Unpatch Red Hat help message

openssh-10.0-mlkem-nist.patch

@@ -676,7 +676,7 @@ index 670049dcd..463d18771 100644
 +	/* generate ECDH key pair, store server pubkey after ciphertext */
 +	server_key = nist_pkey_keygen(server_key_len);
 +
-+	if ((r = get_uncompressed_ec_pubkey(server_key, server_pub, server_key_len) != 0) ||
++	if ((server_key == NULL) || (r = get_uncompressed_ec_pubkey(server_key, server_pub, server_key_len) != 0) ||
 +	    (r = sshbuf_put(buf, secret, sizeof(secret))) != 0 ||
 +	    (r = sshbuf_put(server_blob, enc_out, enc_out_len) != 0)||
 +	    (r = sshbuf_put(server_blob, server_pub, server_key_len)) != 0)

openssh-6.7p1-coverity.patch

@@ -159,6 +159,46 @@ diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openb
 diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
 --- openssh-8.5p1/readconf.c.coverity	2021-03-24 12:03:33.778968131 +0100
 +++ openssh-8.5p1/readconf.c	2021-03-24 12:03:33.785968180 +0100
+@@ -749,12 +749,12 @@ match_cfg_line(Options *options, const c
+ 	debug2("checking match for '%s' host %s originally %s",
+ 	    full_line, host, original_host);
+ 	while ((attrib = argv_next(acp, avp)) != NULL) {
+-		attrib = oattrib = xstrdup(attrib);
+ 		/* Terminate on comment */
+ 		if (*attrib == '#') {
+ 			argv_consume(acp);
+ 			break;
+ 		}
++		attrib = oattrib = xstrdup(attrib);
+ 		arg = criteria = NULL;
+ 		this_result = 1;
+ 		if ((negate = (attrib[0] == '!')))
+@@ -793,7 +793,7 @@ match_cfg_line(Options *options, const c
+ 			debug3("%.200s line %d: %smatched '%s'",
+ 			    filename, linenum,
+ 			    this_result ? "" : "not ", oattrib);
+-			continue;
++			goto next;
+ 		}
+ 
+ 		/* Keep this list in sync with below */
+@@ -863,7 +863,7 @@ match_cfg_line(Options *options, const c
+ 				debug3("%.200s line %d: skipped exec "
+ 				    "\"%.100s\"", filename, linenum, cmd);
+ 				free(cmd);
+-				continue;
++				goto next;
+ 			}
+ 			r = execute_in_shell(cmd);
+ 			if (r == -1) {
+@@ -887,6 +887,7 @@ match_cfg_line(Options *options, const c
+ 		    criteria == NULL ? "" : " \"",
+ 		    criteria == NULL ? "" : criteria,
+ 		    criteria == NULL ? "" : "\"");
++next:
+ 		free(criteria);
+ 		free(oattrib);
+ 		oattrib = attrib = NULL;
 @@ -1847,6 +1847,7 @@ parse_pubkey_algos:
  			} else if (r != 0) {
  				error("%.200s line %d: glob failed for %s.",
@@ -170,6 +210,108 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
 diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
 --- openssh-7.4p1/servconf.c.coverity	2016-12-23 16:40:26.896788690 +0100
 +++ openssh-7.4p1/servconf.c	2016-12-23 16:40:26.901788691 +0100
+@@ -1120,12 +1120,12 @@ match_cfg_line(const char *full_line, in
+ 	}
+ 
+ 	while ((oattrib = argv_next(acp, avp)) != NULL) {
+-		attrib = xstrdup(oattrib);
+ 		/* Terminate on comment */
+-		if (*attrib == '#') {
++		if (*oattrib == '#') {
+ 			argv_consume(acp); /* mark all arguments consumed */
+ 			break;
+ 		}
++		attrib = xstrdup(oattrib);
+ 		arg = NULL;
+ 		attributes++;
+ 		/* Criterion "all" has no argument and must appear alone */
+@@ -1147,13 +1147,13 @@ match_cfg_line(const char *full_line, in
+ 		if (strcasecmp(attrib, "invalid-user") == 0) {
+ 			if (ci == NULL) {
+ 				result = 0;
+-				continue;
++				goto next;
+ 			}
+ 			if (ci->user_invalid == 0)
+ 				result = 0;
+ 			else
+ 				debug("matched invalid-user at line %d", line);
+-			continue;
++			goto next;
+ 		}
+ 
+ 		/* Keep this list in sync with below */
+@@ -1179,7 +1179,7 @@ match_cfg_line(const char *full_line, in
+ 		if (strcasecmp(attrib, "user") == 0) {
+ 			if (ci == NULL || (ci->test && ci->user == NULL)) {
+ 				result = 0;
+-				continue;
++				goto next;
+ 			}
+ 			if (ci->user == NULL)
+ 				match_test_missing_fatal("User", "user");
+@@ -1191,7 +1191,7 @@ match_cfg_line(const char *full_line, in
+ 		} else if (strcasecmp(attrib, "group") == 0) {
+ 			if (ci == NULL || (ci->test && ci->user == NULL)) {
+ 				result = 0;
+-				continue;
++				goto next;
+ 			}
+ 			if (ci->user == NULL)
+ 				match_test_missing_fatal("Group", "user");
+@@ -1205,7 +1205,7 @@ match_cfg_line(const char *full_line, in
+ 		} else if (strcasecmp(attrib, "host") == 0) {
+ 			if (ci == NULL || (ci->test && ci->host == NULL)) {
+ 				result = 0;
+-				continue;
++				goto next;
+ 			}
+ 			if (ci->host == NULL)
+ 				match_test_missing_fatal("Host", "host");
+@@ -1220,7 +1220,7 @@ match_cfg_line(const char *full_line, in
+ 					fatal("Invalid Match address argument "
+ 					    "'%s' at line %d", arg, line);
+ 				result = 0;
+-				continue;
++				goto next;
+ 			}
+ 			if (ci->address == NULL)
+ 				match_test_missing_fatal("Address", "addr");
+@@ -1244,7 +1244,7 @@ match_cfg_line(const char *full_line, in
+ 					    "argument '%s' at line %d", arg,
+ 					    line);
+ 				result = 0;
+-				continue;
++				goto next;
+ 			}
+ 			if (ci->laddress == NULL)
+ 				match_test_missing_fatal("LocalAddress",
+@@ -1272,7 +1272,7 @@ match_cfg_line(const char *full_line, in
+ 			}
+ 			if (ci == NULL || (ci->test && ci->lport == -1)) {
+ 				result = 0;
+-				continue;
++				goto next;
+ 			}
+ 			if (ci->lport == 0)
+ 				match_test_missing_fatal("LocalPort", "lport");
+@@ -1286,7 +1286,7 @@ match_cfg_line(const char *full_line, in
+ 		} else if (strcasecmp(attrib, "rdomain") == 0) {
+ 			if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
+ 				result = 0;
+-				continue;
++				goto next;
+ 			}
+ 			if (ci->rdomain == NULL)
+ 				match_test_missing_fatal("RDomain", "rdomain");
+@@ -1300,6 +1300,7 @@ match_cfg_line(const char *full_line, in
+ 			result = -1;
+ 			goto out;
+ 		}
++next:
+ 		free(attrib);
+ 		attrib = NULL;
+ 	}
 @@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
  		if (*activep && *charptr == NULL) {
  			*charptr = tilde_expand_filename(arg, getuid());
@@ -246,3 +388,22 @@ diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c
  		} else {
  			if (strncasecmp(cp, "key:", 4) == 0) {
  				cp += 4;
+diff --color -ruNp a/sshd.c b/sshd.c
+--- a/sshd.c	2026-04-01 14:29:14.186736233 +0200
++++ b/sshd.c	2026-04-01 14:36:59.136881819 +0200
+@@ -1079,6 +1079,7 @@ server_accept_loop(int *sock_in, int *so
+ 				send_rexec_state(config_s[0], cfg);
+ 				close(config_s[0]);
+ 				free(pfd);
++				free(startup_pollfd);
+ 				return;
+ 			}
+ 
+@@ -1111,6 +1112,7 @@ server_accept_loop(int *sock_in, int *so
+ 				    log_stderr);
+ 				close(config_s[0]);
+ 				free(pfd);
++				free(startup_pollfd);
+ 				return;
+ 			}
+ 

openssh-9.9p1-authorized-keys-principles-option.patch

@@ -0,0 +1,45 @@
+diff --color -ruNp a/auth2-pubkeyfile.c b/auth2-pubkeyfile.c
+--- a/auth2-pubkeyfile.c	2024-09-20 00:20:48.000000000 +0200
++++ b/auth2-pubkeyfile.c	2026-04-09 14:38:41.697178612 +0200
+@@ -50,6 +50,7 @@
+ #include "authfile.h"
+ #include "match.h"
+ #include "ssherr.h"
++#include "xmalloc.h"
+ 
+ int
+ auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts,
+@@ -146,20 +147,23 @@ auth_authorise_keyopts(struct passwd *pw
+ static int
+ match_principals_option(const char *principal_list, struct sshkey_cert *cert)
+ {
+-	char *result;
++	char *list, *olist, *entry;
+ 	u_int i;
+ 
+-	/* XXX percent_expand() sequences for authorized_principals? */
+-
+-	for (i = 0; i < cert->nprincipals; i++) {
+-		if ((result = match_list(cert->principals[i],
+-		    principal_list, NULL)) != NULL) {
+-			debug3("matched principal from key options \"%.100s\"",
+-			    result);
+-			free(result);
+-			return 1;
++	olist = list = xstrdup(principal_list);
++	for (;;) {
++		if ((entry = strsep(&list, ",")) == NULL || *entry == '\0')
++			break;
++		for (i = 0; i < cert->nprincipals; i++) {
++			if (strcmp(entry, cert->principals[i]) == 0) {
++				debug3("matched principal from key i"
++				    "options \"%.100s\"", entry);
++				free(olist);
++				return 1;
++			}
+ 		}
+ 	}
++	free(olist);
+ 	return 0;
+ }
+ 

openssh-9.9p1-ecdsa-incomplete-application.patch

@@ -0,0 +1,103 @@
+diff --color -ruNp a/auth2-hostbased.c b/auth2-hostbased.c
+--- a/auth2-hostbased.c	2026-04-09 13:22:28.114045749 +0200
++++ b/auth2-hostbased.c	2026-04-09 14:34:44.876393822 +0200
+@@ -96,9 +96,10 @@ userauth_hostbased(struct ssh *ssh, cons
+ 		error_f("cannot decode key: %s", pkalg);
+ 		goto done;
+ 	}
+-	if (key->type != pktype) {
+-		error_f("type mismatch for decoded key "
+-		    "(received %d, expected %d)", key->type, pktype);
++	if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
++	    sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
++		error_f("key type mismatch for decoded key "
++		    "(received %s, expected %s)", sshkey_ssh_name(key), pkalg);
+ 		goto done;
+ 	}
+ 	if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) {
+diff --color -ruNp a/auth2-pubkey.c b/auth2-pubkey.c
+--- a/auth2-pubkey.c	2026-04-09 13:22:28.157194118 +0200
++++ b/auth2-pubkey.c	2026-04-09 14:35:48.997689347 +0200
+@@ -152,9 +152,10 @@ userauth_pubkey(struct ssh *ssh, const c
+ 		error_f("cannot decode key: %s", pkalg);
+ 		goto done;
+ 	}
+-	if (key->type != pktype) {
+-		error_f("type mismatch for decoded key "
+-		    "(received %d, expected %d)", key->type, pktype);
++	if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
++	    sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
++		error_f("key type mismatch for decoded key "
++		    "(received %s, expected %s)", sshkey_ssh_name(key), pkalg);
+ 		goto done;
+ 	}
+ 	if (auth2_key_already_used(authctxt, key)) {
+diff --color -ruNp a/sshconnect2.c b/sshconnect2.c
+--- a/sshconnect2.c	2026-04-09 13:22:28.193412553 +0200
++++ b/sshconnect2.c	2026-04-09 14:42:37.644945762 +0200
+@@ -91,6 +91,7 @@ extern Options options;
+ static char *xxx_host;
+ static struct sockaddr *xxx_hostaddr;
+ static const struct ssh_conn_info *xxx_conn_info;
++static int key_type_allowed(struct sshkey *, const char *);
+ 
+ static int
+ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+@@ -100,6 +101,10 @@ verify_host_key_callback(struct sshkey *
+ 	if ((r = sshkey_check_rsa_length(hostkey,
+ 	    options.required_rsa_size)) != 0)
+ 		fatal_r(r, "Bad server host key");
++	if (!key_type_allowed(hostkey, options.hostkeyalgorithms)) {
++		fatal("Server host key %s not in HostKeyAlgorithms",
++		    sshkey_ssh_name(hostkey));
++	}
+ 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+ 	    xxx_conn_info) != 0)
+ 		fatal("Host key verification failed.");
+@@ -1776,34 +1781,37 @@ load_identity_file(Identity *id)
+ }
+ 
+ static int
+-key_type_allowed_by_config(struct sshkey *key)
++key_type_allowed(struct sshkey *key, const char *allowlist)
+ {
+-	if (match_pattern_list(sshkey_ssh_name(key),
+-	    options.pubkey_accepted_algos, 0) == 1)
++	if (match_pattern_list(sshkey_ssh_name(key), allowlist, 0) == 1)
+ 		return 1;
+ 
+ 	/* RSA keys/certs might be allowed by alternate signature types */
+ 	switch (key->type) {
+ 	case KEY_RSA:
+-		if (match_pattern_list("rsa-sha2-512",
+-		    options.pubkey_accepted_algos, 0) == 1)
++		if (match_pattern_list("rsa-sha2-512", allowlist, 0) == 1)
+ 			return 1;
+-		if (match_pattern_list("rsa-sha2-256",
+-		    options.pubkey_accepted_algos, 0) == 1)
++		if (match_pattern_list("rsa-sha2-256", allowlist, 0) == 1)
+ 			return 1;
+ 		break;
+ 	case KEY_RSA_CERT:
+ 		if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
+-		    options.pubkey_accepted_algos, 0) == 1)
++		    allowlist, 0) == 1)
+ 			return 1;
+ 		if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
+-		    options.pubkey_accepted_algos, 0) == 1)
++		    allowlist, 0) == 1)
+ 			return 1;
+ 		break;
+ 	}
+ 	return 0;
+ }
+ 
++static int
++key_type_allowed_by_config(struct sshkey *key)
++{
++	return key_type_allowed(key, options.pubkey_accepted_algos);
++}
++
+ /* obtain a list of keys from the agent */
+ static int
+ get_agent_identities(struct ssh *ssh, int *agent_fdp,

openssh-9.9p1-fill-default-options-error.patch

@@ -0,0 +1,24 @@
+diff --color -ruNp a/readconf.c b/readconf.c
+--- a/readconf.c	2026-04-02 15:36:49.624394836 +0200
++++ b/readconf.c	2026-04-02 15:43:15.115047190 +0200
+@@ -2779,7 +2779,7 @@ fill_default_options(Options * options)
+ {
+ 	char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
+ 	char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
+-	int ret = 0, r;
++	int ret = 0;
+ 
+ 	if (options->forward_agent == -1)
+ 		options->forward_agent = 0;
+@@ -2989,9 +2989,9 @@ fill_default_options(Options * options)
+ 	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
+ #define ASSEMBLE(what, defaults, all) \
+ 	do { \
+-		if ((r = kex_assemble_names(&options->what, \
++		if ((ret = kex_assemble_names(&options->what, \
+ 		    defaults, all)) != 0) { \
+-			error_fr(r, "%s", #what); \
++			error_fr(ret, "%s", #what); \
+ 			goto fail; \
+ 		} \
+ 	} while (0)

openssh-9.9p1-gssapi-s4u.patch

@@ -55,7 +55,7 @@ diff --color -ruNp a/gss-serv.c b/gss-serv.c
  
  ssh_gssapi_mech gssapi_null_mech =
      { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL};
-@@ -486,26 +486,351 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
+@@ -486,26 +486,382 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
  	return (ctx->major);
  }
  
@@ -184,12 +184,43 @@ diff --color -ruNp a/gss-serv.c b/gss-serv.c
 +	    (unsigned)getuid(), (unsigned)geteuid(), lname);
 +#ifdef HAVE_GSS_ACQUIRE_CRED_FROM
 +	{
++# if defined(KRB5)
++		/*
++		 * Resolve the keytab path: krb5_kt_default_name respects
++		 * KRB5_KTNAME and krb5.conf default_keytab_name.
++		 */
++		char keytab_name[MAXPATHLEN];
++		krb5_context tmp_ctx;
++
++
++		keytab_name[0] = '\0';
++		if (krb5_init_context(&tmp_ctx) == 0) {
++			(void)krb5_kt_default_name(tmp_ctx, keytab_name,
++			    sizeof(keytab_name));
++			krb5_free_context(tmp_ctx);
++		}
++		if (keytab_name[0] == '\0')
++			strlcpy(keytab_name, "FILE:/etc/krb5.keytab",
++			    sizeof(keytab_name));
++		/*
++		 * client_keytab lets GSSAPI do AS-REQ to obtain a TGT for the
++		 * host principal (initiator role needed for S4U2Self).
++		 * keytab covers the acceptor role.
++		 * ccache: MEMORY: keeps the resulting TGT volatile.
++		 */
 +		gss_key_value_element_desc store_elements[] = {
-+			{ "client_keytab", "/etc/krb5.keytab" },
-+			{ "keytab",        "/etc/krb5.keytab" },
-+			{ "ccache",        "MEMORY:"          },
++			{ "client_keytab", keytab_name },
++			{ "keytab", keytab_name },
++			{ "ccache", "MEMORY:" },
 +		};
 +		const gss_key_value_set_desc cred_store = { 3, store_elements };
++# else
++		gss_key_value_element_desc store_elements[] = {
++			{ "ccache", "MEMORY:" },
++		};
++		const gss_key_value_set_desc cred_store = { 1, store_elements };
++# endif
++
 +
 +		major = gss_acquire_cred_from(&minor, host_name, lifetime,
 +		    oidset, GSS_C_BOTH, &cred_store, &host_creds, NULL, NULL);

openssh-9.9p1-mux-askpass-check.patch

@@ -0,0 +1,20 @@
+diff --color -ruNp a/mux.c b/mux.c
+--- a/mux.c	2024-09-20 00:20:48.000000000 +0200
++++ b/mux.c	2026-04-09 15:02:36.016198814 +0200
+@@ -1137,6 +1137,16 @@ mux_master_process_proxy(struct ssh *ssh
+ 
+ 	debug_f("channel %d: proxy request", c->self);
+ 
++	if (options.control_master == SSHCTL_MASTER_ASK ||
++	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
++		if (!ask_permission("Allow multiplex proxy connection?")) {
++			debug2_f("proxy refused by user");
++			reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
++			    "Permission denied");
++			return 0;
++		}
++	}
++
+ 	c->mux_rcb = channel_proxy_downstream;
+ 	if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 ||
+ 	    (r = sshbuf_put_u32(reply, rid)) != 0)

openssh-9.9p1-proxyjump-username-validity-checks.patch

@@ -0,0 +1,402 @@
+diff --color -ruNp a/readconf.c b/readconf.c
+--- a/readconf.c	2026-04-10 15:42:50.693725820 +0200
++++ b/readconf.c	2026-04-10 15:49:57.441110287 +0200
+@@ -1533,9 +1533,6 @@ parse_char_array:
+ 
+ 	case oProxyCommand:
+ 		charptr = &options->proxy_command;
+-		/* Ignore ProxyCommand if ProxyJump already specified */
+-		if (options->jump_host != NULL)
+-			charptr = &options->jump_host; /* Skip below */
+ parse_command:
+ 		if (str == NULL) {
+ 			error("%.200s line %d: Missing argument.",
+@@ -1556,7 +1553,7 @@ parse_command:
+ 		}
+ 		len = strspn(str, WHITESPACE "=");
+ 		/* XXX use argv? */
+-		if (parse_jump(str + len, options, *activep) == -1) {
++		if (parse_jump(str + len, options, cmdline, *activep) == -1) {
+ 			error("%.200s line %d: Invalid ProxyJump \"%s\"",
+ 			    filename, linenum, str + len);
+ 			goto out;
+@@ -3370,65 +3367,116 @@ parse_forward(struct Forward *fwd, const
+ }
+ 
+ int
+-parse_jump(const char *s, Options *o, int active)
++ssh_valid_hostname(const char *s)
+ {
+-	char *orig, *sdup, *cp;
+-	char *host = NULL, *user = NULL;
+-	int r, ret = -1, port = -1, first;
++	size_t i;
+ 
+-	active &= o->proxy_command == NULL && o->jump_host == NULL;
++	if (*s == '-')
++		return 0;
++	for (i = 0; s[i] != 0; i++) {
++		if (strchr("'`\"$\\;&<>|(){},", s[i]) != NULL ||
++		    isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++			return 0;
++	}
++	return 1;
++}
+ 
+-	orig = sdup = xstrdup(s);
++int
++ssh_valid_ruser(const char *s)
++{
++	size_t i;
++
++	if (*s == '-')
++		return 0;
++	for (i = 0; s[i] != 0; i++) {
++		if (iscntrl((u_char)s[i]))
++			return 0;
++		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++			return 0;
++		/* Disallow '-' after whitespace */
++		if (isspace((u_char)s[i]) && s[i + 1] == '-')
++			return 0;
++		/* Disallow \ in last position */
++		if (s[i] == '\\' && s[i + 1] == '\0')
++			return 0;
++	}
++	return 1;
++}
++
++int
++parse_jump(const char *s, Options *o, int strict, int active)
++{
++	char *orig = NULL, *sdup = NULL, *cp;
++	char *tmp_user = NULL, *tmp_host = NULL, *host = NULL, *user = NULL;
++	int r, ret = -1, tmp_port = -1, port = -1, first = 1;
++
++	if (strcasecmp(s, "none") == 0) {
++		if (active && o->jump_host == NULL) {
++			o->jump_host = xstrdup("none");
++			o->jump_port = 0;
++		}
++		return 0;
++	}
+ 
+-	/* Remove comment and trailing whitespace */
++	orig = xstrdup(s);
+ 	if ((cp = strchr(orig, '#')) != NULL)
+ 		*cp = '\0';
+ 	rtrim(orig);
+ 
+-	first = active;
++	active &= o->proxy_command == NULL && o->jump_host == NULL;
++	sdup = xstrdup(orig);
+ 	do {
+-		if (strcasecmp(s, "none") == 0)
+-			break;
++		/* Work backwards through string */
+ 		if ((cp = strrchr(sdup, ',')) == NULL)
+ 			cp = sdup; /* last */
+ 		else
+ 			*cp++ = '\0';
+ 
+-		if (first) {
+-			/* First argument and configuration is active */
+-			r = parse_ssh_uri(cp, &user, &host, &port);
+-			if (r == -1 || (r == 1 &&
+-			    parse_user_host_port(cp, &user, &host, &port) != 0))
++		r = parse_ssh_uri(cp, &tmp_user, &tmp_host, &tmp_port);
++		if (r == -1 || (r == 1 && parse_user_host_port(cp,
++		    &tmp_user, &tmp_host, &tmp_port) != 0))
++			goto out; /* error already logged */
++		if (strict) {
++			if (!ssh_valid_hostname(tmp_host)) {
++				error_f("invalid hostname \"%s\"", tmp_host);
+ 				goto out;
+-		} else {
+-			/* Subsequent argument or inactive configuration */
+-			r = parse_ssh_uri(cp, NULL, NULL, NULL);
+-			if (r == -1 || (r == 1 &&
+-			    parse_user_host_port(cp, NULL, NULL, NULL) != 0))
++			}
++			if (tmp_user != NULL && !ssh_valid_ruser(tmp_user)) {
++				error_f("invalid username \"%s\"", tmp_user);
+ 				goto out;
++			}
++		}
++		if (first) {
++			user = tmp_user;
++			host = tmp_host;
++			port = tmp_port;
++			tmp_user = tmp_host = NULL; /* transferred */
+ 		}
+ 		first = 0; /* only check syntax for subsequent hosts */
++		free(tmp_user);
++		free(tmp_host);
++		tmp_user = tmp_host = NULL;
++		tmp_port = -1;
+ 	} while (cp != sdup);
++
+ 	/* success */
+ 	if (active) {
+-		if (strcasecmp(s, "none") == 0) {
+-			o->jump_host = xstrdup("none");
+-			o->jump_port = 0;
+-		} else {
+-			o->jump_user = user;
+-			o->jump_host = host;
+-			o->jump_port = port;
+-			o->proxy_command = xstrdup("none");
+-			user = host = NULL;
+-			if ((cp = strrchr(s, ',')) != NULL && cp != s) {
+-				o->jump_extra = xstrdup(s);
+-				o->jump_extra[cp - s] = '\0';
+-			}
++		o->jump_user = user;
++		o->jump_host = host;
++		o->jump_port = port;
++		o->proxy_command = xstrdup("none");
++		user = host = NULL; /* transferred */
++		if (orig != NULL && (cp = strrchr(orig, ',')) != NULL) {
++			o->jump_extra = xstrdup(orig);
++			o->jump_extra[cp - orig] = '\0';
+ 		}
+ 	}
+ 	ret = 0;
+  out:
+ 	free(orig);
++	free(sdup);
++	free(tmp_user);
++	free(tmp_host);
+ 	free(user);
+ 	free(host);
+ 	return ret;
+diff --color -ruNp a/readconf.h b/readconf.h
+--- a/readconf.h	2026-04-10 15:42:50.470697714 +0200
++++ b/readconf.h	2026-04-10 15:49:57.442110306 +0200
+@@ -249,7 +249,9 @@ int	 process_config_line(Options *, stru
+ int	 read_config_file(const char *, struct passwd *, const char *,
+     const char *, Options *, int, int *);
+ int	 parse_forward(struct Forward *, const char *, int, int);
+-int	 parse_jump(const char *, Options *, int);
++int	 ssh_valid_hostname(const char *);
++int	 ssh_valid_ruser(const char *);
++int	 parse_jump(const char *, Options *, int, int);
+ int	 parse_ssh_uri(const char *, char **, char **, int *);
+ int	 default_ssh_port(void);
+ int	 option_clear_or_none(const char *);
+diff --color -ruNp a/regress/Makefile b/regress/Makefile
+--- a/regress/Makefile	2026-04-10 15:42:50.533815702 +0200
++++ b/regress/Makefile	2026-04-10 16:07:30.566094450 +0200
+@@ -111,7 +111,8 @@ LTESTS= 	connect \
+ 		agent-pkcs11-restrict \
+ 		agent-pkcs11-cert \
+ 		penalty \
+-		penalty-expire
++		penalty-expire \
++		proxyjump
+ 
+ INTEROP_TESTS=	putty-transfer putty-ciphers putty-kex conch-ciphers
+ INTEROP_TESTS+=	dropbear-ciphers dropbear-kex
+diff --color -ruNp a/regress/proxyjump.sh b/regress/proxyjump.sh
+--- a/regress/proxyjump.sh	1970-01-01 01:00:00.000000000 +0100
++++ b/regress/proxyjump.sh	2026-04-10 16:07:55.225958206 +0200
+@@ -0,0 +1,102 @@
++#	$OpenBSD: proxyjump.sh,v 1.1 2026/03/30 07:19:02 djm Exp $
++#	Placed in the Public Domain.
++
++tid="proxyjump"
++
++# Parsing tests
++verbose "basic parsing"
++for jspec in \
++	"jump1" \
++	"user@jump1" \
++	"jump1:2222" \
++	"user@jump1:2222" \
++	"jump1,jump2" \
++	"user1@jump1:2221,user2@jump2:2222" \
++	"ssh://user@host:2223" \
++	; do
++	case "$jspec" in
++	"jump1")		expected="jump1" ;;
++	"user@jump1")		expected="user@jump1" ;;
++	"jump1:2222")		expected="jump1:2222" ;;
++	"user@jump1:2222")	expected="user@jump1:2222" ;;
++	"jump1,jump2")		expected="jump1,jump2" ;;
++	"user1@jump1:2221,user2@jump2:2222")
++		expected="user1@jump1:2221,user2@jump2:2222" ;;
++	"ssh://user@host:2223")	expected="user@host:2223" ;;
++	esac
++	f=`${SSH} -GF /dev/null -oProxyJump="$jspec" somehost | \
++		awk '/^proxyjump /{print $2}'`
++	if [ "$f" != "$expected" ]; then
++		fail "ProxyJump $jspec: expected $expected, got $f"
++	fi
++	f=`${SSH} -GF /dev/null -J "$jspec" somehost | \
++		awk '/^proxyjump /{print $2}'`
++	if [ "$f" != "$expected" ]; then
++		fail "ssh -J $jspec: expected $expected, got $f"
++	fi
++done
++
++verbose "precedence"
++f=`${SSH} -GF /dev/null -oProxyJump=none -oProxyJump=jump1 somehost | \
++	grep "^proxyjump "`
++if [ -n "$f" ]; then
++	fail "ProxyJump=none first did not win"
++fi
++f=`${SSH} -GF /dev/null -oProxyJump=jump -oProxyCommand=foo somehost | \
++	grep "^proxyjump "`
++if [ "$f" != "proxyjump jump" ]; then
++	fail "ProxyJump first did not win over ProxyCommand"
++fi
++f=`${SSH} -GF /dev/null -oProxyCommand=foo -oProxyJump=jump somehost | \
++	grep "^proxycommand "`
++if [ "$f" != "proxycommand foo" ]; then
++	fail "ProxyCommand first did not win over ProxyJump"
++fi
++
++verbose "command-line -J invalid characters"
++cp $OBJ/ssh_config $OBJ/ssh_config.orig
++for jspec in \
++	"host;with;semicolon" \
++	"host'with'quote" \
++	"host\`with\`backtick" \
++	"host\$with\$dollar" \
++	"host(with)brace" \
++	"user;with;semicolon@host" \
++	"user'with'quote@host" \
++	"user\`with\`backtick@host" \
++	"user(with)brace@host" ; do
++	${SSH} -GF /dev/null -J "$jspec" somehost >/dev/null 2>&1
++	if [ $? -ne 255 ]; then
++		fail "ssh -J \"$jspec\" was not rejected"
++	fi
++	${SSH} -GF /dev/null -oProxyJump="$jspec" somehost >/dev/null 2>&1
++	if [ $? -ne 255 ]; then
++		fail "ssh -oProxyJump=\"$jspec\" was not rejected"
++	fi
++done
++# Special characters should be accepted in the config though.
++echo "ProxyJump user;with;semicolon@host;with;semicolon" >> $OBJ/ssh_config
++f=`${SSH} -GF $OBJ/ssh_config somehost | grep "^proxyjump "`
++if [ "$f" != "proxyjump user;with;semicolon@host;with;semicolon" ]; then
++	fail "ProxyJump did not allow special characters in config: $f"
++fi
++
++verbose "functional test"
++# Use different names to avoid the loop detection in ssh.c
++grep -iv HostKeyAlias $OBJ/ssh_config.orig > $OBJ/ssh_config
++cat << _EOF >> $OBJ/ssh_config
++Host jump-host
++	HostkeyAlias jump-host
++Host target-host
++	HostkeyAlias target-host
++_EOF
++cp $OBJ/known_hosts $OBJ/known_hosts.orig
++sed 's/^[^ ]* /jump-host /' < $OBJ/known_hosts.orig > $OBJ/known_hosts
++sed 's/^[^ ]* /target-host /' < $OBJ/known_hosts.orig >> $OBJ/known_hosts
++start_sshd
++
++verbose "functional ProxyJump"
++res=`${REAL_SSH} -F $OBJ/ssh_config -J jump-host target-host echo "SUCCESS" 2>/dev/null`
++if [ "$res" != "SUCCESS" ]; then
++	fail "functional test failed: expected SUCCESS, got $res"
++fi
+diff --color -ruNp a/ssh.c b/ssh.c
+--- a/ssh.c	2026-04-10 15:42:50.657913189 +0200
++++ b/ssh.c	2026-04-10 16:04:07.489047966 +0200
+@@ -639,43 +639,6 @@ ssh_conn_info_free(struct ssh_conn_info
+ 	free(cinfo);
+ }
+ 
+-static int
+-valid_hostname(const char *s)
+-{
+-	size_t i;
+-
+-	if (*s == '-')
+-		return 0;
+-	for (i = 0; s[i] != 0; i++) {
+-		if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
+-		    isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
+-			return 0;
+-	}
+-	return 1;
+-}
+-
+-static int
+-valid_ruser(const char *s)
+-{
+-	size_t i;
+-
+-	if (*s == '-')
+-		return 0;
+-	for (i = 0; s[i] != 0; i++) {
+-		if (iscntrl((u_char)s[i]))
+-			return 0;
+-		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+-			return 0;
+-		/* Disallow '-' after whitespace */
+-		if (isspace((u_char)s[i]) && s[i + 1] == '-')
+-			return 0;
+-		/* Disallow \ in last position */
+-		if (s[i] == '\\' && s[i + 1] == '\0')
+-			return 0;
+-	}
+-	return 1;
+-}
+-
+ /*
+  * Main program for the ssh client.
+  */
+@@ -931,9 +894,9 @@ main(int ac, char **av)
+ 			}
+ 			if (options.proxy_command != NULL)
+ 				fatal("Cannot specify -J with ProxyCommand");
+-			if (parse_jump(optarg, &options, 1) == -1)
++			if (parse_jump(optarg, &options, 1, 1) == -1)
++
+ 				fatal("Invalid -J argument");
+-			options.proxy_command = xstrdup("none");
+ 			break;
+ 		case 't':
+ 			if (options.request_tty == REQUEST_TTY_YES)
+@@ -1183,10 +1146,15 @@ main(int ac, char **av)
+ 	if (!host)
+ 		usage();
+ 
+-	if (!valid_hostname(host))
+-		fatal("hostname contains invalid characters");
+-	if (options.user != NULL && !valid_ruser(options.user))
++	/*
++	 * Validate commandline-specified values that end up in %tokens
++	 * before they are used in config parsing.
++	 */
++	if (options.user != NULL && !ssh_valid_ruser(options.user))
+ 		fatal("remote username contains invalid characters");
++	if (!ssh_valid_hostname(host))
++		fatal("hostname contains invalid characters");
++
+ 	options.host_arg = xstrdup(host);
+ 
+ 	/* Initialize the command to execute on remote host. */
+@@ -1347,7 +1315,8 @@ main(int ac, char **av)
+ 			sshbin = "ssh";
+ 
+ 		/* Consistency check */
+-		if (options.proxy_command != NULL)
++		if (options.proxy_command != NULL &&
++		    strcasecmp(options.proxy_command, "none") != 0)
+ 			fatal("inconsistent options: ProxyCommand+ProxyJump");
+ 		/* Never use FD passing for ProxyJump */
+ 		options.proxy_use_fdpass = 0;
+@@ -1467,7 +1436,7 @@ main(int ac, char **av)
+ 	cinfo->jmphost = xstrdup(options.jump_host == NULL ?
+ 	    "" : options.jump_host);
+ 
+-	if (user_on_commandline && !valid_ruser(options.user))
++	if (user_on_commandline && !ssh_valid_ruser(options.user))
+ 		fatal("remote username contains invalid characters");
+ 
+ 	cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost,

openssh-9.9p1-scp-clear-setuid.patch

@@ -0,0 +1,15 @@
+diff --color -ruNp a/scp.c b/scp.c
+--- a/scp.c	2026-04-07 15:54:11.193730842 +0200
++++ b/scp.c	2026-04-07 15:55:52.529425481 +0200
+@@ -1705,8 +1705,10 @@ sink(int argc, char **argv, const char *
+ 
+ 	setimes = targisdir = 0;
+ 	mask = umask(0);
+-	if (!pflag)
++	if (!pflag) {
++		mask |= 07000;
+ 		(void) umask(mask);
++	}
+ 	if (argc != 1) {
+ 		run_err("ambiguous target");
+ 		exit(1);

openssh.spec

@@ -43,7 +43,7 @@
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: 24%{?dist}.alma.1
+Release: 26%{?dist}.alma.1
 URL: http://www.openssh.com/portable.html
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -237,6 +237,21 @@ Patch1037: openssh-9.9p1-first-match-wins.patch
 # upstream eddd1d2daa64a6ab1a915ca88436fa41aede44d4
 # upstream bc328144f149af07139a0f2c1329018cd85b86b7
 Patch1038: openssh-9.9p1-maxstartups-mistracking.patch
+# https://github.com/openssh/openssh-portable/pull/649
+Patch1039: openssh-9.9p1-fill-default-options-error.patch
+# upstream 487e8ac146f7d6616f65c125d5edb210519b833a
+Patch1040: openssh-9.9p1-scp-clear-setuid.patch
+# upstream c805b97b67c774e0bf922ffb29dfbcda9d7b5add
+Patch1041: openssh-9.9p1-mux-askpass-check.patch
+# upstream fd1c7e131f331942d20f42f31e79912d570081fa
+Patch1042: openssh-9.9p1-ecdsa-incomplete-application.patch
+# upstream fd1c7e131f331942d20f42f31e79912d570081fa
+Patch1043: openssh-9.9p1-authorized-keys-principles-option.patch
+# upstream 76685c9b09a66435cd2ad8373246adf1c53976d3
+# upstream 0a0ef4515361143cad21afa072319823854c1cf6
+# upstream 607bd871ec029e9aa22e632a22547250f3cae223
+# upstream 1340d3fa8e4bb122906a82159c4c9b91584d65ce
+Patch1044: openssh-9.9p1-proxyjump-username-validity-checks.patch
 
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND snprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -439,6 +454,12 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1036 -p1 -b .gssapi-s4u
 %patch -P 1037 -p1 -b .first-match-wins
 %patch -P 1038 -p1 -b .maxstartups-mistracking
+%patch -P 1039 -p1 -b .fill-default-options-error
+%patch -P 1040 -p1 -b .scp-clear-setuid
+%patch -P 1041 -p1 -b .mux-askpass-check
+%patch -P 1042 -p1 -b .ecdsa-incomplete-application
+%patch -P 1043 -p1 -b .authorized-keys-principles-option
+%patch -P 1044 -p1 -b .proxyjump-username-validity-checks
 
 %patch -P 100 -p1 -b .coverity
 
@@ -719,9 +740,35 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
 
 %changelog
-* Sat Mar 28 2026 Koichiro Iwao <meta@almalinux.org> - 9.9p1-24.alma.1
+* Wed Apr 15 2026 Koichiro Iwao <meta@almalinux.org> - 9.9p1-26.alma.1
 - Unpatch Red Hat help message
 
+* Tue Apr 14 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-26
+- Improve keytab detection when obtaining Kerberos tickets on behalf of user on SSH authentication
+  Related: RHEL-92932
+- Add missing NULL check for server key generation in ML-KEM hybrids
+  Resolves: RHEL-168106
+
+* Wed Apr 01 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-25
+- Fix static analysis issues
+  Resolves: RHEL-163365
+- Ssh should refuse connection when mlkem kex is specified in FIPS
+  Resolves: RHEL-155178
+- CVE-2026-35385: Fix privilege escalation via scp legacy protocol
+  when not in preserving file mode
+  Resolves: RHEL-164740
+- CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode
+  multiplexing sessions
+  Resolves: RHEL-166239
+- CVE-2026-35387: Fix incomplete application of PubkeyAcceptedAlgorithms
+  and HostbasedAcceptedAlgorithms with regard to ECDSA keys
+  Resolves: RHEL-166223
+- CVE-2026-35414: Fix mishandling of authorized_keys principals option
+  Resolves: RHEL-166191
+- CVE-2026-35386: Add validation rules to usernames and hostnames
+  set for ProxyJump/-J on the commandline
+  Resolves: RHEL-166207
+
 * Fri Mar 27 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-24
 - Fix typo in SPDX license name
   Resolves: RHEL-161464