diff --git a/ChangeLog b/ChangeLog
index 8ed0d7377..a00e4ea18 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,9 @@
       sshconnect1.c sshconnect2.c ssh-keysign.8 ssh-keysign.c Makefile.in]
      add /usr/libexec/ssh-keysign: a setuid helper program for hostbased 
      authentication in protocol v2 (needs to access the hostkeys).
+   - markus@cvs.openbsd.org 2002/05/23 19:39:34
+     [ssh.c]
+     add comment about ssh-keysign
 
 20020604
  - (stevesk) [channels.c] bug #164 patch from YOSHIFUJI Hideaki (changed
@@ -705,4 +708,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2149 2002/06/06 19:57:33 mouring Exp $
+$Id: ChangeLog,v 1.2150 2002/06/06 19:58:27 mouring Exp $
diff --git a/ssh.c b/ssh.c
index 2e479d521..0afdba7b5 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.173 2002/05/23 19:24:30 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.174 2002/05/23 19:39:34 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -683,6 +683,8 @@ again:
 	 * in case we will need it later for combined rsa-rhosts
 	 * authentication. This must be done before releasing extra
 	 * privileges, because the file is only readable by root.
+	 * If we cannot access the private keys, load the public keys
+	 * instead and try to execute the ssh-keysign helper instead.
 	 */
 	sensitive_data.nkeys = 0;
 	sensitive_data.keys = NULL;