diff --git a/openssh-8.7p1-gssapi-auth.patch b/openssh-8.7p1-gssapi-auth.patch
new file mode 100644
index 0000000..6908cad
--- /dev/null
+++ b/openssh-8.7p1-gssapi-auth.patch
@@ -0,0 +1,20 @@
+diff --color -rup a/monitor.c b/monitor.c
+--- a/monitor.c 2022-07-11 15:11:28.146863144 +0200
++++ b/monitor.c 2022-07-11 15:15:35.726655877 +0200
+@@ -376,8 +376,15 @@ monitor_child_preauth(struct ssh *ssh, s
+ if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
+ auth_log(ssh, authenticated, partial,
+ auth_method, auth_submethod);
+- if (!partial && !authenticated)
++ if (!partial && !authenticated) {
++#ifdef GSSAPI
++ /* If gssapi-with-mic failed, MONITOR_REQ_GSSCHECKMIC is disabled.
++ * We have to reenable it to try again for gssapi-keyex */
++ if (strcmp(auth_method, "gssapi-with-mic") == 0 && options.gss_keyex)
++ monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
++#endif
+ authctxt->failures++;
++ }
+ if (authenticated || partial) {
+ auth2_update_session_info(authctxt,
+ auth_method, auth_submethod);
diff --git a/openssh.spec b/openssh.spec
index 61967bc..7610156 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -236,6 +236,10 @@ Patch1002: openssh-8.7p1-ssh-manpage.patch
# 6c31ba10e97b6953c4f325f526f3e846dfea647a
# 322964f8f2e9c321e77ebae1e4d2cd0ccc5c5a0b
Patch1003: openssh-8.7p1-mem-leak.patch
+# Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
+# upstream MR:
+# https://github.com/openssh-gsskex/openssh-gsskex/pull/21
+Patch1004: openssh-8.7p1-gssapi-auth.patch
License: BSD
Requires: /sbin/nologin
@@ -428,6 +432,7 @@ popd
%patch1001 -p1 -b .scp-clears-file
%patch1002 -p1 -b .ssh-manpage
%patch1003 -p1 -b .mem-leak
+%patch1004 -p1 -b .gssapi-auth
%patch100 -p1 -b .coverity
@@ -715,6 +720,8 @@ test -f %{sysconfig_anaconda} && \
Resolves: rhbz#2033372
- Fix several memory leaks
Related: rhbz#2068423
+- Fix gssapi authentication failures
+ Resolves: rhbz#2091023
* Wed Jun 29 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-10
- Set minimal value of RSA key length via configuration option