mv config.log config.log.sk-builtin
+mv config.h config.h.sk-builtin
+
+# Generate config.h without krb5 or SK support
+sh configure $configure_args --without-kerberos5 --without-security-key-builtin
 
 # Extract the difference
 echo '/* $Free''BSD$ */' > krb5_config.h
 diff -u config.h.kerberos5 config.h |
 	sed -n '/^-#define/s/^-//p' |
 	grep -Ff /dev/stdin config.h.kerberos5 >> krb5_config.h
+
+# Extract the difference - SK
+diff -u config.h.sk-builtin config.h |
+    sed -n '/^-#define/s/^-//p' |
+    grep -Ff /dev/stdin config.h.sk-builtin > sk_config.h