diff --git a/SOURCES/openssh-7.4p1-gss-strict-acceptor.patch b/SOURCES/openssh-7.4p1-gss-strict-acceptor.patch
new file mode 100644
index 0000000..878ce1a
--- /dev/null
+++ b/SOURCES/openssh-7.4p1-gss-strict-acceptor.patch
@@ -0,0 +1,28 @@
+From 13bd2e2d622d01dc85d22b94520a5b243d006049 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Fri, 6 Jan 2017 03:45:41 +0000
+Subject: [PATCH] upstream commit
+
+sshd_config is documented to set
+GSSAPIStrictAcceptorCheck=yes by default, so actually make it do this.
+bz#2637 ok dtucker
+
+Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665
+---
+ servconf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/servconf.c b/servconf.c
+index 795ddbab7..c9105a592 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -270,7 +270,7 @@ fill_default_server_options(ServerOptions *options)
+ if (options->gss_cleanup_creds == -1)
+ options->gss_cleanup_creds = 1;
+ if (options->gss_strict_acceptor == -1)
+- options->gss_strict_acceptor = 0;
++ options->gss_strict_acceptor = 1;
+ if (options->gss_store_rekey == -1)
+ options->gss_store_rekey = 0;
+ if (options->password_authentication == -1)
+
diff --git a/SOURCES/openssh-7.4p1-gssKexAlgorithms.patch b/SOURCES/openssh-7.4p1-gssKexAlgorithms.patch
index 657610d..c83636e 100644
--- a/SOURCES/openssh-7.4p1-gssKexAlgorithms.patch
+++ b/SOURCES/openssh-7.4p1-gssKexAlgorithms.patch
@@ -240,7 +240,7 @@ diff -up openssh-7.4p1/servconf.c.gsskexalg openssh-7.4p1/servconf.c
 options->kbd_interactive_authentication = -1;
 options->challenge_response_authentication = -1;
 @@ -280,6 +281,10 @@ fill_default_server_options(ServerOption
- options->gss_strict_acceptor = 0;
+ options->gss_strict_acceptor = 1;
 if (options->gss_store_rekey == -1)
 options->gss_store_rekey = 0;
 +#ifdef GSSAPI
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index 69a8ae4..c2ce291 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -64,7 +64,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 7.4p1
-%define openssh_rel 12
+%define openssh_rel 13
 %define pam_ssh_agent_ver 0.10.3
 %define pam_ssh_agent_rel 1
 
@@ -183,6 +183,9 @@ Patch900: openssh-6.1p1-gssapi-canohost.patch
 Patch901: openssh-7.4p1-kuserok.patch
 # use default_ccache_name from /etc/krb5.conf (#991186)
 Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
+# Change GSSAPIStrictAcceptor to yes as it ever was (#1488982)
+Patch903: openssh-7.4p1-gss-strict-acceptor.patch
+
 # Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set (#969375
 Patch905: openssh-7.4p1-legacy-ssh-copy-id.patch
 # Use tty allocation for a remote scp (#985650)
@@ -457,6 +460,8 @@ popd
 %patch900 -p1 -b .canohost
 %patch901 -p1 -b .kuserok
 %patch902 -p1 -b .ccache_name
+%patch903 -p1 -b .gss-strict
+
 %patch905 -p1 -b .legacy-ssh-copy-id
 %patch906 -p1 -b .fromto-remote
 %patch914 -p1 -b .log-sftp-only
@@ -812,6 +817,9 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Wed Sep 13 2017 Jakub Jelen - 7.4p1-13 + 0.10.3-1
+- Revert default of GSSAPIStrictAcceptorCheck=no back to yes (#1488982)
+
 * Mon Aug 07 2017 Jakub Jelen - 7.4p1-12 + 0.10.3-1
 - Revert upstream change to UseDNS=no back to yes (#1478175)
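Review bot: The comment added above the new `Patch903:` line names the option as `GSSAPIStrictAcceptor`, but the sshd_config keyword whose default the patch restores is `GSSAPIStrictAcceptorCheck`, as the changelog entry in the last hunk and the embedded upstream commit message both say; "as it ever was" also reads oddly. Suggest `# Restore the documented default GSSAPIStrictAcceptorCheck=yes (#1488982)` so the comment matches the keyword an administrator would grep for in sshd_config(5). The `%patch903 -p1 -b .gss-strict` line and the blank lines around it follow the pattern of the neighbouring entries, and the gssKexAlgorithms.patch context update in the previous file is consistent with Patch903 being applied before it.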