diff --git a/openssh-7.6p1-audit.patch b/openssh-7.6p1-audit.patch index 2c7ddc5..a32abc9 100644 --- a/openssh-7.6p1-audit.patch +++ b/openssh-7.6p1-audit.patch @@ -2093,7 +2093,7 @@ diff -up openssh-8.6p1/sshd-session.c.audit openssh-8.6p1/sshd-session.c +#endif /* WITH_OPENSSL */ + case KEY_ED25519_CERT: + case KEY_ED25519: -+ return (k->ed25519_pk != NULL); ++ return (k->ed25519_sk != NULL); + default: + /* fatal("key_is_private: bad key type %d", k->type); */ + return 0; diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index fcd0245..8d442a4 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch @@ -701,3 +701,29 @@ diff -up openssh-9.9p1/kex.c.xxx openssh-9.9p1/kex.c if ((cp = kex_names_cat(kexalgos, ssh->kex->server ? "ext-info-s,kex-strict-s-v00@openssh.com" : "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL) +diff --color -ruNp a/ssh-keyscan.c b/ssh-keyscan.c +--- a/ssh-keyscan.c 2026-03-18 13:58:55.708193373 +0100 ++++ b/ssh-keyscan.c 2026-03-18 15:34:35.495942538 +0100 +@@ -22,6 +22,7 @@ + #ifdef WITH_OPENSSL + #include + #endif ++#include + + #include + #include +@@ -239,6 +240,14 @@ keygrab_ssh2(con *c) + char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; + int r; + ++ if (FIPS_mode()) { ++ myproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX_FIPS; ++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = KEX_FIPS_ENCRYPT; ++ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT; ++ myproposal[PROPOSAL_MAC_ALGS_CTOS] = KEX_FIPS_MAC; ++ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC; ++ } ++ + switch (c->c_keytype) { + case KT_DSA: + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ? diff --git a/openssh-9.9p1-gssapi-s4u.patch b/openssh-9.9p1-gssapi-s4u.patch index 31bf5d5..4dd3a09 100644 --- a/openssh-9.9p1-gssapi-s4u.patch +++ b/openssh-9.9p1-gssapi-s4u.patch 
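Review bot: KEY_ED25519_SK and KEY_ED25519_SK_CERT, which in OpenSSH also keep their private half in `ed25519_sk`, do not appear in this hunk; if the enclosing switch of key_is_private (it starts outside the hunk) has no case for them, they reach `default` and return 0, so destroying such a private key would not produce the audit entry this fix is about — worth confirming while the ed25519 case is being corrected. The corrected line `return (k->ed25519_sk != NULL);` itself is right: testing `ed25519_pk` reported every loaded ed25519 key, public ones included, as private, which matches the duplicate audit entry the changelog describes. The commented-out `fatal()` in the `default` branch predates this change but still reads as dead code; a comment such as `/* unknown key types are treated as public and never audited as private */` would state the intent better than the disabled call.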
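Review bot: The new `FIPS_mode()` call in keygrab_ssh2 and the header added right after the `#endif` of the `#ifdef WITH_OPENSSL` block are both unconditional, while the neighbouring include is guarded; the header name was lost in this rendering, but if it is an OpenSSL header, a build without OpenSSL will no longer compile ssh-keyscan.c. Wrapping the include and the new `if (FIPS_mode()) { ... }` block in `#ifdef WITH_OPENSSL` / `#endif` would match how this file already isolates OpenSSL-only code. The switch that follows still selects PROPOSAL_SERVER_HOST_KEY_ALGS purely from `c->c_keytype`, so in FIPS mode the scan will still propose whatever host-key algorithm the caller asked for; whether that is intended, or should be filtered the way the KEX, cipher and MAC lists now are, is worth confirming. keygrab_ssh2 continues past the end of the hunk.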
@@ -828,7 +828,7 @@ diff --color -ruNp a/sshd_config.5 b/sshd_config.5 +.Pp +The default is +.Cm no . -+.It Cm GSSAPIS42UProxyServices ++.It Cm GSSAPIProxyS4U2Services +Specifies a list of Kerberos service principals for which constrained +delegation (S4U2Proxy) tickets should be obtained after a successful +S4U2Self protocol transition. @@ -883,14 +883,14 @@ diff --color -ruNp a/sshd-session.c b/sshd-session.c restore_uid(); } + /* -+ * GSSAPIAllowS4U2Self / GSSAPIS42UProxyServices: if no credentials were stored ++ * GSSAPIAllowS4U2Self / GSSAPIProxyS4U2Services: if no credentials were stored + * above (i.e. no GSSAPI auth with delegation occurred), use S4U2Self + * to obtain an impersonated credential for the user, then optionally + * follow with S4U2Proxy for configured target services. + * + * GSSAPIAllowS4U2Self alone: store S4U2Self evidence ticket only; + * the host TGT is removed. -+ * GSSAPIS42UProxyServices alone: store host TGT and S4U2Proxy service ++ * GSSAPIProxyS4U2Services alone: store host TGT and S4U2Proxy service + * tickets; the S4U2Self evidence ticket + * is removed. + * Both: store host TGT, S4U2Self evidence ticket, @@ -961,7 +961,7 @@ diff --color -ruNp a/sshd-session.c b/sshd-session.c + * stay so that applications recognise the ccache as + * holding live Kerberos credentials. + * Remove the S4U2Self evidence ticket in proxy-only -+ * mode (GSSAPIS42UProxyServices without GSSAPIAllowS4U2Self). ++ * mode (GSSAPIProxyS4U2Services without GSSAPIAllowS4U2Self). + */ + filter = 0; + if (options.gss_allow_s4u2self && diff --git a/openssh.spec b/openssh.spec index f19714e..69cff37 100644 --- a/openssh.spec +++ b/openssh.spec 
@@ -43,7 +43,7 @@ Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: 22%{?dist}.alma.1 +Release: 23%{?dist}.alma.1 URL: http://www.openssh.com/portable.html Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -719,9 +719,17 @@ test -f %{sysconfig_anaconda} && \ %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so %changelog -* Wed Mar 18 2026 Koichiro Iwao - 9.9p1-22.alma.1 +* Wed Mar 25 2026 Koichiro Iwao - 9.9p1-23.alma.1 - Unpatch Red Hat help message +* Wed Mar 18 2026 Zoltan Fridrich - 9.9p1-23 +- Don't negotiate non-FIPS algorithms in ssh-keyscan key exchange in FIPS mode + Resolves: RHEL-88565 +- Fix duplicate audit log entry when destroying ed25519 private keys + Resolves: RHEL-46782 +- Fix typo in GSSAPIProxyS4U2Services + Related: RHEL-92932 + * Thu Mar 12 2026 Zoltan Fridrich - 9.9p1-22 - Remove recommendation of p11-kit Resolves: RHEL-139070