File openssh-7.9p1-gsskex-method--from-fedora-31-gsi-openssh-package-modified-SLE_15_SP1.patch of Package gsi-openssh
diff -Nur openssh-7.9p1.orig/gss-serv.c openssh-7.9p1/gss-serv.c
--- openssh-7.9p1.orig/gss-serv.c 2019-12-10 17:07:03.019776093 +0100
+++ openssh-7.9p1/gss-serv.c 2019-12-10 17:17:00.467484498 +0100
@@ -505,10 +505,12 @@
/* Privileged */
int
-ssh_gssapi_userok(char *user, struct passwd *pw)
+ssh_gssapi_userok(char *user, struct passwd *pw, int kex)
{
OM_uint32 lmin;
+ (void) kex; /* used in privilege separation */
+
#ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
if (limited && options.gsi_allow_limited_proxy != 1) {
debug("limited proxy not acceptable for remote login");
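Review bot: The comment on the added `(void) kex;` line is misleading: this function never uses `kex`, and from the rest of this patch the flag is consumed only by the monitor's `mm_answer_gss_userok()` to choose the `auth_method` label, not by privilege separation logic here. Suggest `(void) kex; /* unused here; the monitor uses it only to label auth_method */` so a later reader does not go looking for a use that does not exist. ssh_gssapi_userok's body continues outside the hunk.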
diff -Nur openssh-7.9p1.orig/monitor.c openssh-7.9p1/monitor.c
--- openssh-7.9p1.orig/monitor.c 2019-12-10 17:07:03.019776093 +0100
+++ openssh-7.9p1/monitor.c 2019-12-10 17:17:00.467484498 +0100
@@ -1970,14 +1970,17 @@
int
mm_answer_gss_userok(int sock, struct sshbuf *m)
{
- int r, authenticated;
+ int r, authenticated, kex;
const char *displayname;
if (!options.gss_authentication && !options.gss_keyex)
fatal("%s: GSSAPI authentication not enabled", __func__);
+ if ((r = sshbuf_get_u32(m, &kex)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
authenticated = authctxt->valid &&
- ssh_gssapi_userok(authctxt->user, authctxt->pw);
+ ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
sshbuf_reset(m);
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
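Review bot: `kex` is declared `int` on the changed declaration line but its address is passed to `sshbuf_get_u32()`, which takes a `u_int32_t *`; that is an incompatible-pointer-type conversion that warns by default and breaks a -Werror build. Split the declaration into `int r, authenticated;` and `u_int32_t kex;`; the later `ssh_gssapi_userok(authctxt->user, authctxt->pw, kex)` call then converts it to `int` implicitly, as does the `if (kex)` test in the next hunk. Note also that the value is read straight from the request buffer sent by the unprivileged child and is used, without any range check or cross-check against monitor-side state, to decide whether the auth method is recorded as "gssapi-keyex" or "gssapi-with-mic"; if the monitor already tracks whether a GSSAPI key exchange completed, deriving the label from that state (or at least rejecting `kex` values other than 0 and 1) would keep the audit record from depending on the child's claim. mm_answer_gss_userok continues past this hunk into the next one.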
@@ -1986,7 +1989,11 @@
debug3("%s: sending result %d", __func__, authenticated);
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
- auth_method = "gssapi-with-mic";
+ if (kex) {
+ auth_method = "gssapi-keyex";
+ } else {
+ auth_method = "gssapi-with-mic";
+ }
if ((displayname = ssh_gssapi_displayname()) != NULL)
auth2_record_info(authctxt, "%s", displayname);
diff -Nur openssh-7.9p1.orig/monitor_wrap.c openssh-7.9p1/monitor_wrap.c
--- openssh-7.9p1.orig/monitor_wrap.c 2019-12-10 17:07:03.019776093 +0100
+++ openssh-7.9p1/monitor_wrap.c 2019-12-10 17:17:00.467484498 +0100
@@ -1025,13 +1025,15 @@
}
int
-mm_ssh_gssapi_userok(char *user, struct passwd *pw)
+mm_ssh_gssapi_userok(char *user, struct passwd *pw, int kex)
{
struct sshbuf *m;
int r, authenticated = 0;
if ((m = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshbuf_put_u32(m, kex)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
mm_request_receive_expect(pmonitor->m_recvfd,
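Review bot: The new `sshbuf_put_u32(m, kex)` forwards whatever `int` the caller passed as a raw 32-bit value, so anything other than 0 or 1 (including negative values, which wrap) reaches the monitor unchanged. Normalizing at the boundary, `if ((r = sshbuf_put_u32(m, kex != 0)) != 0)`, keeps the wire value a strict boolean and matches how the monitor tests it with `if (kex)`. mm_ssh_gssapi_userok's body continues outside the hunk.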
diff -Nur openssh-7.9p1.orig/monitor_wrap.h openssh-7.9p1/monitor_wrap.h
--- openssh-7.9p1.orig/monitor_wrap.h 2019-12-10 17:07:03.019776093 +0100
+++ openssh-7.9p1/monitor_wrap.h 2019-12-10 17:17:00.467484498 +0100
@@ -62,7 +62,7 @@
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
-int mm_ssh_gssapi_userok(char *user, struct passwd *);
+int mm_ssh_gssapi_userok(char *user, struct passwd *, int kex);
OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
int mm_ssh_gssapi_localname(char **user);
diff -Nur openssh-7.9p1.orig/ssh-gss.h openssh-7.9p1/ssh-gss.h
--- openssh-7.9p1.orig/ssh-gss.h 2019-12-10 17:07:03.027776142 +0100
+++ openssh-7.9p1/ssh-gss.h 2019-12-10 17:17:00.467484498 +0100
@@ -157,7 +157,7 @@
gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
int ssh_gssapi_server_check_mech(Gssctxt **, gss_OID, const char *, const char *);
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
-int ssh_gssapi_userok(char *name, struct passwd *);
+int ssh_gssapi_userok(char *name, struct passwd *, int kex);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);