diff --git a/.gitignore b/.gitignore
index bf63c7d..c5e19c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-/cryptsetup-2.3.6.tar.xz
+/cryptsetup-2.4.0-rc0.tar.xz
diff --git a/cryptsetup-2.3.6.tar.sign b/cryptsetup-2.3.6.tar.sign
deleted file mode 100644
index 3b218c3..0000000
--- a/cryptsetup-2.3.6.tar.sign
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAmCwxOgACgkQ2bBXe9k+
-mPzlCg//XVdN6WnGhf35DT2f39GpSUimEAmkK/P3xKYGouzlUEac20mzXsNvkv+H
-BpTN507H44ThgQENPAaKTea9FkqpZIcoBZcPnTXJOQ/ZIfR+iglb4zF9lR1PuVx7
-PuyVZ7BgMxM6lFvOwt5/bkktCDn8uX0nYvzqf9DXWVFUm973NayqftxsbgPa+4DT
-vW2E87sJOM2NLw6psPu3o+wYkKm4N1r+M9JCWNqY8bwvlV5YbW4yBifZl4oU+99l
-VXcqgSQunAvEzRPhtwCUxfYNRULx6xknNZVuwl37sSYgDpjjooy+6qjz1PX8g/qa
-4/Wc0u2q/QmIUq13D2dFdQIrfDaZEJe8d0/yyaCnxPlCVFOhmr31U08o2pK1zJSK
-duUqWVIKQNSFafygrPTeMRhZ1L2iwJZgjuCDyhoJSa62kGvYcLxjEoXjRmeiLXAn
-7aVrmbf4tmJUJ8EUden40JM7MxPeKwHfUhE4Aq//qDfPVId7YFdgnBh6PmwUcyRm
-HTyNJP8ULFX+u+v9C5YbXxb+h6xb65wzQDY1T1IPEJicIu/kv/syac/9QUkF9yG+
-Gsxaq9Ath2UYp7NW11/LXW0jmWVcM2eOfZi6xg8+vT6HWxG58Qzh//gPoLBpzBOj
-E94vQim+q+ky0ePAqi2uEfZUiiID2ns4JYeXoYkxx9aGl/eRrp8=
-=AlrZ
------END PGP SIGNATURE-----
diff --git a/cryptsetup-2.4.0-Fix-ssh-plugin-test.patch b/cryptsetup-2.4.0-Fix-ssh-plugin-test.patch
new file mode 100644
index 0000000..42173d4
--- /dev/null
+++ b/cryptsetup-2.4.0-Fix-ssh-plugin-test.patch
@@ -0,0 +1,24 @@
+From 0eb84931560a833d06fd99bfcbaeaec7ad3b6d13 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Fri, 2 Jul 2021 22:56:45 +0200
+Subject: [PATCH] Fix ssh-plugin test.
+
+---
+ tests/ssh-plugin-test | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/ssh-plugin-test b/tests/ssh-plugin-test
+index 70f04be1..e4a3c3b7 100755
+--- a/tests/ssh-plugin-test
++++ b/tests/ssh-plugin-test
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ 
+-[ -z "$CRUPTSETUP_PATH" ] && {
++[ -z "$CRYPTSETUP_PATH" ] && {
+ 	export LD_PRELOAD=./fake_token_path.so
+ 	CRYPTSETUP_PATH=".."
+ }
+-- 
+2.27.0
+
diff --git a/cryptsetup-2.4.0-rc0.tar.sign b/cryptsetup-2.4.0-rc0.tar.sign
new file mode 100644
index 0000000..1a4971c
--- /dev/null
+++ b/cryptsetup-2.4.0-rc0.tar.sign
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAmDe/aoACgkQ2bBXe9k+
+mPwLDg/+JV8o1uQf6uWbwtW8u7UiiIf6v/q+2T/CVgxyqZsc48yWb/Ug89AMDXVL
+EKawvzjZXlMZyEYLET52wP9GWDpF3S08feaqZ51ECskwhe4CRSNPQ8kfAP6i7YPm
+f/hJjU5b7ZU0syDaiqN0lXDRwJP16zSA7unp8XOMHteDsgxHVzY+b/+o9tw3bkKM
+a4hbUjxAPNIIrypU9mTuEEu+53TB7bAROXDJytwAr7GZDb1nZ64z3rD5Mzoh49S8
+4TQlm92mA72hiVho+TJwxlLdQ3Ckq4IBTUvoMfzWuWAL5VX/gCtCrc3kKh/ZUW1B
+oTSDwmKKUl6AAnkap25oVqERZaRc281cCsUl4uE+UbO1BhzwPW3oJlmCiRIm8q/I
+/0TELqPyhyxMOka5hbSxo/LQMaazb+dTmiAitBc4FbkW3dUaxLxewEZ3aSwNtcvR
+gW1rxhkWy7nCT3wM9fK2ftkX5+Tlq0ii0W9M7OcwG0bEx9zpyc9RngIwcn1R7+KZ
+sPNoLEOw6vKnTWhsWqrEB7le8vOHII0oFqhtmc6xIUB2d1BHSPuwKieWGLhLvs6A
+zNwvPl3pSiY+2vRDN7GPylfaKeQMGDRdpGMyHGpQOWm7qHNdYLDEbU023aHK89cK
+5R9Sz6qzzR/hzaSt/HN5cMZBVNCKhjqTVdmeYSp7bHWWUXl7XyQ=
+=OATs
+-----END PGP SIGNATURE-----
diff --git a/cryptsetup-2.4.0-tests-Do-not-guess-default-pbkdf-anymore.patch b/cryptsetup-2.4.0-tests-Do-not-guess-default-pbkdf-anymore.patch
new file mode 100644
index 0000000..549dea8
--- /dev/null
+++ b/cryptsetup-2.4.0-tests-Do-not-guess-default-pbkdf-anymore.patch
@@ -0,0 +1,254 @@
+From 9736f533bb90557e4522451b95e357920786f869 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Fri, 2 Jul 2021 21:55:40 +0200
+Subject: [PATCH] tests: Do not guess default pbkdf anymore.
+
+Instead of guessing get pbkdf defaults via libcryptsetup
+API.
+---
+ tests/api-test-2.c | 109 +++++++++++++++++++++++++++------------------
+ 1 file changed, 66 insertions(+), 43 deletions(-)
+
+diff --git a/tests/api-test-2.c b/tests/api-test-2.c
+index fe7363e1..c769e2ed 100644
+--- a/tests/api-test-2.c
++++ b/tests/api-test-2.c
+@@ -119,16 +119,6 @@ typedef int32_t key_serial_t;
+ #define PASS7 "bbb"
+ #define PASS8 "iii"
+ 
+-/* Allow to run without config.h */
+-#ifndef DEFAULT_LUKS1_HASH
+-  #define DEFAULT_LUKS1_HASH "sha256"
+-  #define DEFAULT_LUKS1_ITER_TIME 2000
+-  #define DEFAULT_LUKS2_ITER_TIME 2000
+-  #define DEFAULT_LUKS2_MEMORY_KB 1048576
+-  #define DEFAULT_LUKS2_PARALLEL_THREADS 4
+-  #define DEFAULT_LUKS2_PBKDF "argon2i"
+-#endif
+-
+ static int _fips_mode = 0;
+ 
+ static char *DEVICE_1 = NULL;
+@@ -145,6 +135,14 @@ unsigned int test_progress_steps;
+ 
+ struct crypt_device *cd = NULL, *cd2 = NULL;
+ 
++static const char *default_luks1_hash = NULL;
++static uint32_t default_luks1_iter_time = 0;
++
++static const char *default_luks2_pbkdf = NULL;
++static uint32_t default_luks2_iter_time = 0;
++static uint32_t default_luks2_memory_kb = 0;
++static uint32_t default_luks2_parallel_threads = 0;
++
+ // Helpers
+ 
+ static unsigned cpus_online(void)
+@@ -167,14 +165,14 @@ static uint32_t adjusted_pbkdf_memory(void)
+ 	uint64_t memory_kb;
+ 
+ 	if (pagesize <= 0 || pages <= 0)
+-		return DEFAULT_LUKS2_MEMORY_KB;
++		return default_luks2_memory_kb;
+ 
+ 	memory_kb = pagesize / 1024 * pages / 2;
+ 
+-	if (memory_kb < DEFAULT_LUKS2_MEMORY_KB)
++	if (memory_kb < default_luks2_memory_kb)
+ 		return (uint32_t)memory_kb;
+ 
+-	return DEFAULT_LUKS2_MEMORY_KB;
++	return default_luks2_memory_kb;
+ }
+ 
+ static unsigned _min(unsigned a, unsigned b)
+@@ -225,6 +223,28 @@ static int get_luks2_offsets(int metadata_device,
+ 	return 0;
+ }
+ 
++static bool get_luks_pbkdf_defaults(void)
++{
++	const struct crypt_pbkdf_type *pbkdf_defaults = crypt_get_pbkdf_default(CRYPT_LUKS1);
++
++	if (!pbkdf_defaults)
++		return false;
++
++	default_luks1_hash = pbkdf_defaults->hash;
++	default_luks1_iter_time = pbkdf_defaults->time_ms;
++
++	pbkdf_defaults = crypt_get_pbkdf_default(CRYPT_LUKS2);
++	if (!pbkdf_defaults)
++		return false;
++
++	default_luks2_pbkdf = pbkdf_defaults->type;
++	default_luks2_iter_time = pbkdf_defaults->time_ms;
++	default_luks2_memory_kb = pbkdf_defaults->max_memory_kb;
++	default_luks2_parallel_threads = pbkdf_defaults->parallel_threads;
++
++	return true;
++}
++
+ static void _remove_keyfiles(void)
+ {
+ 	remove(KEYFILE1);
+@@ -413,6 +433,9 @@ static int _setup(void)
+ 	/* Use default log callback */
+ 	crypt_set_log_callback(NULL, &global_log_callback, NULL);
+ 
++	if (!get_luks_pbkdf_defaults())
++		return 1;
++
+ 	return 0;
+ }
+ 
+@@ -2541,17 +2564,17 @@ static void Pbkdf(void)
+ 	const char *cipher = "aes", *mode="xts-plain64";
+ 	struct crypt_pbkdf_type argon2 = {
+ 		.type = CRYPT_KDF_ARGON2I,
+-		.hash = DEFAULT_LUKS1_HASH,
++		.hash = default_luks1_hash,
+ 		.time_ms = 6,
+ 		.max_memory_kb = 1024,
+ 		.parallel_threads = 1
+ 	}, pbkdf2 = {
+ 		.type = CRYPT_KDF_PBKDF2,
+-		.hash = DEFAULT_LUKS1_HASH,
++		.hash = default_luks1_hash,
+ 		.time_ms = 9
+ 	}, bad = {
+ 		.type = "hamster_pbkdf",
+-		.hash = DEFAULT_LUKS1_HASH
++		.hash = default_luks1_hash
+ 	};
+ 	struct crypt_params_plain params = {
+ 		.hash = "sha1",
+@@ -2607,7 +2630,7 @@ static void Pbkdf(void)
+ 	OK_(crypt_set_pbkdf_type(cd, &pbkdf2));
+ 	OK_(crypt_set_pbkdf_type(cd, NULL));
+ 	NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
+-	EQ_(pbkdf->time_ms, DEFAULT_LUKS1_ITER_TIME);
++	EQ_(pbkdf->time_ms, default_luks1_iter_time);
+ 	CRYPT_FREE(cd);
+ 	// test value set in crypt_set_iteration_time() can be obtained via following crypt_get_pbkdf_type()
+ 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+@@ -2617,7 +2640,7 @@ static void Pbkdf(void)
+ 	EQ_(pbkdf->time_ms, 42);
+ 	// test crypt_get_pbkdf_type() returns expected values for LUKSv1
+ 	OK_(strcmp(pbkdf->type, CRYPT_KDF_PBKDF2));
+-	OK_(strcmp(pbkdf->hash, DEFAULT_LUKS1_HASH));
++	OK_(strcmp(pbkdf->hash, default_luks1_hash));
+ 	EQ_(pbkdf->max_memory_kb, 0);
+ 	EQ_(pbkdf->parallel_threads, 0);
+ 	crypt_set_iteration_time(cd, 43);
+@@ -2648,11 +2671,11 @@ static void Pbkdf(void)
+ 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ 	OK_(crypt_format(cd, CRYPT_LUKS2, cipher, mode, NULL, NULL, 32, NULL));
+ 	NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
+-	OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF));
+-	OK_(strcmp(pbkdf->hash, DEFAULT_LUKS1_HASH));
+-	EQ_(pbkdf->time_ms, DEFAULT_LUKS2_ITER_TIME);
++	OK_(strcmp(pbkdf->type, default_luks2_pbkdf));
++	OK_(strcmp(pbkdf->hash, default_luks1_hash));
++	EQ_(pbkdf->time_ms, default_luks2_iter_time);
+ 	EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory());
+-	EQ_(pbkdf->parallel_threads, _min(cpus_online(), DEFAULT_LUKS2_PARALLEL_THREADS));
++	EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads));
+ 	// set and verify argon2 type
+ 	OK_(crypt_set_pbkdf_type(cd, &argon2));
+ 	NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
+@@ -2673,11 +2696,11 @@ static void Pbkdf(void)
+ 	crypt_set_iteration_time(cd, 1); // it's supposed to override this call
+ 	OK_(crypt_set_pbkdf_type(cd, NULL));
+ 	NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
+-	OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF));
+-	OK_(strcmp(pbkdf->hash, DEFAULT_LUKS1_HASH));
+-	EQ_(pbkdf->time_ms, DEFAULT_LUKS2_ITER_TIME);
++	OK_(strcmp(pbkdf->type, default_luks2_pbkdf));
++	OK_(strcmp(pbkdf->hash, default_luks1_hash));
++	EQ_(pbkdf->time_ms, default_luks2_iter_time);
+ 	EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory());
+-	EQ_(pbkdf->parallel_threads, _min(cpus_online(), DEFAULT_LUKS2_PARALLEL_THREADS));
++	EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads));
+ 	// try to pass illegal values
+ 	argon2.parallel_threads = 0;
+ 	FAIL_(crypt_set_pbkdf_type(cd, &argon2), "Parallel threads can't be 0");
+@@ -2695,7 +2718,7 @@ static void Pbkdf(void)
+ 	bad.hash = NULL;
+ 	FAIL_(crypt_set_pbkdf_type(cd, &bad), "Hash member is empty");
+ 	bad.type = NULL;
+-	bad.hash = DEFAULT_LUKS1_HASH;
++	bad.hash = default_luks1_hash;
+ 	FAIL_(crypt_set_pbkdf_type(cd, &bad), "Pbkdf type member is empty");
+ 	bad.hash = "hamster_hash";
+ 	FAIL_(crypt_set_pbkdf_type(cd, &pbkdf2), "Unknown hash member");
+@@ -2704,18 +2727,18 @@ static void Pbkdf(void)
+ 	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+ 	OK_(crypt_load(cd, CRYPT_LUKS, NULL));
+ 	NOTNULL_(pbkdf = crypt_get_pbkdf_type(cd));
+-	OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF));
+-	OK_(strcmp(pbkdf->hash, DEFAULT_LUKS1_HASH));
+-	EQ_(pbkdf->time_ms, DEFAULT_LUKS2_ITER_TIME);
++	OK_(strcmp(pbkdf->type, default_luks2_pbkdf));
++	OK_(strcmp(pbkdf->hash, default_luks1_hash));
++	EQ_(pbkdf->time_ms, default_luks2_iter_time);
+ 	EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory());
+-	EQ_(pbkdf->parallel_threads, _min(cpus_online(), DEFAULT_LUKS2_PARALLEL_THREADS));
++	EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads));
+ 	crypt_set_iteration_time(cd, 1);
+ 	OK_(crypt_load(cd, CRYPT_LUKS, NULL));
+-	OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF));
+-	OK_(strcmp(pbkdf->hash, DEFAULT_LUKS1_HASH));
++	OK_(strcmp(pbkdf->type, default_luks2_pbkdf));
++	OK_(strcmp(pbkdf->hash, default_luks1_hash));
+ 	EQ_(pbkdf->time_ms, 1);
+ 	EQ_(pbkdf->max_memory_kb, adjusted_pbkdf_memory());
+-	EQ_(pbkdf->parallel_threads, _min(cpus_online(), DEFAULT_LUKS2_PARALLEL_THREADS));
++	EQ_(pbkdf->parallel_threads, _min(cpus_online(), default_luks2_parallel_threads));
+ 	CRYPT_FREE(cd);
+ 
+ 	// test crypt_set_pbkdf_type() overwrites invalid value set by crypt_set_iteration_time()
+@@ -2766,17 +2789,17 @@ static void Pbkdf(void)
+ 
+ 	NOTNULL_(pbkdf = crypt_get_pbkdf_default(CRYPT_LUKS1));
+ 	OK_(strcmp(pbkdf->type, CRYPT_KDF_PBKDF2));
+-	EQ_(pbkdf->time_ms, DEFAULT_LUKS1_ITER_TIME);
+-	OK_(strcmp(pbkdf->hash, DEFAULT_LUKS1_HASH));
++	EQ_(pbkdf->time_ms, default_luks1_iter_time);
++	OK_(strcmp(pbkdf->hash, default_luks1_hash));
+ 	EQ_(pbkdf->max_memory_kb, 0);
+ 	EQ_(pbkdf->parallel_threads, 0);
+ 
+ 	NOTNULL_(pbkdf = crypt_get_pbkdf_default(CRYPT_LUKS2));
+-	OK_(strcmp(pbkdf->type, DEFAULT_LUKS2_PBKDF));
+-	EQ_(pbkdf->time_ms, DEFAULT_LUKS2_ITER_TIME);
+-	OK_(strcmp(pbkdf->hash, DEFAULT_LUKS1_HASH));
+-	EQ_(pbkdf->max_memory_kb, DEFAULT_LUKS2_MEMORY_KB);
+-	EQ_(pbkdf->parallel_threads, DEFAULT_LUKS2_PARALLEL_THREADS);
++	OK_(strcmp(pbkdf->type, default_luks2_pbkdf));
++	EQ_(pbkdf->time_ms, default_luks2_iter_time);
++	OK_(strcmp(pbkdf->hash, default_luks1_hash));
++	EQ_(pbkdf->max_memory_kb, default_luks2_memory_kb);
++	EQ_(pbkdf->parallel_threads, default_luks2_parallel_threads);
+ 
+ 	NULL_(pbkdf = crypt_get_pbkdf_default(CRYPT_PLAIN));
+ 
+@@ -3149,13 +3172,13 @@ static void Luks2Requirements(void)
+ 	const char *token, *json = "{\"type\":\"test_token\",\"keyslots\":[]}";
+ 	struct crypt_pbkdf_type argon2 = {
+ 		.type = CRYPT_KDF_ARGON2I,
+-		.hash = DEFAULT_LUKS1_HASH,
++		.hash = default_luks1_hash,
+ 		.time_ms = 6,
+ 		.max_memory_kb = 1024,
+ 		.parallel_threads = 1
+ 	}, pbkdf2 = {
+ 		.type = CRYPT_KDF_PBKDF2,
+-		.hash = DEFAULT_LUKS1_HASH,
++		.hash = default_luks1_hash,
+ 		.time_ms = 9
+ 	};
+ 	struct crypt_token_params_luks2_keyring params_get, params = {
+-- 
+2.27.0
+
diff --git a/cryptsetup.spec b/cryptsetup.spec
index d604d98..0c62be9 100644
--- a/cryptsetup.spec
+++ b/cryptsetup.spec
@@ -1,20 +1,20 @@
 Summary: Utility for setting up encrypted disks
 Name: cryptsetup
-Version: 2.3.6
+Version: 2.4.0~rc0
 Release: 1%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://gitlab.com/cryptsetup/cryptsetup
 BuildRequires: openssl-devel, popt-devel, device-mapper-devel
 BuildRequires: libuuid-devel, gcc, json-c-devel, libargon2-devel
 BuildRequires: libpwquality-devel, libblkid-devel
-BuildRequires: make
-Provides: cryptsetup-luks = %{version}-%{release}
-Obsoletes: cryptsetup-luks < 1.4.0
+BuildRequires: make libssh-devel
 Requires: cryptsetup-libs = %{version}-%{release}
 Requires: libpwquality >= 1.2.0
 
-%global upstream_version %{version}
-Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-%{upstream_version}.tar.xz
+%global upstream_version %{version_no_tilde}
+Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-%{upstream_version}.tar.xz
+Patch0: %{name}-2.4.0-tests-Do-not-guess-default-pbkdf-anymore.patch
+Patch1: %{name}-2.4.0-Fix-ssh-plugin-test.patch
 # Following patch has to applied last
 Patch9999: %{name}-add-system-library-paths.patch
 
@@ -26,8 +26,6 @@ disk encryption using dm-crypt kernel module.
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Requires: pkgconfig
 Summary: Headers and libraries for using encrypted file systems
-Provides: cryptsetup-luks-devel = %{version}-%{release}
-Obsoletes: cryptsetup-luks-devel < 1.4.0
 
 %description devel
 The cryptsetup-devel package contains libraries and header files
@@ -35,12 +33,17 @@ used for writing code that makes use of disk encryption.
 
 %package libs
 Summary: Cryptsetup shared library
-Provides: cryptsetup-luks-libs = %{version}-%{release}
-Obsoletes: cryptsetup-luks-libs < 1.4.0
 
 %description libs
 This package contains the cryptsetup shared library, libcryptsetup.
 
+%package ssh-token
+Summary: Cryptsetup LUKS2 SSH token
+Requires: cryptsetup-libs = %{version}-%{release}
+
+%description ssh-token
+This package contains the LUKS2 SSH token.
+
 %package -n veritysetup
 Summary: A utility for setting up dm-verity volumes
 Requires: cryptsetup-libs = %{version}-%{release}
@@ -67,7 +70,6 @@ can be used for offline reencryption of disk in situ.
 
 %prep
 %autosetup -n cryptsetup-%{upstream_version} -p 1
-chmod -x misc/dracut_90reencrypt/*
 
 %build
 %configure --enable-fips --enable-pwquality --enable-libargon2
@@ -75,7 +77,9 @@ chmod -x misc/dracut_90reencrypt/*
 
 %install
 %make_install
+mkdir -p -m 0755 $RPM_BUILD_ROOT%{_libdir}/%{name}/
 rm -rf %{buildroot}%{_libdir}/*.la
+rm -rf %{buildroot}%{_libdir}/%{name}/*.la
 
 %find_lang cryptsetup
 
@@ -99,7 +103,6 @@ rm -rf %{buildroot}%{_libdir}/*.la
 
 %files reencrypt
 %license COPYING
-%doc misc/dracut_90reencrypt
 %{_mandir}/man8/cryptsetup-reencrypt.8.gz
 %{_sbindir}/cryptsetup-reencrypt
 
@@ -112,10 +115,22 @@ rm -rf %{buildroot}%{_libdir}/*.la
 %files libs -f cryptsetup.lang
 %license COPYING COPYING.LGPL
 %{_libdir}/libcryptsetup.so.*
+%dir %{_libdir}/%{name}/
 %{_tmpfilesdir}/cryptsetup.conf
 %ghost %attr(700, -, -) %dir /run/cryptsetup
 
+%files ssh-token
+%license COPYING COPYING.LGPL
+%{_libdir}/%{name}/libcryptsetup-token-ssh.so
+%{_mandir}/man8/cryptsetup-ssh.8.gz
+%{_sbindir}/cryptsetup-ssh
+
 %changelog
+* Fri Jul 02 2021 Ondrej Kozina <okozina@redhat.com> - 2.4.0~rc0-1
+- Update to cryptsetup 2.4.0-rc0.
+- add experimental cryptsetup-ssh token subpackage
+- spec file cleanup
+
 * Fri May 28 2021 Milan Broz <gmazyland@gmail.com> - 2.3.6-1
 - Update to cryptsetup 2.3.6.
 
diff --git a/sources b/sources
index e035a34..3422c2c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (cryptsetup-2.3.6.tar.xz) = 5b25cc806140d24181a0e4f0e7b0bd3caa8263aa502e8633b41c980f06ecba2e6acbf9c2d9cc4a785d38ce90d86dd8d22c52b28b9ca4a15824c2e8bdb3656665
+SHA512 (cryptsetup-2.4.0-rc0.tar.xz) = ed80cc7a1763cf0e788bd72eee979640d6133b98a7b294a3fa09c608273eef172c2d56d80802433143d01063a0c142e68ea06465392b273fc2615b8f90273b25
diff --git a/tests/tests.yml b/tests/tests.yml
index 2eb23b5..e78cd2b 100644
--- a/tests/tests.yml
+++ b/tests/tests.yml
@@ -12,10 +12,12 @@
         run: make -f Makefile.localtest tests
     environment:
         CRYPTSETUP_PATH: /sbin
+        RUN_SSH_PLUGIN_TEST: 1
     required_packages:
     - cryptsetup
     - cryptsetup-devel
     - cryptsetup-reencrypt
+    - cryptsetup-ssh-token
     - integritysetup
     - veritysetup
     - gcc
@@ -27,3 +29,7 @@
     - jq
     - vim-common
     - sharutils
+    - openssh
+    - nmap-ncat
+    - sshpass
+    - shadow-utils