diff --git a/INSTALL b/INSTALL index d0fa00e6c..814768791 100644 --- a/INSTALL +++ b/INSTALL @@ -24,6 +24,10 @@ If you must use a non-position-independent libcrypto, then you may need to configure OpenSSH --without-pie. Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to 1.1.0g can't be used. +To support Privilege Separation (which is now required) you will need +to create the user, group and directory used by sshd for privilege +separation. See README.privsep for details. + The remaining items are optional. NB. If you operating system supports /dev/random, you should configure @@ -133,10 +137,6 @@ make install This will install the binaries in /opt/{bin,lib,sbin}, but will place the configuration files in /etc/ssh. -If you are using Privilege Separation (which is enabled by default) -then you will also need to create the user, group and directory used by -sshd for privilege separation. See README.privsep for details. - If you are using PAM, you may need to manually install a PAM control file as "/etc/pam.d/sshd" (or wherever your system prefers to keep them). Note that the service name used to start PAM is __progname, diff --git a/README.privsep b/README.privsep index 460e90565..d658c46db 100644 --- a/README.privsep +++ b/README.privsep 
@@ -5,13 +5,10 @@ escalation by containing corruption to an unprivileged process. More information is available at: http://www.citi.umich.edu/u/provos/ssh/privsep.html -Privilege separation is now enabled by default; see the -UsePrivilegeSeparation option in sshd_config(5). - -When privsep is enabled, during the pre-authentication phase sshd will -chroot(2) to "/var/empty" and change its privileges to the "sshd" user -and its primary group. sshd is a pseudo-account that should not be -used by other daemons, and must be locked and should contain a +Privilege separation is now mandatory. During the pre-authentication +phase sshd will chroot(2) to "/var/empty" and change its privileges to the +"sshd" user and its primary group. sshd is a pseudo-account that should +not be used by other daemons, and must be locked and should contain a "nologin" or invalid shell. You should do something like the following to prepare the privsep
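Review bot: in the first INSTALL hunk, the added sentence "To support Privilege Separation (which is now required) you will need to create the user, group and directory..." still reads as if privsep were a feature the builder opts into; since the whole point of the change is that it can no longer be turned off, lead with the requirement instead, e.g. "Privilege separation is now mandatory, so you must create the user, group and directory used by sshd for privilege separation. See README.privsep for details." That also matches the "now mandatory" wording this same patch introduces in README.privsep, and placing it above "The remaining items are optional." is the right spot, since the sshd account and /var/empty are a hard prerequisite for the daemon to start.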
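Review bot: the second INSTALL hunk removes the privsep paragraph from the post-"make install" section, which is the correct counterpart to the move above, but the only remaining mention is now near the top of the file, before the build and install steps. Someone working through the install section sequentially (configure, make, make install, then PAM setup) will no longer be reminded at the point where the account and directory actually have to exist; consider leaving a one-line pointer here ("Remember to create the privsep user, group and directory; see README.privsep.") next to the PAM note so the post-install checklist stays complete.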
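Review bot: the README.privsep hunk drops the sentence pointing at the UsePrivilegeSeparation option in sshd_config(5), but this diff does not touch sshd_config.5 or the shipped sshd_config, so either those should be updated in the same change to mark the option as obsolete, or this README should state what sshd now does when an existing sshd_config still sets UsePrivilegeSeparation (silently ignored versus rejected at startup), because administrators upgrading with an old config will hit exactly that case. The rewrapped text otherwise preserves the important requirements (chroot to "/var/empty", drop to the "sshd" user and primary group, account locked with a "nologin" or invalid shell), which is what keeps a compromised pre-auth process from being useful as a login account.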