diff --git a/ChangeLog b/ChangeLog
index d0b761fec..b83507e01 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+20010418
+ - OpenBSD CVS Sync                            
+   - markus@cvs.openbsd.org 2001/04/17 19:34:25
+     [session.c]                               
+     move auth_approval to do_authenticated(). 
+     do_child(): nuke hostkeys from memory     
+     don't source .ssh/rc for subsystems.      
 20010417
   - (bal) Add perl5 check for HP/UX, Removed GNUness from Makefile.in
     and temporary commented out 'catman-do:' since it is broken.  Patches
@@ -5145,4 +5152,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1135 2001/04/17 18:14:34 mouring Exp $
+$Id: ChangeLog,v 1.1136 2001/04/18 15:29:33 mouring Exp $
diff --git a/session.c b/session.c
index 4580c3025..3960c9f25 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.73 2001/04/16 08:19:31 djm Exp $");
+RCSID("$OpenBSD: session.c,v 1.74 2001/04/17 19:34:25 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -140,8 +140,8 @@ extern char *__progname;
 extern int log_stderr;
 extern int debug_flag;
 extern u_int utmp_len;
-
 extern int startup_pipe;
+extern void destroy_sensitive_data(void);
 
 /* Local Xauthority file. */
 static char *xauthfile;
@@ -179,6 +179,12 @@ do_authenticated(Authctxt *authctxt)
 		error("unable to get login class");
 		return;
 	}
+#ifdef BSD_AUTH
+	if (auth_approval(NULL, lc, authctxt->pw->pw_name, "ssh") <= 0) {
+		packet_disconnect("Approval failure for %s",
+		    authctxt->pw->pw_name);
+	}
+#endif
 #endif
 	/* setup the channel layer */
 	if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
@@ -1050,6 +1056,9 @@ do_child(Session *s, const char *command)
 #endif /* WITH_IRIX_ARRAY */
 #endif /* WITH_IRIX_JOBS */
 
+	/* remove hostkey from the child's memory */
+	destroy_sensitive_data();
+
 	/* login(1) is only called if we execute the login shell */
 	if (options.use_login && command != NULL)
 		options.use_login = 0;
@@ -1097,13 +1106,6 @@ do_child(Session *s, const char *command)
 				perror("unable to set user context");
 				exit(1);
 			}
-#ifdef BSD_AUTH
-			if (auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
-				error("approval failure for %s", pw->pw_name);
-				fprintf(stderr, "Approval failure");
-				exit(1);
-			}
-#endif
 # else /* HAVE_LOGIN_CAP */
 #if defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
 			/* Sets login uid for accounting */
@@ -1389,7 +1391,8 @@ do_child(Session *s, const char *command)
 	 * in this order).
 	 */
 	if (!options.use_login) {
-		if (stat(_PATH_SSH_USER_RC, &st) >= 0) {
+		/* ignore _PATH_SSH_USER_RC for subsystems */
+		if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
 			if (debug_flag)
 				fprintf(stderr, "Running %s %s\n", _PATH_BSHELL,
 				    _PATH_SSH_USER_RC);