--- /dev/null
+Index: auth-pam.c
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
+retrieving revision 1.97
+diff -u -p -r1.97 auth-pam.c
+--- auth-pam.c 4 Mar 2004 09:03:54 -0000 1.97
++++ auth-pam.c 4 Mar 2004 10:53:12 -0000
+@@ -160,7 +160,7 @@ static int sshpam_session_open = 0;
+ static int sshpam_cred_established = 0;
+ static int sshpam_account_status = -1;
+ static char **sshpam_env = NULL;
+-static int *force_pwchange;
++static Authctxt *the_authctxt = NULL;
+
+ /* Some PAM implementations don't implement this */
+ #ifndef HAVE_PAM_GETENVLIST
+@@ -180,7 +180,9 @@ void
+ pam_password_change_required(int reqd)
+ {
+ debug3("%s %d", __func__, reqd);
+- *force_pwchange = reqd;
++ if (the_authctxt == NULL)
++ fatal("%s: PAM authctxt not initialized", __func__);
++ the_authctxt->force_pwchange = reqd;
+ if (reqd) {
+ no_port_forwarding_flag |= 2;
+ no_agent_forwarding_flag |= 2;
+@@ -339,6 +341,9 @@ sshpam_thread(void *ctxtp)
+ sshpam_conv.conv = sshpam_thread_conv;
+ sshpam_conv.appdata_ptr = ctxt;
+
++ if (the_authctxt == NULL)
++ fatal("%s: PAM authctxt not initialized", __func__);
++
+ buffer_init(&buffer);
+ sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
+ (const void *)&sshpam_conv);
+@@ -351,7 +356,7 @@ sshpam_thread(void *ctxtp)
+ if (compat20) {
+ if (!do_pam_account())
+ goto auth_fail;
+- if (*force_pwchange) {
++ if (the_authctxt->force_pwchange) {
+ sshpam_err = pam_chauthtok(sshpam_handle,
+ PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (sshpam_err != PAM_SUCCESS)
+@@ -365,7 +370,7 @@ sshpam_thread(void *ctxtp)
+ #ifndef USE_POSIX_THREADS
+ /* Export variables set by do_pam_account */
+ buffer_put_int(&buffer, sshpam_account_status);
+- buffer_put_int(&buffer, *force_pwchange);
++ buffer_put_int(&buffer, the_authctxt->force_pwchange);
+
+ /* Export any environment strings set in child */
+ for(i = 0; environ[i] != NULL; i++)
+@@ -446,11 +451,11 @@ sshpam_cleanup(void)
+ }
+
+ static int
+-sshpam_init(const char *user)
++sshpam_init(Authctxt *authctxt)
+ {
+ extern u_int utmp_len;
+ extern char *__progname;
+- const char *pam_rhost, *pam_user;
++ const char *pam_rhost, *pam_user, *user = authctxt->user;
+
+ if (sshpam_handle != NULL) {
+ /* We already have a PAM context; check if the user matches */
+@@ -464,6 +469,8 @@ sshpam_init(const char *user)
+ debug("PAM: initializing for \"%s\"", user);
+ sshpam_err =
+ pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
++ the_authctxt = authctxt;
++
+ if (sshpam_err != PAM_SUCCESS) {
+ pam_end(sshpam_handle, sshpam_err);
+ sshpam_handle = NULL;
+@@ -506,7 +513,7 @@ sshpam_init_ctx(Authctxt *authctxt)
+ return NULL;
+
+ /* Initialize PAM */
+- if (sshpam_init(authctxt->user) == -1) {
++ if (sshpam_init(authctxt) == -1) {
+ error("PAM: initialization failed");
+ return (NULL);
+ }
+@@ -514,8 +521,6 @@ sshpam_init_ctx(Authctxt *authctxt)
+ ctxt = xmalloc(sizeof *ctxt);
+ memset(ctxt, 0, sizeof(*ctxt));
+
+- force_pwchange = &(authctxt->force_pwchange);
+-
+ /* Start the authentication thread */
+ if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
+ error("PAM: failed create sockets: %s", strerror(errno));
+@@ -674,12 +679,12 @@ KbdintDevice mm_sshpam_device = {
+ * This replaces auth-pam.c
+ */
+ void
+-start_pam(const char *user)
++start_pam(Authctxt *authctxt)
+ {
+ if (!options.use_pam)
+ fatal("PAM: initialisation requested when UsePAM=no");
+
+- if (sshpam_init(user) == -1)
++ if (sshpam_init(authctxt) == -1)
+ fatal("PAM: initialisation failed");
+ }
+
+Index: auth-pam.h
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.h,v
+retrieving revision 1.24
+diff -u -p -r1.24 auth-pam.h
+--- auth-pam.h 10 Feb 2004 02:23:29 -0000 1.24
++++ auth-pam.h 1 Mar 2004 07:32:06 -0000
+@@ -31,7 +31,7 @@
+ # define SSHD_PAM_SERVICE __progname
+ #endif
+
+-void start_pam(const char *);
++void start_pam(Authctxt *);
+ void finish_pam(void);
+ u_int do_pam_account(void);
+ void do_pam_session(void);
+Index: auth1.c
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth1.c,v
+retrieving revision 1.96
+diff -u -p -r1.96 auth1.c
+--- auth1.c 22 Nov 2003 03:15:30 -0000 1.96
++++ auth1.c 1 Mar 2004 07:32:06 -0000
+@@ -307,7 +307,7 @@ do_authentication(Authctxt *authctxt)
+
+ #ifdef USE_PAM
+ if (options.use_pam)
+- PRIVSEP(start_pam(user));
++ PRIVSEP(start_pam(authctxt));
+ #endif
+
+ /*
+Index: auth2.c
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v
+retrieving revision 1.126
+diff -u -p -r1.126 auth2.c
+--- auth2.c 17 Nov 2003 10:13:41 -0000 1.126
++++ auth2.c 1 Mar 2004 07:32:06 -0000
+@@ -150,24 +150,24 @@ input_userauth_request(int type, u_int32
+ if (authctxt->attempt++ == 0) {
+ /* setup auth context */
+ authctxt->pw = PRIVSEP(getpwnamallow(user));
++ authctxt->user = xstrdup(user);
+ if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
+ authctxt->valid = 1;
+ debug2("input_userauth_request: setting up authctxt for %s", user);
+ #ifdef USE_PAM
+ if (options.use_pam)
+- PRIVSEP(start_pam(authctxt->pw->pw_name));
++ PRIVSEP(start_pam(authctxt));
+ #endif
+ } else {
+ logit("input_userauth_request: illegal user %s", user);
+ authctxt->pw = fakepw();
+ #ifdef USE_PAM
+ if (options.use_pam)
+- PRIVSEP(start_pam(user));
++ PRIVSEP(start_pam(authctxt));
+ #endif
+ }
+ setproctitle("%s%s", authctxt->pw ? user : "unknown",
+ use_privsep ? " [net]" : "");
+- authctxt->user = xstrdup(user);
+ authctxt->service = xstrdup(service);
+ authctxt->style = style ? xstrdup(style) : NULL;
+ if (use_privsep)
+Index: monitor.c
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.c,v
+retrieving revision 1.64
+diff -u -p -r1.64 monitor.c
+--- monitor.c 6 Feb 2004 05:40:27 -0000 1.64
++++ monitor.c 4 Mar 2004 09:44:54 -0000
+@@ -782,16 +782,10 @@ mm_answer_skeyrespond(int socket, Buffer
+ int
+ mm_answer_pam_start(int socket, Buffer *m)
+ {
+- char *user;
+-
+ if (!options.use_pam)
+ fatal("UsePAM not set, but ended up in %s anyway", __func__);
+
+- user = buffer_get_string(m, NULL);
+-
+- start_pam(user);
+-
+- xfree(user);
++ start_pam(authctxt);
+
+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
+
+Index: monitor_wrap.c
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.c,v
+retrieving revision 1.40
+diff -u -p -r1.40 monitor_wrap.c
+--- monitor_wrap.c 21 Nov 2003 12:56:47 -0000 1.40
++++ monitor_wrap.c 4 Mar 2004 10:06:58 -0000
+@@ -686,7 +686,7 @@ mm_session_pty_cleanup2(Session *s)
+
+ #ifdef USE_PAM
+ void
+-mm_start_pam(char *user)
++mm_start_pam(Authctxt *authctxt)
+ {
+ Buffer m;
+
+@@ -695,8 +695,6 @@ mm_start_pam(char *user)
+ fatal("UsePAM=no, but ended up in %s anyway", __func__);
+
+ buffer_init(&m);
+- buffer_put_cstring(&m, user);
+-
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m);
+
+ buffer_free(&m);
+Index: monitor_wrap.h
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.h,v
+retrieving revision 1.17
+diff -u -p -r1.17 monitor_wrap.h
+--- monitor_wrap.h 17 Nov 2003 11:18:22 -0000 1.17
++++ monitor_wrap.h 4 Mar 2004 09:55:57 -0000
+@@ -66,7 +66,7 @@ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt
+ #endif
+
+ #ifdef USE_PAM
+-void mm_start_pam(char *);
++void mm_start_pam(struct Authctxt *);
+ u_int mm_do_pam_account(void);
+ void *mm_sshpam_init_ctx(struct Authctxt *);
+ int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);