From 78bb33ab57bd2fdc69a352ac78556239931abb0b Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Tue, 27 Aug 2024 13:52:28 +0200
Subject: [PATCH] Restore GSS connectivity when no hostkeys are present

Related: RHEL-42635
---
 openssh-9.8p1-gsskex-regression.patch | 33 +++++++++++++++++++++++++++
 openssh.spec                          | 10 +++++++-
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 openssh-9.8p1-gsskex-regression.patch

diff --git a/openssh-9.8p1-gsskex-regression.patch b/openssh-9.8p1-gsskex-regression.patch
new file mode 100644
index 0000000..690b77f
--- /dev/null
+++ b/openssh-9.8p1-gsskex-regression.patch
@@ -0,0 +1,33 @@
+diff -up openssh-9.8p1/sshd-session.c.xxx openssh-9.8p1/sshd-session.c
+--- openssh-9.8p1/sshd-session.c.xxx	2024-08-26 13:23:33.071882129 +0200
++++ openssh-9.8p1/sshd-session.c	2024-08-26 13:26:02.990528767 +0200
+@@ -1229,8 +1229,9 @@ main(int ac, char **av)
+ 			break;
+ 		}
+ 	}
+-	if (!have_key)
+-		fatal("internal error: monitor received no hostkeys");
++	/* The GSSAPI key exchange can run without a host key */
++	if (!have_key && !options.gss_keyex)
++		fatal("internal error: monitor received no hostkeys and GSS KEX is not configured");
+ 
+ 	/* Ensure that umask disallows at least group and world write */
+ 	new_umask = umask(0077) | 0022;
+@@ -1565,7 +1565,7 @@ do_ssh2_kex(struct ssh *ssh)
+ 	if (gss && orig)
+ 		xasprintf(&newstr, "%s,%s", gss, orig);
+ 	else if (gss)
+-		newstr = gss;
++		xasprintf(&newstr, "%s,%s", gss, "kex-strict-s-v00@openssh.com");
+ 	else if (orig)
+ 		newstr = orig;
+ 
+@@ -1575,7 +1575,7 @@ do_ssh2_kex(struct ssh *ssh)
+ 	 * host key algorithm we support
+ 	 */
+ 	if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
+-		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
++		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = xstrdup("null");
+ 
+ 	if (newstr)
+ 		myproposal[PROPOSAL_KEX_ALGS] = newstr;
diff --git a/openssh.spec b/openssh.spec
index b9f35bf..e512f61 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -39,7 +39,7 @@
 %{?static_openssl:%global static_libcrypto 1}
 
 %global openssh_ver 9.8p1
-%global openssh_rel 4
+%global openssh_rel 5
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
@@ -202,6 +202,8 @@ Patch1014: openssh-8.7p1-nohostsha1proof.patch
 
 Patch1015: openssh-9.6p1-pam-rhost.patch
 
+Patch1016: openssh-9.8p1-gsskex-regression.patch
+
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
 
@@ -379,6 +381,8 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 
 %patch -P 100 -p1 -b .coverity
 
+%patch -P 1016 -p1 -b .gss-regression
+
 autoreconf
 
 %build
@@ -653,6 +657,10 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
 
 %changelog
+* Mon Aug 26 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-5
+- Restore GSS connectivity when no hostkeys are present
+  Related: RHEL-42635
+
 * Fri Aug 16 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-4
 - Address SAST scan issues
   Resolves: RHEL-36766