diff --git a/ChangeLog b/ChangeLog index 5b1cb2966..30e8d2c44 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ - dtucker@cvs.openbsd.org 2008/06/14 15:49:48 [sshd.c] wrap long line at 80 chars + - dtucker@cvs.openbsd.org 2008/06/14 17:07:11 + [sshd.c] + ensure default umask disallows at least group and world write; ok djm@ 20080614 - (djm) [openbsd-compat/sigact.c] Avoid NULL derefs in ancient sigaction @@ -4376,4 +4379,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5013 2008/06/15 21:50:24 djm Exp $ +$Id: ChangeLog,v 1.5014 2008/06/15 21:50:58 djm Exp $ diff --git a/sshd.c b/sshd.c index 5b89231f1..8ebbbee7b 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.361 2008/06/14 15:49:48 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.362 2008/06/14 17:07:11 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1245,6 +1245,7 @@ main(int ac, char **av) int remote_port; char *line, *p, *cp; int config_s[2] = { -1 , -1 }; + mode_t new_umask; Key *key; Authctxt *authctxt; @@ -1610,6 +1611,10 @@ main(int ac, char **av) rexec_argv[rexec_argc + 1] = NULL; } + /* Ensure that umask disallows at least group and world write */ + new_umask = umask(0077) | 0022; + (void) umask(new_umask); + /* Initialize the log (it is reinitialized below in case we forked). */ if (debug_flag && (!inetd_flag || rexeced_flag)) log_stderr = 1;
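Review bot: The comment above `new_umask = umask(0077) | 0022;` in the `@@ -1610,6 +1611,10 @@` hunk of sshd.c says what is enforced but not why it takes two calls, and the idiom is easy to misread as setting the process umask to 0077. umask() can only be read by setting it, so the first call installs a restrictive placeholder and returns the inherited mask, and the second call installs that inherited mask with the 0022 bits added; a stricter inherited umask is therefore kept and only a looser one is tightened. I would extend the comment to something like `/* umask() cannot be queried without setting it: set 0077 (fail closed) to read the inherited mask, then restore it with 022 forced on */`. main() starts and ends outside the hunk, so whether anything earlier in startup creates a file under the inherited umask cannot be judged from here and is worth checking.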