diff --git a/harden_sssd-ifp.service.patch b/harden_sssd-ifp.service.patch
new file mode 100644
index 0000000..250a49f
--- /dev/null
+++ b/harden_sssd-ifp.service.patch
@@ -0,0 +1,24 @@
+Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+===================================================================
+--- sssd-2.5.2.orig/src/sysv/systemd/sssd-ifp.service.in
++++ sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+@@ -5,6 +5,19 @@ After=sssd.service
+ BindsTo=sssd.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Environment=DEBUG_LOGGER=--logger=files
+ EnvironmentFile=-@environment_file@
+ Type=dbus
diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch
new file mode 100644
index 0000000..183e0b0
--- /dev/null
+++ b/harden_sssd-kcm.service.patch
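Review bot: The patch header still names the 2.5.2 tree (`Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in` and the `---`/`+++` lines) while this same commit moves `Version:` to 2.6.1; a `-p1` apply strips the prefix so it still lands, but the patch should be regenerated against the 2.6.1 sources so the header matches what is actually patched, and the same applies to harden_sssd-kcm.service.patch. The block is marked "added automatically", so nothing in the patch records that the directives were checked against what these services touch; a one-line comment inside the block naming the verified paths (the state directory under `%_localstatedir/lib/sss` stays writable under `ProtectSystem=full`, `/etc` and `/usr` do not) would let the next update judge whether a new upstream feature conflicts with them. Note also that the kcm unit's `ExecStart` still runs `sssd_kcm --uid 0 --gid 0`, so the list narrows the filesystem and kernel surface but leaves the process itself fully privileged; if `NoNewPrivileges=`/`CapabilityBoundingSet=` were deliberately left out for that reason, say so in the patch header.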
@@ -0,0 +1,24 @@
+Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+===================================================================
+--- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+@@ -8,6 +8,19 @@ After=sssd-kcm.socket
+ Also=sssd-kcm.socket
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Environment=DEBUG_LOGGER=--logger=files
+ ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
+ ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
diff --git a/sssd-2.5.2.tar.gz b/sssd-2.5.2.tar.gz
deleted file mode 100644
index e911dc2..0000000
--- a/sssd-2.5.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f
-size 7579208
diff --git a/sssd-2.5.2.tar.gz.asc b/sssd-2.5.2.tar.gz.asc
deleted file mode 100644
index 5649c67..0000000
--- a/sssd-2.5.2.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAmDsmCgACgkQr/513ehQ
-jhJgLAf/WNPCzxImSpydiqCw0utxcDj/zcfufOU5tciVGP2Dg6O6+jf21Tl1IzE0
-dNDloUH6iyIOATWryirveaEIBEpz/8H66bOFEuw+eOY5mnMz+xsI879lvno7KsHj
-RsJjxSKjLktvOgOb+vYDciRS6Au3AaKCIPP0v5S3LEZtsHlDG6CwoWI7wEN9XN0r
-/VYo0HG0TIkY2eIfi6pqcr25JzOqTQH3NUW8VbqFWWC7h1XFEBpiftIvHZLrqblP
-CtHbkdRA8j6u5J285H4g/9Oj/7wtlDOXvkobGdM9MwS5jjKg0XBJJ3A6uHZ5GTX5
-/ppVxE/WCrZliqxpjP/+BHkaY3DMzA==
-=2Ag7
------END PGP SIGNATURE-----
diff --git a/sssd-2.6.1.tar.gz b/sssd-2.6.1.tar.gz
new file mode 100644
index 0000000..038ed1f
--- /dev/null
+++ b/sssd-2.6.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:81d41881d0d1f120717ea80e75daca357e40ccbd0d656eb9f99b5824d59e594d
+size 7454377
diff --git a/sssd-2.6.1.tar.gz.asc b/sssd-2.6.1.tar.gz.asc
new file mode 100644
index 0000000..15050d4
--- /dev/null
+++ b/sssd-2.6.1.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAmGKkxIACgkQr/513ehQ
+jhIkZQgAiFmf+DwcwhY5Qirw7NDgm+6Pmn2uDlSiMfE7B5v/8x0PdnYrnXUGP/qq
+Y7G6txMYvvMPZU8qW0sGR2RDWQj7BavVx2tdkCwPcBBFAUkfgwrBoJ8du8NucK7i
+VF3jS8KlPfSXfqPPb6LD4V3ia2WhplqKh3q9ewNkpolTfdiayvtQcHkYeZEHb2qD
+WI9cICkWzUDpzvaGt3ENbIM+h1SLYv9R/mUlXUrNTZsU+14AhCaUu3PlOBbOhQyU
+cUT6XrwejhZVQIgPDd1FPOlrf2DIe0OMWd6KWVyvI8ULHnUPQ/s0svj39P3fnWTH
+EdetPb/xJWmDcej2+HsUXo2JTC3pIA==
+=jbK/
+-----END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
index 0dc0835..c52be41 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Tue Nov 23 16:11:48 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_sssd-ifp.service.patch
+ * harden_sssd-kcm.service.patch
+
+-------------------------------------------------------------------
+Tue Nov 9 15:35:58 UTC 2021 - Jan Engelhardt
+
+- Update to release 2.6.1
+ * New infopipe method FindByValidCertificate().
+ * The default value of the "ssh_hash_known_hosts" setting was
+ changed to false for the sake of consistency with OpenSSH
+ that does not hash host names by default.
+
+-------------------------------------------------------------------
+Fri Oct 15 13:41:13 UTC 2021 - Jan Engelhardt
+
+- Update to release 2.6.0
+ * Support of legacy json format for ccaches was dropped.
+ * Support of long time deprecated secrets responder was dropped.
+ * Support of long time deprecated local provider was dropped.
+ * The sssctl command was vulnerable to shell command injection
+ via the logs-fetch and cache-expire subcommands,
+ which was fixed.
+ * Basic support of user's 'subuid and subgid ranges' for IPA
+ provider and corresponding plugin for shadow-utils were added.
+
 -------------------------------------------------------------------
 Mon Jul 12 19:45:37 UTC 2021 - Jan Engelhardt
diff --git a/sssd.spec b/sssd.spec
index 34c7e29..63d8953 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package sssd
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@ Name: sssd
-Version: 2.5.2
+Version: 2.6.1
 Release: 0
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later and LGPL-3.0-or-later
@@ -29,25 +29,8 @@ Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source3: baselibs.conf
 Source5: %name.keyring
 Patch1: krb-noversion.diff
-
-%define servicename sssd
-%define sssdstatedir %_localstatedir/lib/sss
-%define dbpath %sssdstatedir/db
-%define pipepath %sssdstatedir/pipes
-%define pubconfpath %sssdstatedir/pubconf
-%define gpocachepath %sssdstatedir/gpo_cache
-
-# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
-# /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
-# * cifs-utils one is the default (priority 20)
-# * installing SSSD should NOT switch to SSSD plugin (priority 10)
-%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
-%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so
-%define cifs_idmap_name cifs-idmap-plugin
-%define cifs_idmap_priority 10
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
-
+Patch2: harden_sssd-ifp.service.patch
+Patch3: harden_sssd-kcm.service.patch
 BuildRequires: autoconf >= 2.59
 BuildRequires: automake
 BuildRequires: bind-utils
@@ -59,6 +42,7 @@ BuildRequires: krb5-devel >= 1.12
 BuildRequires: libcmocka-devel
 BuildRequires: libsmbclient-devel
 BuildRequires: libtool
+BuildRequires: libunistring-devel
 BuildRequires: libxml2-tools
 BuildRequires: libxslt-tools
 BuildRequires: nscd
@@ -81,7 +65,7 @@ BuildRequires: pkgconfig(libcrypto)
 BuildRequires: pkgconfig(libnfsidmap)
 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
-BuildRequires: pkgconfig(libpcre) >= 7
+BuildRequires: pkgconfig(libpcre2-8)
 BuildRequires: pkgconfig(libsystemd)
 BuildRequires: pkgconfig(ndr_krb5pac)
 BuildRequires: pkgconfig(ndr_nbt)
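Review bot: `Patch2:` and `Patch3:` are declared in this hunk, but nothing in the diff touches %prep, which lies outside the shown hunks; if %prep applies patches by explicit `%patch1 -p1` rather than `%autosetup -p1`, the two new patches are declared but never applied and the hardening announced in the changelog silently never reaches the installed units. Please confirm %prep picks them up (or add `%patch2 -p1` and `%patch3 -p1`), and consider a %check that greps the installed unit files for `ProtectSystem=` so a skipped patch fails the build instead of passing unnoticed. openSUSE's patch-tagging convention also expects a tag line above each new patch, e.g. `# PATCH-FIX-OPENSUSE harden_sssd-ifp.service.patch bsc#1181400 -- systemd hardening`, which this hunk omits.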
@@ -99,6 +83,24 @@ Provides: libsss_sudo = %version-%release
 Provides: sssd-client = %version-%release
 Obsoletes: libsss_sudo < %version-%release
+%define servicename sssd
+%define sssdstatedir %_localstatedir/lib/sss
+%define dbpath %sssdstatedir/db
+%define pipepath %sssdstatedir/pipes
+%define pubconfpath %sssdstatedir/pubconf
+%define gpocachepath %sssdstatedir/gpo_cache
+
+# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
+# /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
+# * cifs-utils one is the default (priority 20)
+# * installing SSSD should NOT switch to SSSD plugin (priority 10)
+%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
+%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so
+%define cifs_idmap_name cifs-idmap-plugin
+%define cifs_idmap_priority 10
+Requires(post): update-alternatives
+Requires(postun): update-alternatives
+
 %description
 Provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward
@@ -363,15 +365,11 @@ Security Services Daemon (sssd).
 %build
 export LDB_DIR="$(pkg-config ldb --variable=modulesdir)"
-
 # help configure find nscd
 export PATH="$PATH:/usr/sbin"
 autoreconf -fiv
-export CFLAGS="%optflags -fPIE"
-export LDFLAGS="-pie"
 %configure \
- --with-crypto=libcrypto \
 --with-db-path="%dbpath" \
 --with-pipe-path="%pipepath" \
 --with-pubconf-path="%pubconfpath" \
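Review bot: Dropping `export CFLAGS="%optflags -fPIE"` and `export LDFLAGS="-pie"` in the %build hunk removes the only explicit PIE setting in the spec, and neither the hunk nor the .changes entries say why; on current openSUSE the toolchain presumably defaults to PIE so this is likely a no-op, but that should be stated in the changelog, and a cheap guard in %check such as `readelf -h %buildroot%_sbindir/sssd | grep -q 'Type:.*DYN'` would turn a silent loss of PIE into a build failure. The removal of `--with-crypto=libcrypto` presumably tracks upstream dropping the option in 2.6; worth confirming, because an unrecognised `--with-*` option only produces a configure warning, so a stale option would never have failed the build either way. The %build section continues past the end of the hunk.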
@@ -394,16 +392,12 @@ export LDFLAGS="-pie"
 %install
 # sss_obfuscate is compatible with both python 2 and 3
-sed -i -e 's:%_bindir/python:%_bindir/python3:' src/tools/sss_obfuscate
-
+perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
 %make_install
 b="%buildroot"
-#for i in cs cs/man8 nl nl/man8 pt pt/man8 uk uk/man1 uk/man5 uk/man8; do
-# mkdir -p "$b/%_mandir/$i"
-#done
 # Copy some defaults
-mkdir -p "$b/%_sysconfdir/sssd" "$b/%_sysconfdir/sssd/conf.d"
+mkdir -pv "$b/%_sysconfdir/sssd" "$b/%_sysconfdir/sssd/conf.d"
 install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
 install -d "$b/%_unitdir"
 install -d "$b/%_sysconfdir/logrotate.d"
@@ -415,7 +409,7 @@ find "$b" -type f -name "*.la" -print -delete
 %find_lang %name --all-name
 # dummy target for cifs-idmap-plugin
-mkdir -p %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
+mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
 ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
 %check
@@ -513,7 +507,6 @@ fi
 %_mandir/??/man5/sssd-ad.5*
 %_mandir/??/man5/sssd-files.5*
 %_mandir/??/man5/sssd-ldap-attributes.5*
-%_mandir/??/man5/sssd-secrets.5*
 %_mandir/??/man5/sssd-session-recording.5*
 %_mandir/??/man5/sssd-simple.5*
 %_mandir/??/man5/sssd-sudo.5*
@@ -578,7 +571,6 @@ fi
 %_datadir/%name/cfg_rules.ini
 %_datadir/%name/sssd.api.conf
 %dir %_datadir/%name/sssd.api.d/
-%_datadir/%name/sssd.api.d/sssd-local.conf
 %_datadir/%name/sssd.api.d/sssd-simple.conf
 %_datadir/%name/sssd.api.d/sssd-files.conf
 #
@@ -591,6 +583,7 @@ fi
 %_libdir/%name/modules/sssd_krb5_localauth_plugin.so
 %_mandir/??/man8/sssd_krb5_locator_plugin.8*
 %_mandir/??/man8/pam_sss.8*
+%_mandir/??/man8/pam_sss_gss.8*
 %_mandir/man8/pam_sss.8*
 %_mandir/man8/pam_sss_gss.8*
 %_mandir/man8/sssd_krb5_locator_plugin.8*
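Review bot: `perl -i -lpe` in the %install hunk carries `-l`, which chomps every input line and re-appends the record separator on output, so a file lacking a final newline gains one; harmless for sss_obfuscate but unnecessary for a single in-place substitution, and `perl -i -pe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate` does the same job with no line-ending side effect. The `\b` is the real improvement over the old sed (it keeps an upstream shebang that already reads `python3` from becoming `python33`), but the surviving comment `# sss_obfuscate is compatible with both python 2 and 3` no longer says what the line does; `# pin the sss_obfuscate shebang to python3 (\b keeps an existing python3 intact)` would. perl also becomes a build-time tool here; confirm the build environment provides it or add `BuildRequires: perl`.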
@@ -642,7 +635,6 @@ fi
 %dir %_libexecdir/sssd/
 %_libexecdir/sssd/sssd_kcm
 %dir %_libdir/sssd/
-%_libdir/sssd/libsss_secrets.so
 %_mandir/man8/sssd-kcm.8*
 %_mandir/??/man8/sssd-kcm.8*
 %_datadir/sssd-kcm/
@@ -698,6 +690,7 @@ fi
 %_mandir/??/man8/sss_*.8*
 %_mandir/man8/sssctl.8*
 %_mandir/man8/sss_*.8*
+%python3_sitelib/sssd/
 %files winbind-idmap
 %_libdir/samba/