diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index de8652b0e..904dd6930 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.25 2021/06/08 22:30:27 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.26 2021/09/30 05:20:08 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="certified host keys"
@@ -131,14 +131,12 @@ attempt_connect() {
 }
 
 # Basic connect and revocation tests.
-for privsep in yes ; do
 	for ktype in $PLAIN_TYPES ; do
-		verbose "$tid: host ${ktype} cert connect privsep $privsep"
+		verbose "$tid: host ${ktype} cert connect"
 		(
 			cat $OBJ/sshd_proxy_bak
 			echo HostKey $OBJ/cert_host_key_${ktype}
 			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-			echo UsePrivilegeSeparation $privsep
 		) > $OBJ/sshd_proxy
 
 		#               test name                         expect success
@@ -160,7 +158,6 @@ for privsep in yes ; do
 		attempt_connect "$ktype CA plaintext revocation"	"no" \
 		    -oRevokedHostKeys=$OBJ/host_revoked_ca
 	done
-done
 
 # Revoked certificates with key present
 kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
@@ -169,14 +166,12 @@ for ktype in $PLAIN_TYPES ; do
 	kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
 done
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for privsep in yes ; do
 	for ktype in $PLAIN_TYPES ; do
-		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
+		verbose "$tid: host ${ktype} revoked cert"
 		(
 			cat $OBJ/sshd_proxy_bak
 			echo HostKey $OBJ/cert_host_key_${ktype}
 			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-			echo UsePrivilegeSeparation $privsep
 		) > $OBJ/sshd_proxy
 
 		cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
@@ -187,7 +182,6 @@ for privsep in yes ; do
 			fail "ssh cert connect succeeded unexpectedly"
 		fi
 	done
-done
 
 # Revoked CA
 kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index baa6903ea..53d1951d7 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-userkey.sh,v 1.26 2021/02/25 03:27:34 djm Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.27 2021/09/30 05:20:08 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="certified user keys"
@@ -60,14 +60,12 @@ done
 # Test explicitly-specified principals
 for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 	t=$(kname $ktype)
-	for privsep in yes ; do
-		_prefix="${ktype} privsep $privsep"
+		_prefix="${ktype}"
 
 		# Setup for AuthorizedPrincipalsFile
 		rm -f $OBJ/authorized_keys_$USER
 		(
 			cat $OBJ/sshd_proxy_bak
-			echo "UsePrivilegeSeparation $privsep"
 			echo "AuthorizedPrincipalsFile " \
 			    "$OBJ/authorized_principals_%u"
 			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
@@ -148,7 +146,6 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 		rm -f $OBJ/authorized_principals_$USER
 		(
 			cat $OBJ/sshd_proxy_bak
-			echo "UsePrivilegeSeparation $privsep"
 			echo "PubkeyAcceptedAlgorithms ${t}"
 		) > $OBJ/sshd_proxy
 		(
@@ -179,7 +176,6 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 		if [ $? -ne 0 ]; then
 			fail "ssh cert connect failed"
 		fi
-	done
 done
 
 basic_tests() {
@@ -197,13 +193,11 @@ basic_tests() {
 
 	for ktype in $PLAIN_TYPES ; do
 		t=$(kname $ktype)
-		for privsep in yes ; do
-			_prefix="${ktype} privsep $privsep $auth"
+			_prefix="${ktype} $auth"
 			# Simple connect
 			verbose "$tid: ${_prefix} connect"
 			(
 				cat $OBJ/sshd_proxy_bak
-				echo "UsePrivilegeSeparation $privsep"
 				echo "PubkeyAcceptedAlgorithms ${t}"
 				echo "$extra_sshd"
 			) > $OBJ/sshd_proxy
@@ -222,7 +216,6 @@ basic_tests() {
 			verbose "$tid: ${_prefix} revoked key"
 			(
 				cat $OBJ/sshd_proxy_bak
-				echo "UsePrivilegeSeparation $privsep"
 				echo "RevokedKeys $OBJ/cert_user_key_revoked"
 				echo "PubkeyAcceptedAlgorithms ${t}"
 				echo "$extra_sshd"
@@ -265,7 +258,6 @@ basic_tests() {
 		if [ $? -eq 0 ]; then
 			fail "ssh cert connect succeeded unexpecedly"
 		fi
-	done
 
 	verbose "$tid: $auth CA does not authenticate"
 	(
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
index 9549b33a7..222d424bd 100644
--- a/regress/hostkey-agent.sh
+++ b/regress/hostkey-agent.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: hostkey-agent.sh,v 1.12 2021/09/29 01:32:21 djm Exp $
+#	$OpenBSD: hostkey-agent.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="hostkey agent"
@@ -45,7 +45,7 @@ for k in $SSH_KEYTYPES ; do
 		fail "keytype $k failed"
 	fi
 	if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
-		fail "bad SSH_CONNECTION key type $k privsep=$ps"
+		fail "bad SSH_CONNECTION key type $k"
 	fi
 done
 
@@ -78,7 +78,7 @@ for k in $SSH_CERTTYPES ; do
 		fail "cert type $k failed"
 	fi
 	if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
-		fail "bad SSH_CONNECTION key type $k privsep=$ps"
+		fail "bad SSH_CONNECTION key type $k"
 	fi
 done
 
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh
index 4c2d07dc2..1577da159 100644
--- a/regress/login-timeout.sh
+++ b/regress/login-timeout.sh
@@ -1,9 +1,9 @@
-#	$OpenBSD: login-timeout.sh,v 1.9 2017/08/07 00:53:51 dtucker Exp $
+#	$OpenBSD: login-timeout.sh,v 1.10 2021/09/30 05:20:08 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="connect after login grace timeout"
 
-trace "test login grace with privsep"
+trace "test login grace time"
 cp $OBJ/sshd_config $OBJ/sshd_config.orig
 grep -vi LoginGraceTime $OBJ/sshd_config.orig > $OBJ/sshd_config
 echo "LoginGraceTime 10s" >> $OBJ/sshd_config
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
index a808f9c35..74da09a96 100644
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: principals-command.sh,v 1.12 2021/09/30 04:22:50 dtucker Exp $
+#	$OpenBSD: principals-command.sh,v 1.13 2021/09/30 05:20:08 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="authorized principals command"
@@ -59,114 +59,110 @@ if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then
 	exit 0
 fi
 
-if [ -x $PRINCIPALS_COMMAND ]; then
-	# Test explicitly-specified principals
-	for privsep in yes ; do
-		_prefix="privsep $privsep"
-
-		# Setup for AuthorizedPrincipalsCommand
-		rm -f $OBJ/authorized_keys_$USER
-		(
-			cat $OBJ/sshd_proxy_bak
-			echo "UsePrivilegeSeparation $privsep"
-			echo "AuthorizedKeysFile none"
-			echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
-			    "%u %t %T %i %s %F %f %k %K"
-			echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
-			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
-		) > $OBJ/sshd_proxy
-
-		# XXX test missing command
-		# XXX test failing command
-
-		# Empty authorized_principals
-		verbose "$tid: ${_prefix} empty authorized_principals"
-		echo > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
-
-		# Wrong authorized_principals
-		verbose "$tid: ${_prefix} wrong authorized_principals"
-		echo gregorsamsa > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
-
-		# Correct authorized_principals
-		verbose "$tid: ${_prefix} correct authorized_principals"
-		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
-		fi
-
-		# authorized_principals with bad key option
-		verbose "$tid: ${_prefix} authorized_principals bad key opt"
-		echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
-
-		# authorized_principals with command=false
-		verbose "$tid: ${_prefix} authorized_principals command=false"
-		echo 'command="false" mekmitasdigoat' > \
-		    $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
-
-		# authorized_principals with command=true
-		verbose "$tid: ${_prefix} authorized_principals command=true"
-		echo 'command="true" mekmitasdigoat' > \
-		    $OBJ/authorized_principals_$USER
-		${SSH} -i $OBJ/cert_user_key \
-		    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
-		if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
-		fi
-
-		# Setup for principals= key option
-		rm -f $OBJ/authorized_principals_$USER
-		(
-			cat $OBJ/sshd_proxy_bak
-			echo "UsePrivilegeSeparation $privsep"
-		) > $OBJ/sshd_proxy
-
-		# Wrong principals list
-		verbose "$tid: ${_prefix} wrong principals key option"
-		(
-			printf 'cert-authority,principals="gregorsamsa" '
-			cat $OBJ/user_ca_key.pub
-		) > $OBJ/authorized_keys_$USER
-		${SSH} -i $OBJ/cert_user_key \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -eq 0 ]; then
-			fail "ssh cert connect succeeded unexpectedly"
-		fi
-
-		# Correct principals list
-		verbose "$tid: ${_prefix} correct principals key option"
-		(
-			printf 'cert-authority,principals="mekmitasdigoat" '
-			cat $OBJ/user_ca_key.pub
-		) > $OBJ/authorized_keys_$USER
-		${SSH} -i $OBJ/cert_user_key \
-		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-		if [ $? -ne 0 ]; then
-			fail "ssh cert connect failed"
-		fi
-	done
-else
-	echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
+if [ ! -x $PRINCIPALS_COMMAND ]; then
+	skip "$PRINCIPALS_COMMAND not executable " \
 	    "(/var/run mounted noexec?)"
 fi
+
+#Test explicitly-specified principals
+	# Setup for AuthorizedPrincipalsCommand
+	rm -f $OBJ/authorized_keys_$USER
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo "AuthorizedKeysFile none"
+		echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
+		    "%u %t %T %i %s %F %f %k %K"
+		echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+		echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+	) > $OBJ/sshd_proxy
+
+	# XXX test missing command
+	# XXX test failing command
+
+	# Empty authorized_principals
+	verbose "$tid: empty authorized_principals"
+	echo > $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
+
+	# Wrong authorized_principals
+	verbose "$tid: wrong authorized_principals"
+	echo gregorsamsa > $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
+
+	# Correct authorized_principals
+	verbose "$tid: correct authorized_principals"
+	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		fail "ssh cert connect failed"
+	fi
+
+	# authorized_principals with bad key option
+	verbose "$tid: authorized_principals bad key opt"
+	echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
+
+	# authorized_principals with command=false
+	verbose "$tid: authorized_principals command=false"
+	echo 'command="false" mekmitasdigoat' > \
+	    $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
+
+
+	# authorized_principals with command=true
+	verbose "$tid: authorized_principals command=true"
+	echo 'command="true" mekmitasdigoat' > \
+	    $OBJ/authorized_principals_$USER
+	${SSH} -i $OBJ/cert_user_key \
+	    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		fail "ssh cert connect failed"
+	fi
+
+	# Setup for principals= key option
+	# TODO: remove?
+	rm -f $OBJ/authorized_principals_$USER
+	(
+		cat $OBJ/sshd_proxy_bak
+	) > $OBJ/sshd_proxy
+
+	# Wrong principals list
+	verbose "$tid: wrong principals key option"
+	(
+		printf 'cert-authority,principals="gregorsamsa" '
+		cat $OBJ/user_ca_key.pub
+	) > $OBJ/authorized_keys_$USER
+	${SSH} -i $OBJ/cert_user_key \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
+
+	# Correct principals list
+	verbose "$tid: correct principals key option"
+	(
+		printf 'cert-authority,principals="mekmitasdigoat" '
+		cat $OBJ/user_ca_key.pub
+	) > $OBJ/authorized_keys_$USER
+	${SSH} -i $OBJ/cert_user_key \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		fail "ssh cert connect failed"
+	fi