--- hpn-ssh-hpn-18.4.2/pathnames.h.orig
+++ hpn-ssh-hpn-18.4.2/pathnames.h
@@ -42,6 +42,7 @@
 #define _PATH_HOST_XMSS_KEY_FILE	SSHDIR "/ssh_host_xmss_key"
 #define _PATH_HOST_RSA_KEY_FILE		SSHDIR "/ssh_host_rsa_key"
 #define _PATH_DH_MODULI			SSHDIR "/moduli"
+#define _PATH_DEFAULT_LOGIN		ETCDIR "/default/login"
 
 #ifndef _PATH_SSH_PROGRAM
 #define _PATH_SSH_PROGRAM		"/usr/bin/hpnssh"
--- hpn-ssh-hpn-18.4.2/servconf.c.orig
+++ hpn-ssh-hpn-18.4.2/servconf.c
@@ -36,6 +36,7 @@
 #include <unistd.h>
 #include <limits.h>
 #include <stdarg.h>
+#include <deflt.h>
 #include <errno.h>
 #ifdef HAVE_UTIL_H
 #include <util.h>
@@ -224,6 +225,64 @@
 	return o == NULL || strcasecmp(o, "none") == 0;
 }
 
+/*
+ * Reads /etc/default/login and defaults several ServerOptions:
+ *
+ * PermitRootLogin
+ * PermitEmptyPasswords
+ * LoginGraceTime
+ *
+ * CONSOLE=*      -> PermitRootLogin=without-password
+ * #CONSOLE=*     -> PermitRootLogin=yes
+ *
+ * PASSREQ=YES    -> PermitEmptyPasswords=no
+ * PASSREQ=NO     -> PermitEmptyPasswords=yes
+ * #PASSREQ=*     -> PermitEmptyPasswords=no
+ *
+ * TIMEOUT=<secs> -> LoginGraceTime=<secs>
+ * #TIMEOUT=<secs> -> LoginGraceTime=300
+ */
+static void
+deflt_fill_default_server_options(ServerOptions *options)
+{
+	int	flags;
+	char	*ptr;
+
+	if (defopen(_PATH_DEFAULT_LOGIN))
+		return;
+
+	/* Ignore case */
+	flags = defcntl(DC_GETFLAGS, 0);
+	TURNOFF(flags, DC_CASE);
+	(void) defcntl(DC_SETFLAGS, flags);
+
+	if (options->permit_root_login == PERMIT_NOT_SET &&
+	    (ptr = defread("CONSOLE=")) != NULL)
+		options->permit_root_login = PERMIT_NO_PASSWD;
+
+	if (options->permit_empty_passwd == -1 &&
+	    (ptr = defread("PASSREQ=")) != NULL) {
+		if (strcasecmp("YES", ptr) == 0)
+			options->permit_empty_passwd = 0;
+		else if (strcasecmp("NO", ptr) == 0)
+			options->permit_empty_passwd = 1;
+	}
+
+	if (options->max_authtries == -1 &&
+	    (ptr = defread("RETRIES=")) != NULL) {
+		options->max_authtries = atoi(ptr);
+	}
+
+	if (options->login_grace_time == -1) {
+		if ((ptr = defread("TIMEOUT=")) != NULL)
+			options->login_grace_time = (unsigned)atoi(ptr);
+		else
+			options->login_grace_time = 300;
+	}
+
+	(void) defopen((char *)NULL);
+}
+
 static void
 assemble_algorithms(ServerOptions *o)
 {
@@ -304,6 +363,8 @@
 		options->use_pam = 0;
 #endif
 
+	deflt_fill_default_server_options(options);
+
 	/* Standard Options */
 	if (options->num_host_key_files == 0) {
 		/* fill default hostkeys for protocols */
--- hpn-ssh-hpn-18.4.2/hpnsshd_config.5.orig
+++ hpn-ssh-hpn-18.4.2/hpnsshd_config.5
@@ -1349,7 +1349,14 @@
 connection.
 Once the number of failures reaches half this value,
 additional failures are logged.
-The default is 6.
+The default is 6, or the value given by
+.Dq RETRIES=
+in the file
+.Pa /etc/default/login ,
+if available
+.Po see
+.Xr login 1
+.Pc .
 .It Cm MaxSessions
 Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
 sessions permitted per network connection.
@@ -1437,7 +1444,14 @@
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
 The default is
-.Cm no .
+.Cm no
+unless
+.Dq PASSREQ=YES
+is present in
+.Pa /etc/default/login
+.Po see
+.Xr login 1
+.Pc .
 .It Cm PermitListen
 Specifies the addresses/ports on which a remote TCP port forwarding may listen.
 The listen specification must be one of the following forms: