Implement obtaining Kerberos tickets on behalf of user on SSH authentication

Resolves: RHEL-92932

openssh.spec

@@ -43,7 +43,7 @@
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: 20%{?dist}
+Release: 21%{?dist}
 URL: http://www.openssh.com/portable.html
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -227,6 +227,7 @@ Patch1032: openssh-9.9p1-reject-cntrl-chars-in-username.patch
 Patch1033: openssh-9.9p1-reject-null-char-in-url-string.patch
 Patch1034: openssh-9.9p1-sshd-no-delegate-credentials.patch
 Patch1035: openssh-10.0-mlkem-nist-fips.patch
+Patch1036: openssh-9.9p1-gssapi-s4u.patch
 
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -427,6 +428,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1033 -p1 -b .reject-null-char-in-url-string
 %patch -P 1034 -p1 -b .sshd-nogsscreds
 %patch -P 1035 -p1 -b .mlkem-nist-fips
+%patch -P 1036 -p1 -b .gssapi-s4u
 
 %patch -P 100 -p1 -b .coverity
 
@@ -707,6 +709,10 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
 
 %changelog
+* Wed Mar 11 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-21
+- Implement obtaining Kerberos tickets on behalf of user on SSH authentication
+  Resolves: RHEL-92932
+
 * Wed Feb 25 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-20
 - Provide a way to skip unsupported ML-KEM hybrid algorithms in FIPS mode
   Resolves: RHEL-151579