diff --git a/openssh-8.0p1-gssapi-keyex.patch b/openssh-8.0p1-gssapi-keyex.patch
index 1e5b888..82b2bfe 100644
--- a/openssh-8.0p1-gssapi-keyex.patch
+++ b/openssh-8.0p1-gssapi-keyex.patch
@@ -1124,6 +1124,50 @@ diff --color -ruNp a/gss-serv-krb5.c b/gss-serv-krb5.c
 diff --color -ruNp a/kex.c b/kex.c
 --- a/kex.c	2024-07-01 06:36:28.000000000 +0200
 +++ b/kex.c	2024-08-28 12:35:41.249432103 +0200
+@@ -303,17 +303,37 @@ static int
+ kex_compose_ext_info_server(struct ssh *ssh, struct sshbuf *m)
+ {
+ 	int r;
++	int have_key = 0;
++	int ext_count = 2;
++
++#ifdef GSSAPI
++	/*
++	 * Currently GSS KEX don't provide host keys as optional message, so
++	 * no reasons to announce the publickey-hostbound extension
++	 */
++	if (ssh->kex->gss == NULL)
++	    have_key = 1;
++#endif
++	ext_count += have_key;
++
+ 
+ 	if (ssh->kex->server_sig_algs == NULL &&
+ 	    (ssh->kex->server_sig_algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
+ 		return SSH_ERR_ALLOC_FAIL;
+-	if ((r = sshbuf_put_u32(m, 3)) != 0 ||
++	if ((r = sshbuf_put_u32(m, ext_count)) != 0 ||
+ 	    (r = sshbuf_put_cstring(m, "server-sig-algs")) != 0 ||
+-	    (r = sshbuf_put_cstring(m, ssh->kex->server_sig_algs)) != 0 ||
+-	    (r = sshbuf_put_cstring(m,
+-	    "publickey-hostbound@openssh.com")) != 0 ||
+-	    (r = sshbuf_put_cstring(m, "0")) != 0 ||
+-	    (r = sshbuf_put_cstring(m, "ping@openssh.com")) != 0 ||
++	    (r = sshbuf_put_cstring(m, ssh->kex->server_sig_algs)) != 0) {
++		error_fr(r, "compose");
++		return r;
++	}
++	if (have_key) {
++	    if ((r = sshbuf_put_cstring(m, "publickey-hostbound@openssh.com")) != 0 ||
++	        (r = sshbuf_put_cstring(m, "0")) != 0) {
++		    error_fr(r, "compose");
++		    return r;
++		}
++	}
++	if ((r = sshbuf_put_cstring(m, "ping@openssh.com")) != 0 ||
+ 	    (r = sshbuf_put_cstring(m, "0")) != 0) {
+ 		error_fr(r, "compose");
+ 		return r;
 @@ -737,6 +737,9 @@ kex_free(struct kex *kex)
  	sshbuf_free(kex->server_version);
  	sshbuf_free(kex->client_pub);
diff --git a/openssh.spec b/openssh.spec
index 6240116..dd3b823 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -658,6 +658,8 @@ test -f %{sysconfig_anaconda} && \
   Related: RHEL-42635
 - Add missing gsskeyex authentication method
   Related: RHEL-42635
+- "publickey-hostbound@openssh.com" extension makes no sense with GSS
+  Related: RHEL-42635
 
 * Fri Aug 16 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-4
 - Address SAST scan issues