diff --git a/ChangeLog b/ChangeLog
index 4279d956a..18cc5ebfb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 20010117
  - (djm) Only write random seed file at exit
+ - (djm) Make PAM support optional, enable with --with-pam
+ - (djm) Try to use libcrypt on Linux, but link it after OpenSSL (which 
+   provides a crypt() of its own)
+ - (djm) Avoid a warning in bsd-bindresvport.c
+ - (djm) Try to avoid adding -I/usr/include to CPPFLAGS during SSL tests. This
+   can cause weird segfaults errors on Solaris 
 
 20010115
  - (bal) sftp-server.c change to use chmod() if fchmod() does not exist.
diff --git a/acconfig.h b/acconfig.h
index e2c34317d..439a7ba1c 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -66,8 +66,8 @@
 /* Define if you are on NEWS-OS */
 #undef HAVE_NEWS4
 
-/* Define if you want to disable PAM support */
-#undef DISABLE_PAM
+/* Define if you want to enable PAM support */
+#undef USE_PAM
 
 /* Define if you want to enable AIX4's authenticate function */
 #undef WITH_AIXAUTHENTICATE
diff --git a/bsd-bindresvport.c b/bsd-bindresvport.c
index 536a5056f..7faf73191 100644
--- a/bsd-bindresvport.c
+++ b/bsd-bindresvport.c
@@ -88,6 +88,9 @@ bindresvport_af(sd, sa, af)
 	if (port == 0)
 		port = (arc4random() % NPORTS) + STARTPORT;
 
+	/* Avoid warning */
+	error = -1;
+
 	for(i = 0; i < NPORTS; i++) {
 		*portp = htons(port);
 		
diff --git a/configure.in b/configure.in
index 82cb5d4bd..0dd8c0043 100644
--- a/configure.in
+++ b/configure.in
@@ -62,12 +62,10 @@ case "$host" in
 *-*-cygwin*)
 	LIBS="$LIBS -lregex /usr/lib/textmode.o"
 	AC_DEFINE(HAVE_CYGWIN)
-	AC_DEFINE(DISABLE_PAM)
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(IPV4_DEFAULT)
 	AC_DEFINE(IP_TOS_IS_BROKEN)
 	AC_DEFINE(BROKEN_VHANGUP)
-	no_pam=1
 	no_libsocket=1
 	no_libnsl=1
 	;;
@@ -122,6 +120,7 @@ case "$host" in
 	;;
 *-*-linux*)
 	no_dev_ptmx=1
+	check_for_libcrypt_later=1
 	AC_DEFINE(DONT_TRY_OTHER_AF)
 	AC_DEFINE(PAM_TTY_KLUDGE)
 	inet6_default_4in6=yes
@@ -368,27 +367,30 @@ fi
 
 AC_FUNC_GETPGRP
 
+# Check for PAM libs
 PAM_MSG="no"
 AC_ARG_WITH(pam,
-	[  --without-pam           Disable PAM support ],
+	[  --with-pam              Enable PAM support ],
 	[
-		if test "x$withval" = "xno" ; then
-			no_pam=1
-			AC_DEFINE(DISABLE_PAM)
-			PAM_MSG="disabled"
+		if test "x$withval" != "xno" ; then
+			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" ; then
+				AC_MSG_ERROR([PAM headers not found])
+			fi
+
+			AC_CHECK_LIB(dl, dlopen, , )
+			AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
+			AC_CHECK_FUNCS(pam_getenvlist)
+
+			disable_shadow=yes
+			PAM_MSG="yes"
+
+			AC_DEFINE(USE_PAM)
 		fi
 	]
 )
-if (test -z "$no_pam" && test "x$ac_cv_header_security_pam_appl_h" = "xyes") ; then
-	AC_CHECK_LIB(dl, dlopen, , )
-	LIBS="$LIBS -lpam"
-
-	AC_CHECK_FUNCS(pam_getenvlist)
-
-	disable_shadow=yes
-
-	PAM_MSG="yes"
 
+# Check for older PAM
+if test "x$PAM_MSG" = "xyes" ; then
 	# Check PAM strerror arguments (old PAM)
 	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
 	AC_TRY_COMPILE(
@@ -403,7 +405,7 @@ if (test -z "$no_pam" && test "x$ac_cv_header_security_pam_appl_h" = "xyes") ; t
 			AC_MSG_RESULT(yes)
 			PAM_MSG="yes (old library)"
 		]
-	) 
+	)
 fi
 
 # The big search for OpenSSL
@@ -425,7 +427,7 @@ fi
 AC_CACHE_CHECK([for OpenSSL directory], ac_cv_openssldir, [
 
 	for ssldir in $tryssldir "" /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
-		if test ! -z "$ssldir" ; then
+		if test ! -z "$ssldir" -a "x$ssldir" != "x/usr"; then
 			LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir"
 			CPPFLAGS="$saved_CPPFLAGS -I$ssldir/include"
 			if test ! -z "$need_dash_r" ; then
@@ -476,13 +478,16 @@ if (test ! -z "$ac_cv_openssldir" && test "x$ac_cv_openssldir" != "x(system)") ;
 	AC_DEFINE(HAVE_OPENSSL)
 	dnl Need to recover ssldir - test above runs in subshell
 	ssldir=$ac_cv_openssldir
-	CPPFLAGS="$saved_CPPFLAGS -I$ssldir/include"
-	LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir"
-	if test ! -z "$need_dash_r" ; then
-		LDFLAGS="$LDFLAGS -R$ssldir/lib -R$ssldir"
-	fi
-	if test ! -z "$blibpath" ; then
-		blibpath="$blibpath:$ssldir:$ssldir/lib"
+
+	if test ! -z "$ssldir" -a "x$ssldir" != "x/usr"; then
+		CPPFLAGS="$saved_CPPFLAGS -I$ssldir/include"
+		LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir"
+		if test ! -z "$need_dash_r" ; then
+			LDFLAGS="$LDFLAGS -R$ssldir/lib -R$ssldir"
+		fi
+		if test ! -z "$blibpath" ; then
+			blibpath="$blibpath:$ssldir:$ssldir/lib"
+		fi
 	fi
 fi
 LIBS="$saved_LIBS -lcrypto"
@@ -537,6 +542,12 @@ else
 	fi
 fi
 
+# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the 
+# version in OpenSSL. Skip this for PAM
+if test "x$PAM_MSG" = "xno" -a "x$check_for_libcrypt_later" = "x1"; then
+	AC_CHECK_LIB(crypt, crypt, , )
+fi
+
 # Cheap hack to ensure NEWS-OS libraries are arranged right.
 if test ! -z "$SONY" ; then
   LIBS="$LIBS -liberty";
diff --git a/defines.h b/defines.h
index 79aab5ab6..26c532c92 100644
--- a/defines.h
+++ b/defines.h
@@ -332,10 +332,6 @@ struct winsize {
 # define __attribute__(x)
 #endif /* !defined(__GNUC__) || (__GNUC__ < 2) */
 
-#if defined(HAVE_SECURITY_PAM_APPL_H) && !defined(DISABLE_PAM)
-# define USE_PAM
-#endif /* defined(HAVE_SECURITY_PAM_APPL_H) && !defined(DISABLE_PAM) */
-
 #ifndef SUN_LEN
 #define SUN_LEN(su) \
         (sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path))