diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -937,8 +937,8 @@
 sshbuf_free(buffer);
 return (0);
 }
- BLACKLIST_NOTIFY(NULL, BLACKLIST_BAD_USER,
- sshpam_authctxt->user);
+ BLACKLIST_NOTIFY(NULL, BLACKLIST_AUTH_FAIL,
+ "PAM illegal user");
 error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? "" : "illegal user ", sshpam_authctxt->user, sshpam_rhost);
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -289,7 +289,8 @@
 else {
 authmsg = authenticated ? "Accepted" : "Failed";
 if (authenticated)
- BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK, "ssh");
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK,
+ "Authenticated");
 }
 if ((extra = format_method_key(authctxt)) == NULL) {
@@ -338,6 +339,7 @@
 {
 Authctxt *authctxt = (Authctxt *)ssh->authctxt;
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Maximum attempts exceeded");
 error("maximum authentication attempts exceeded for " "%s%.100s from %.200s port %d ssh2", authctxt->valid ? "" : "invalid user ",
@@ -498,7 +500,7 @@
 aix_restoreauthdb();
 #endif
 if (pw == NULL) {
- BLACKLIST_NOTIFY(ssh, BLACKLIST_BAD_USER, user);
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Invalid user");
 logit("Invalid user %.100s from %.100s port %d", user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
 #ifdef CUSTOM_FAILED_LOGIN
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -52,7 +52,6 @@
 #include "dispatch.h"
 #include "pathnames.h"
 #include "ssherr.h"
-#include "blacklist_client.h"
 #ifdef GSSAPI
 #include "ssh-gss.h"
 #endif
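Review bot: Passing NULL as the ssh argument is only valid because blacklist_notify() (blacklist.c hunk on this page) now substitutes the_active_state for a NULL ssh and returns quietly when that is NULL as well; nothing at this call site says so, and a reader of auth-pam.c alone will take it for a bug. A one-line comment would fix that: `/* NULL ssh: blacklist_notify() falls back to the_active_state */`. The action also changes from BLACKLIST_BAD_USER to BLACKLIST_AUTH_FAIL with a constant message in place of the user-supplied name; if blacklistd weighs the two actions differently this is a behaviour change that the commit message should state. The PAM function enclosing this call starts and ends outside the hunk.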
@@ -443,10 +442,8 @@
 } else {
 /* Allow initial try of "none" auth without failure penalty */
 if (!partial && !authctxt->server_caused_failure &&
- (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
+ (authctxt->attempt > 1 || strcmp(method, "none") != 0))
 authctxt->failures++;
- BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh");
- }
 if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
 mm_audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES);
diff --git a/crypto/openssh/blacklist.c b/crypto/openssh/blacklist.c
--- a/crypto/openssh/blacklist.c
+++ b/crypto/openssh/blacklist.c
@@ -50,6 +50,7 @@
 #include "blacklist_client.h"
 static struct blacklist *blstate = NULL;
+extern struct ssh *the_active_state; /* import */
 extern ServerOptions options;
@@ -57,7 +58,7 @@
 /* internal definition from bl.h */
 struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list));
-/* impedence match vsyslog() to sshd's internal logging levels */
+/* impedance match vsyslog() to sshd's internal logging levels */
 void
 im_log(int priority, const char *message, va_list args)
 {
@@ -82,7 +83,6 @@
 void
 blacklist_init(void)
 {
- if (options.use_blacklist)
 blstate = bl_create(false, NULL, im_log);
 }
@@ -90,8 +90,17 @@
 void
 blacklist_notify(struct ssh *ssh, int action, const char *msg)
 {
-
- if (blstate != NULL && ssh_packet_connection_is_on_socket(ssh))
+ if (ssh == NULL)
+ ssh = the_active_state;
+ if (ssh == NULL)
+ return;
+ if (blstate == NULL)
+ return;
+ if (ssh_packet_connection_is_on_socket(ssh))
 (void)blacklist_r(blstate, action,
- ssh_packet_get_connection_in(ssh), msg);
+ ssh_packet_get_connection_in(ssh), msg);
+ if (action == 0) {
+ blacklist_close(blstate);
+ blstate = NULL;
+ }
 }
diff --git a/crypto/openssh/blacklist_client.h b/crypto/openssh/blacklist_client.h
--- a/crypto/openssh/blacklist_client.h
+++ b/crypto/openssh/blacklist_client.h
@@ -57,5 +57,4 @@
 #endif
-
 #endif /* BLACKLIST_CLIENT_H */
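Review bot: Dropping the per-attempt BLACKLIST_NOTIFY here means a failed method that stays below options.max_authtries is no longer reported at the point of failure; on this page the remaining failure reports are the max-tries path in auth.c, the invalid-user and PAM paths, the monitor's fatal paths, grace-period expiry and the exit-255 path in sshd-session.c. If one report per connection rather than per attempt is the intent, say so where the old call was, e.g. `/* Failures are reported to blacklistd once, at max-tries or on exit, not per attempt. */`, since a later reader will otherwise wonder why only `failures++` survives. Whether a client that fails fewer than max-tries attempts and then disconnects is still reported depends on auth_attempted being set on that path, which this page does not show. The enclosing function starts and ends outside the hunk.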
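Review bot: `if (action == 0)` in blacklist_notify() tests a bare literal while every caller in this diff spells the action as BLACKLIST_AUTH_OK or BLACKLIST_AUTH_FAIL; assuming the macro expands to 0 (its definition is not on this page), write `if (action == BLACKLIST_AUTH_OK) {` so the intent is visible. Closing and NULLing blstate on that path makes every later call return silently at the `blstate == NULL` guard, which is presumably the intent (nothing more to report after a successful login) but deserves a comment above the block, e.g. `/* A successful login ends reporting for this connection; release the state. */`. The NULL-ssh fallback to the_active_state should also be documented on the function, since at least the auth-pam.c caller on this page relies on it; a two-line comment on the definition stating that NULL means the active connection and that calls before BLACKLIST_INIT() or after a success are no-ops would do.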
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@@ -98,6 +98,8 @@
 #include "sk-api.h"
 #include "srclimit.h"
+#include "blacklist_client.h"
+
 #ifdef GSSAPI
 static Gssctxt *gsscontext = NULL;
 #endif
@@ -347,16 +349,24 @@
 }
 }
 if (authctxt->failures > options.max_authtries) {
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
+ "Too many authentication attempts");
 /* Shouldn't happen */
 fatal_f("privsep child made too many authentication " "attempts");
 }
 }
- if (!authctxt->valid)
+ if (!authctxt->valid) {
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
+ "Authenticated invalid user");
 fatal_f("authenticated invalid user");
- if (strcmp(auth_method, "unknown") == 0)
+ }
+ if (strcmp(auth_method, "unknown") == 0) {
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL,
+ "Authentication method name unknown");
 fatal_f("authentication method name unknown");
+ }
 debug_f("user %s authenticated by privileged process", authctxt->user);
 auth_attempted = 0;
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
--- a/crypto/openssh/packet.c
+++ b/crypto/openssh/packet.c
@@ -96,7 +96,6 @@
 #include "packet.h"
 #include "ssherr.h"
 #include "sshbuf.h"
-#include "blacklist_client.h"
 #ifdef PACKET_DEBUG
 #define DBG(x) x
@@ -2022,7 +2021,6 @@
 case SSH_ERR_NO_KEX_ALG_MATCH:
 case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
 if (ssh->kex && ssh->kex->failed_choice) {
- BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh");
 ssh_packet_clear_keys(ssh);
 errno = oerrno;
 logdie("Unable to negotiate with %s: %s. "
diff --git a/crypto/openssh/sshd-session.c b/crypto/openssh/sshd-session.c
--- a/crypto/openssh/sshd-session.c
+++ b/crypto/openssh/sshd-session.c
@@ -109,6 +109,7 @@
 #include "sk-api.h"
 #include "srclimit.h"
 #include "dh.h"
+
 #include "blacklist_client.h"
 /* Re-exec fds */
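Review bot: The `/* Shouldn't happen */` comment is now separated from the `if (authctxt->failures > options.max_authtries)` test it explains by the two new BLACKLIST_NOTIFY lines; move it directly under the `if` so the three new notify-then-fatal_f paths read the same way. All three pairs repeat the fatal_f message almost verbatim as the blacklist message, which is acceptable for three sites, but a small static helper that notifies and then calls fatal_f would keep the two strings from drifting if more are added. The enclosing monitor function starts and ends outside the hunk.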
@@ -204,6 +205,8 @@
 static void
 grace_alarm_handler(int sig)
 {
+ BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL,
+ "Grace period expired");
 /*
 * Try to kill any processes that we have spawned, E.g. authorized
 * keys command helpers or privsep children.
@@ -1220,6 +1223,8 @@
 ssh_signal(SIGCHLD, SIG_DFL);
 ssh_signal(SIGINT, SIG_DFL);
+ BLACKLIST_INIT();
+
 /*
 * Register our connection. This turns encryption off because we do
 * not have a key.
@@ -1296,8 +1301,10 @@
 }
 if ((r = kex_exchange_identification(ssh, -1,
- options.version_addendum)) != 0)
+ options.version_addendum)) != 0) {
+ BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "Banner exchange");
 sshpkt_fatal(ssh, r, "banner exchange");
+ }
 ssh_packet_set_nonblocking(ssh);
@@ -1317,8 +1324,6 @@
 fatal("sshbuf_new loginmsg failed");
 auth_debug_reset();
- BLACKLIST_INIT();
-
 if (privsep_preauth(ssh) == 1)
 goto authenticated;
@@ -1517,7 +1522,10 @@
 audit_event(the_active_state, SSH_CONNECTION_ABANDON);
 #endif
 /* Override default fatal exit value when auth was attempted */
- if (i == 255 && auth_attempted)
+ if (i == 255 && auth_attempted) {
+ BLACKLIST_NOTIFY(the_active_state, BLACKLIST_AUTH_FAIL,
+ "Fatal exit");
 _exit(EXIT_AUTH_ATTEMPTED);
+ }
 _exit(i);
 }
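Review bot: This makes blacklist_notify() run inside a signal handler; on this page it calls ssh_packet_connection_is_on_socket() and blacklist_r(), and blacklist_r() is a libblacklist call that may open its socket lazily and report errors through the im_log() callback, which routes into sshd's logging and is presumably not async-signal-safe. The rest of grace_alarm_handler is outside the hunk, so if it already terminates through the logging path the project may accept this, but the choice should be recorded: `/* NOTE: signal-handler context; blacklist_r() may log via im_log() on error. */`. Passing the_active_state explicitly is fine here, though the NULL fallback in blacklist_notify() would resolve to the same object.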