diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index ef9b03f25b5c8..f70fd678f68f0 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -48,6 +48,31 @@ in
     };
   };
 
+  openssh_10_2 = common rec {
+    pname = "openssh";
+    version = "10.2p1";
+
+    src = fetchurl {
+      url = urlFor version;
+      hash = "sha256-zMQsBBmTeVkmP6Hb0W2vwYxWuYTANWLSk3zlamD3mLI=";
+    };
+
+    extraPatches = [
+      # Use ssh-keysign from PATH
+      # ssh-keysign is used for host-based authentication, and is designed to be used
+      # as SUID-root program. OpenSSH defaults to referencing it from libexec, which
+      # cannot be made SUID in Nix.
+      ./ssh-keysign-8.5.patch
+    ];
+    extraMeta = {
+      maintainers = with lib.maintainers; [
+        philiptaron
+        numinit
+      ];
+      teams = [ lib.teams.helsinki-systems ];
+    };
+  };
+
   openssh_hpn = common rec {
     pname = "openssh-with-hpn";
     version = "10.2p1";
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 1d243c105b5e6..a7560fc88d1c3 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -3612,6 +3612,10 @@ with pkgs;
     etcDir = "/etc/ssh";
   };
 
+  openssh_10_2 = opensshPackages.openssh_10_2.override {
+    etcDir = "/etc/ssh";
+  };
+
   opensshTest = openssh.tests.openssh;
 
   opensshWithKerberos = openssh.override {