Then just exchange the ssh-server with one in the ports, compile it with wolfssl, openssl-(devel?), libressl or mbed TLS, whatever you want. The stuff in base is meant to be compatible and as slim as possible (for example the kerberos-server in base).
Or define the runtime options from the base-ssh-server in rc.conf (that's what i normally do):
sshd_enable="YES"
sshd_dsa_enable="NO"
sshd_ecdsa_enable="NO"
sshd_ed25519_enable="YES"
sshd_rsa_enable="NO"
If you want RSA=YES then you probably/maybe want to delete all moduli less then 4096.
Or define the runtime options from the base-ssh-server in rc.conf (that's what i normally do):
sshd_enable="YES"
sshd_dsa_enable="NO"
sshd_ecdsa_enable="NO"
sshd_ed25519_enable="YES"
sshd_rsa_enable="NO"
If you want RSA=YES then you probably/maybe want to delete all moduli less then 4096.
https://github.com/bsdlabs/ssh-hardening