2 files changed, 16 insertions, 9 deletions

diff --git a/ChangeLog b/ChangeLog
index 1fbc6a20f..9bbf02bed 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20061107
+ - (dtucker) [sshd.c] Use privsep_pw if we have it, but only require it
+   if we absolutely need it.  Pointed out by Corinna, ok djm@
+
 20061105
  - (djm) OpenBSD CVS Sync
    - otto@cvs.openbsd.org 2006/10/28 18:08:10
@@ -2588,4 +2592,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4583 2006/11/04 18:32:02 djm Exp $
+$Id: ChangeLog,v 1.4584 2006/11/07 00:28:40 dtucker Exp $
diff --git a/sshd.c b/sshd.c
index 06ec03b20..a5fa9e4eb 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1431,14 +1431,17 @@ main(int ac, char **av)
 
         debug("sshd version %.100s", SSH_RELEASE);
 
-        /* Store privilege separation user for later use */
-        if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL)
-                fatal("Privilege separation user %s does not exist",
-                    SSH_PRIVSEP_USER);
-        memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd));
-        privsep_pw = pwcopy(privsep_pw);
-        xfree(privsep_pw->pw_passwd);
-        privsep_pw->pw_passwd = xstrdup("*");
+        /* Store privilege separation user for later use if required. */
+        if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
+                if (use_privsep || options.kerberos_authentication)
+                        fatal("Privilege separation user %s does not exist",
+                            SSH_PRIVSEP_USER);
+        } else {
+                memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd));
+                privsep_pw = pwcopy(privsep_pw);
+                xfree(privsep_pw->pw_passwd);
+                privsep_pw->pw_passwd = xstrdup("*");
+        }
         endpwent();
 
         /* load private host keys */