diff --git a/.cockpit.metadata b/.cockpit.metadata
index ef64377..4047f43 100644
--- a/.cockpit.metadata
+++ b/.cockpit.metadata
@@ -1,2 +1,2 @@
-850f91c2ee0d90d94c0c013c75c24f49eed5782d SOURCES/cockpit-276.1.tar.xz
+256de4a4ebadbf0c4d1b5b70727e5d9f00674bbe SOURCES/cockpit-286.1.tar.xz
 a37e1d6ad4b1b25729682c54ab7e4dcdcfd894a7 SOURCES/cockpit.css.gz
diff --git a/.gitignore b/.gitignore
index dcf3a41..d5e3cd2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/cockpit-276.1.tar.xz
+SOURCES/cockpit-286.1.tar.xz
 SOURCES/cockpit.css.gz
diff --git a/SPECS/cockpit.spec b/SPECS/cockpit.spec
index 922c8c1..7432221 100644
--- a/SPECS/cockpit.spec
+++ b/SPECS/cockpit.spec
@@ -46,10 +46,10 @@
 Name:           cockpit
 Summary:        Web Console for Linux servers
 
-License:        LGPLv2+
+License:        LGPL-2.1-or-later
 URL:            https://cockpit-project.org/
 
-Version:        276.1
+Version:        286.1
 Release:        1%{?dist}
 Source0:        https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz
 Source1:        cockpit.css.gz
@@ -74,6 +74,13 @@ Source1:        cockpit.css.gz
 %define build_optional 1
 %endif
 
+# Allow root login in Cockpit on RHEL 8 and lower as it also allows password login over SSH.
+%if 0%{?rhel} && 0%{?rhel} <= 8
+%define disallow_root 0
+%else
+%define disallow_root 1
+%endif
+
 # Ship custom SELinux policy (but not for cockpit-appstream)
 %if "%{name}" == "cockpit"
 %define selinuxtype targeted
@@ -147,6 +154,8 @@ Suggests: cockpit-pcp
 
 %if 0%{?rhel} == 0
 Recommends: (cockpit-networkmanager if NetworkManager)
+# c-ostree is not in RHEL 8/9
+Recommends: (cockpit-ostree if rpm-ostree)
 Suggests: cockpit-selinux
 %endif
 %if 0%{?rhel} && 0%{?centos} == 0
@@ -252,13 +261,13 @@ done
 for data in doc man pixmaps polkit-1; do
     rm -r %{buildroot}/%{_datadir}/$data
 done
-for lib in systemd tmpfiles.d; do
-    rm -r %{buildroot}/%{_prefix}/%{__lib}/$lib
-done
+rm -r %{buildroot}/%{_prefix}/%{__lib}/tmpfiles.d
+find %{buildroot}/%{_unitdir}/ -type f ! -name 'cockpit-session*' -delete
 for libexec in cockpit-askpass cockpit-session cockpit-ws cockpit-tls cockpit-wsinstance-factory cockpit-client cockpit-client.ui cockpit-desktop cockpit-certificate-helper cockpit-certificate-ensure; do
     rm %{buildroot}/%{_libexecdir}/$libexec
 done
-rm -r %{buildroot}/%{_libdir}/security %{buildroot}/%{_sysconfdir}/pam.d %{buildroot}/%{_sysconfdir}/motd.d %{buildroot}/%{_sysconfdir}/issue.d
+rm -r %{buildroot}/%{_sysconfdir}/pam.d %{buildroot}/%{_sysconfdir}/motd.d %{buildroot}/%{_sysconfdir}/issue.d
+rm -f %{buildroot}/%{_libdir}/security/pam_*
 rm %{buildroot}/usr/bin/cockpit-bridge
 rm -f %{buildroot}%{_libexecdir}/cockpit-ssh
 rm -f %{buildroot}%{_datadir}/metainfo/cockpit.appdata.xml
@@ -270,7 +279,9 @@ for pkg in apps packagekit pcp playground storaged; do
     rm -rf %{buildroot}/%{_datadir}/cockpit/$pkg
 done
 # files from -tests
-rm -r %{buildroot}/%{_prefix}/%{__lib}/cockpit-test-assets
+rm -f %{buildroot}/%{pamdir}/mock-pam-conv-mod.so
+rm -f %{buildroot}/%{_unitdir}/cockpit-session.socket
+rm -f %{buildroot}/%{_unitdir}/cockpit-session@.service
 # files from -pcp
 rm -r %{buildroot}/%{_libexecdir}/cockpit-pcp %{buildroot}/%{_localstatedir}/lib/pcp/
 # files from -storaged
@@ -295,6 +306,7 @@ cat kdump.list sosreport.list networkmanager.list selinux.list >> system.list
 rm -f %{buildroot}%{_datadir}/metainfo/org.cockpit-project.cockpit-sosreport.metainfo.xml
 rm -f %{buildroot}%{_datadir}/metainfo/org.cockpit-project.cockpit-kdump.metainfo.xml
 rm -f %{buildroot}%{_datadir}/metainfo/org.cockpit-project.cockpit-selinux.metainfo.xml
+rm -f %{buildroot}%{_datadir}/metainfo/org.cockpit-project.cockpit-networkmanager.metainfo.xml
 rm -f %{buildroot}%{_datadir}/pixmaps/cockpit-sosreport.png
 %endif
 
@@ -323,8 +335,6 @@ troubleshooting, interactive command-line sessions, and more.
 Summary: Cockpit bridge server-side component
 Requires: glib-networking
 Provides: cockpit-ssh = %{version}-%{release}
-# PR #10430 dropped workaround for ws' inability to understand x-host-key challenge
-Conflicts: cockpit-ws < 181.x
 # 233 dropped jquery.js, pages started to bundle it (commit 049e8b8dce)
 Conflicts: cockpit-dashboard < 233
 Conflicts: cockpit-networkmanager < 233
@@ -430,6 +440,7 @@ authentication via sssd/FreeIPA.
 # created in %post, so that users can rm the files
 %ghost %{_sysconfdir}/issue.d/cockpit.issue
 %ghost %{_sysconfdir}/motd.d/cockpit
+%ghost %attr(0644, root, root) %{_sysconfdir}/cockpit/disallowed-users
 %dir %{_datadir}/cockpit/motd
 %{_datadir}/cockpit/motd/update-motd
 %{_datadir}/cockpit/motd/inactive.motd
@@ -478,10 +489,16 @@ if [ -x %{_sbindir}/selinuxenabled ]; then
 fi
 
 # set up dynamic motd/issue symlinks on first-time install; don't bring them back on upgrades if admin removed them
+# disable root login on first-time install; so existing installations aren't changed
 if [ "$1" = 1 ]; then
     mkdir -p /etc/motd.d /etc/issue.d
     ln -s ../../run/cockpit/motd /etc/motd.d/cockpit
     ln -s ../../run/cockpit/motd /etc/issue.d/cockpit.issue
+    printf "# List of users which are not allowed to login to Cockpit\n" > /etc/cockpit/disallowed-users
+%if 0%{?disallow_root}
+    printf "root\n" >> /etc/cockpit/disallowed-users
+%endif
+    chmod 644 /etc/cockpit/disallowed-users
 fi
 
 %tmpfiles_create cockpit-tempfiles.conf
@@ -553,6 +570,7 @@ BuildArch: noarch
 The Cockpit component for managing networking.  This package uses NetworkManager.
 
 %files networkmanager -f networkmanager.list
+%{_datadir}/metainfo/org.cockpit-project.cockpit-networkmanager.metainfo.xml
 
 %endif
 
@@ -614,8 +632,8 @@ The Cockpit component for managing storage.  This package uses udisks.
 
 %package -n cockpit-tests
 Summary: Tests for Cockpit
-Requires: cockpit-bridge >= 138
-Requires: cockpit-system >= 138
+Requires: cockpit-bridge >= %{required_base}
+Requires: cockpit-system >= %{required_base}
 Requires: openssh-clients
 Provides: cockpit-test-assets = %{version}-%{release}
 
@@ -624,7 +642,9 @@ This package contains tests and files used while testing Cockpit.
 These files are not required for running Cockpit.
 
 %files -n cockpit-tests -f tests.list
-%{_prefix}/%{__lib}/cockpit-test-assets
+%{pamdir}/mock-pam-conv-mod.so
+%{_unitdir}/cockpit-session.socket
+%{_unitdir}/cockpit-session@.service
 
 %package -n cockpit-pcp
 Summary: Cockpit PCP integration
@@ -661,11 +681,33 @@ via PackageKit.
 
 # The changelog is automatically generated and merged
 %changelog
-* Thu Sep 15 2022 Martin Pitt <mpitt@redhat.com> - 276.1-1
-- login: Use valid selectors when testing for :is() / :where() support (rhbz#2126044)
+* Thu Feb 23 2023 Martin Pitt <mpitt@redhat.com> - 286.1-1
+- Users: Fix broken alignment of the first column in groups table
+- Translation updates (rhbz#2139715)
 
-* Mon Sep 12 2022 Martin Pitt <mpitt@redhat.com> - 276-1
-- Translation updates (rhbz#2062692)
+* Wed Feb 22 2023 Martin Pitt <mpitt@redhat.com> - 286-1
+- Metrics: control visibility of the resource usage graphs
+
+* Wed Feb 08 2023 Martin Pitt <mpitt@redhat.com> - 285-1
+- Cryptographic subpolicies support
+- users: Group creation and filtering support
+
+* Wed Jan 25 2023 Martin Pitt <mpitt@redhat.com> - 284-1
+- Services: Show logs for user units
+- Storage: Set up a system to use NBDE
+
+* Wed Jan 11 2023 Katerina Koukiou <kkoukiou@redhat.com> - 283-1
+- Services: Create timer to run every minute
+
+* Wed Dec 14 2022 Katerina Koukiou <kkoukiou@redhat.com> - 282-1
+- Add right-to-left language support
+- Accounts: Redesign and include groups
+- Dark theme switcher
+- tools: Disallow root login by default
+
+* Tue Nov 15 2022 Matej Marusak <mmarusak@redhat.com> - 279-1
+- Dark theme support
+- Metrics: Display individual disk read/write usage
 
 * Thu Aug 25 2022 Matej Marusak <mmarusak@redhat.com> - 275-1
 - shell: Support for alternatives to sudo (rhbz#2091034)