diff --git a/default.nix b/default.nix
index 9f5c40e..d9639e4 100644
--- a/default.nix
+++ b/default.nix
@@ -3,6 +3,7 @@
 , options
 , pkgs
 , isUnstable
+, xinlib
 , ...
 }:
 let
@@ -15,7 +16,7 @@ let
 command="/run/current-system/sw/bin/xin-status",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9PIhQ+yWfBM2tEG+W8W8HXJXqISXif8BcPZHakKvLM xin-status
 '';
 gosignify = pkgs.callPackage ./pkgs/gosignify.nix { inherit isUnstable; };
- myOpenSSH = pkgs.callPackage ./pkgs/openssh { };
+ myOpenSSH = pkgs.callPackage ./pkgs/openssh.nix { inherit config xinlib; };
 in
 {
 imports = [
@@ -198,7 +199,7 @@ in
 zsh.enable = true;
 gnupg.agent.enable = true;
 ssh = {
- package = myOpenSSH.openssh;
+ package = myOpenSSH;
 agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
 knownHosts = {
 "[namish.otter-alligator.ts.net]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
diff --git a/overlays/openssh.nix b/overlays/openssh.nix
deleted file mode 100644
index a628135..0000000
--- a/overlays/openssh.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-let
- openssh = _: super: {
- openssh = super.openssh.overrideAttrs (_: rec {
- version = "9.3p1";
- src = super.fetchurl {
- url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
- hash = "sha256-6bq6dwGnalHz2Fpiw4OjydzZf6kAuFm8fbEUwYaK+Kg=";
- };
-
- patches = [
- ./ssh-keysign-8.5.patch
- ./dont_create_privsep_path.patch
- ./locale_archive.patch
- ];
- });
- };
-in
-openssh
diff --git a/pkgs/openssh/common.nix b/pkgs/openssh.nix
similarity index 59%
rename from pkgs/openssh/common.nix
rename to pkgs/openssh.nix
index 6d5fd58..58a9ef3 100644
--- a/pkgs/openssh/common.nix
+++ b/pkgs/openssh.nix
@@ -1,46 +1,56 @@
-{ pname
-, version
-, extraDesc ? ""
-, src
-, extraPatches ? [ ]
-, extraNativeBuildInputs ? [ ]
-, extraConfigureFlags ? [ ]
-, extraMeta ? { }
+{ autoreconfHook
+, config
+, etcDir ? "/etc/ssh"
+, fetchFromGitHub
+, hostname
+, lib
+, libedit
+, libfido2
+, libredirect
+, libressl
+, linkOpenssl ? true
+, pam
+, pkg-config
+, stdenv
+, withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
+, withPAM ? stdenv.hostPlatform.isLinux
+, xinlib
+, zlib
 , ...
-}: { lib
- , stdenv
- , # This *is* correct, though unusual. as a way of getting krb5-config from the
- # package without splicing See: https://github.com/NixOS/nixpkgs/pull/107606
- pkgs
- , autoreconfHook
- , zlib
- , libressl
- , libedit
- , pkg-config
- , pam
- , libredirect
- , etcDir ? "/etc/ssh"
- , withKerberos ? true
- , libkrb5
- , libfido2
- , hostname
- , nixosTests
- , withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
- , withPAM ? stdenv.hostPlatform.isLinux
- , linkOpenssl ? true
- ,
- }:
+}:
+let
+ inherit (builtins) readFile fromJSON;
+ verStr = fromJSON (readFile ./openssh/version.json);
+ hostStr = lib.strings.concatStrings [
+ "CI not configured on '"
+ config.networking.hostName
+ "': skipping OpenSSH tests"
+ ];
+in
 stdenv.mkDerivation {
- inherit pname version src;
+ pname = "openssh";
+ inherit (verStr) version;
+
+ src = fetchFromGitHub {
+ inherit (verStr) rev hash;
+ owner = "openssh";
+ repo = "openssh-portable";
+ };
+
+ doCheck =
+ if config.xinCI.enable
+ then
+ true
+ else (lib.warn hostStr false);
 patches = [
- ./locale_archive.patch
+ ./openssh/locale_archive.patch
+ ./openssh/ssh-keysign-8.5.patch
 # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
- ./dont_create_privsep_path.patch
- ]
- ++ extraPatches;
+ ./openssh/dont_create_privsep_path.patch
+ ];
 postPatch =
 # On Hydra this makes installation fail (sometimes?),
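Review bot: `doCheck` is now a function of the evaluating host's `config.xinCI.enable` (and `default.nix` passes the whole NixOS `config` into the package), so the derivation that CI builds and tests is not the same store path that non-CI hosts install; the passing test suite therefore does not vouch for the exact artifact deployed, and the per-host input also defeats sharing the build through a binary cache. A plain `doCheck ? true` argument with CI gating deployment would keep one derivation everywhere; if the host dependence is intentional, say so next to the attribute, e.g. `# doCheck depends on the evaluating host: tests run only where xinCI is enabled, so CI and non-CI builds are distinct derivations`. The new `xinlib` argument is not referenced in any visible hunk; if nothing outside these hunks uses it, drop it. `src` now tracks a git `rev` of `openssh-portable` from `./openssh/version.json` instead of a release tarball, so the content hash in that file is the only integrity anchor; a comment stating that `rev` must point at a release tag and how `version.json` is refreshed would help the next maintainer. The `stdenv.mkDerivation` attribute set continues past the end of this hunk.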
@@ -51,16 +61,10 @@ stdenv.mkDerivation {
 strictDeps = true;
 nativeBuildInputs =
- [ autoreconfHook pkg-config ]
- # This is not the same as the libkrb5 from the inputs! pkgs.libkrb5 is
- # needed here to access krb5-config in order to cross compile. See:
- # https://github.com/NixOS/nixpkgs/pull/107606
- ++ lib.optional withKerberos pkgs.libkrb5
- ++ extraNativeBuildInputs;
+ [ autoreconfHook pkg-config ];
 buildInputs = [ zlib libressl libedit ]
 ++ lib.optional withFIDO libfido2
- ++ lib.optional withKerberos libkrb5
 ++ lib.optional withPAM pam;
 preConfigure = ''
@@ -83,17 +87,15 @@ stdenv.mkDerivation {
 ]
 ++ lib.optional (etcDir != null) "--sysconfdir=${etcDir}"
 ++ lib.optional withFIDO "--with-security-key-builtin=yes"
- ++ lib.optional withKerberos (assert libkrb5 != null; "--with-kerberos5=${libkrb5}")
 ++ lib.optional stdenv.isDarwin "--disable-libutil"
- ++ lib.optional (!linkOpenssl) "--without-openssl"
- ++ extraConfigureFlags;
+ ++ lib.optional (!linkOpenssl) "--without-openssl";
 ${
- if stdenv.hostPlatform.isStatic
- then "NIX_LDFLAGS"
- else null
- } =
- [ "-laudit" ] ++ lib.optionals withKerberos [ "-lkeyutils" ];
+ if stdenv.hostPlatform.isStatic then
+ "NIX_LDFLAGS"
+ else
+ null
+ } = [ "-laudit" ];
 buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];
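Review bot: Kerberos/GSSAPI support is removed silently — `withKerberos`, `libkrb5` and `pkgs.libkrb5` disappear from `nativeBuildInputs` and `buildInputs` in this hunk, and `--with-kerberos5` plus the `-lkeyutils` link flag disappear in the @@ -83 hunk — with no default argument left to turn it back on, so any host configuration relying on GSSAPI authentication would presumably stop working without an evaluation-time error. If dropping it is intended, record that next to `buildInputs`, e.g. `# Kerberos/GSSAPI support is deliberately not built for this deployment`; otherwise keep an explicit `withKerberos ? false` argument so the choice is visible to callers. The `stdenv.mkDerivation` attribute set starts and ends outside these hunks.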
@@ -147,32 +149,21 @@ stdenv.mkDerivation {
 # set up NIX_REDIRECTS for direct invocations
 set -a; source ~/.ssh/environment.base; set +a
 '';
- # integration tests hard to get working on darwin with its shaky
- # sandbox
- # t-exec tests fail on musl
- checkTarget =
- lib.optional (!stdenv.isDarwin && !stdenv.hostPlatform.isMusl) "t-exec"
- # other tests are less demanding of the environment
- ++ [ "unit" "file-tests" "interop-tests" ];
+
+ checkTarget = [ "t-exec" "unit" "file-tests" "interop-tests" ];
 installTargets = [ "install-nokeys" ];
 installFlags = [ "sysconfdir=\${out}/etc/ssh" ];
- passthru.tests = {
- borgbackup-integration = nixosTests.borgbackup;
+ meta = with lib; {
+ description = "An implementation of the SSH protocol";
+ homepage = "https://www.openssh.com/";
+ changelog = "https://www.openssh.com/releasenotes.html";
+ license = licenses.bsd2;
+ platforms = platforms.unix ++ platforms.windows;
+ maintainers = with maintainers; [ qbit ];
+ mainProgram = "ssh";
 };
-
- meta = with lib;
- {
- description = "An implementation of the SSH protocol${extraDesc}";
- homepage = "https://www.openssh.com/";
- changelog = "https://www.openssh.com/releasenotes.html";
- license = licenses.bsd2;
- platforms = platforms.unix ++ platforms.windows;
- maintainers = (extraMeta.maintainers or [ ]) ++ (with maintainers; [ eelco aneeshusa ]);
- mainProgram = "ssh";
- }
- // extraMeta;
 }
diff --git a/pkgs/openssh/default.nix b/pkgs/openssh/default.nix
deleted file mode 100644
index a7b1240..0000000
--- a/pkgs/openssh/default.nix
+++ /dev/null
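Review bot: `checkTarget` now requests `t-exec` unconditionally and drops the comment recording that `t-exec` fails on darwin and musl, while `meta.platforms` still advertises `platforms.unix ++ platforms.windows`; a `doCheck = true` build on those platforms would presumably fail at the test phase rather than skip it. Either keep `lib.optional (!stdenv.isDarwin && !stdenv.hostPlatform.isMusl) "t-exec" ++ [ "unit" "file-tests" "interop-tests" ]` or narrow `meta.platforms` to what CI actually exercises, and keep a one-line comment such as `# t-exec is only known to pass on glibc Linux; other platforms run unit/file/interop tests only`. The rewritten `meta` also drops the upstream `passthru.tests` hook, which is fine only if no NixOS test in this repository consumes it. The `stdenv.mkDerivation` attribute set starts outside this hunk.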
@@ -1,33 +0,0 @@
-{ callPackage
-, lib
-, fetchFromGitHub
-, config
-,
-}:
-let
- inherit (builtins) readFile fromJSON;
- common = opts: callPackage (import ./common.nix opts) { };
- verStr = fromJSON (readFile ./version.json);
-in
-{
- openssh = common {
- pname = "openssh";
- inherit config;
- inherit (verStr) version;
-
- src = fetchFromGitHub {
- inherit (verStr) rev hash;
- owner = "openssh";
- repo = "openssh-portable";
- };
-
- doCheck =
- if config.xinCI.enable
- then
- true
- else false;
-
- extraPatches = [ ./ssh-keysign-8.5.patch ];
- extraMeta.maintainers = with lib.maintainers; [ qbit ];
- };
-}