diff --git a/openssh-4.3p2-pam-session.patch b/openssh-4.3p2-pam-session.patch
new file mode 100644
index 0000000..7cdd90c
--- /dev/null
+++ b/openssh-4.3p2-pam-session.patch
@@ -0,0 +1,91 @@
+Index: auth-pam.c
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
+retrieving revision 1.134
+diff -u -p -r1.134 auth-pam.c
+--- auth-pam.c	15 May 2006 07:22:33 -0000	1.134
++++ auth-pam.c	22 May 2006 08:50:59 -0000
+@@ -573,15 +573,17 @@ static struct pam_conv store_conv = { ss
+ void
+ sshpam_cleanup(void)
+ {
+-	debug("PAM: cleanup");
+-	if (sshpam_handle == NULL)
++	if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
+ 		return;
++	debug("PAM: cleanup");
+ 	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
+ 	if (sshpam_cred_established) {
++		debug("PAM: deleting credentials");
+ 		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
+ 		sshpam_cred_established = 0;
+ 	}
+ 	if (sshpam_session_open) {
++		debug("PAM: closing session");
+ 		pam_close_session(sshpam_handle, PAM_SILENT);
+ 		sshpam_session_open = 0;
+ 	}
+Index: monitor.c
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.c,v
+retrieving revision 1.104
+diff -u -p -r1.104 monitor.c
+--- monitor.c	21 May 2006 08:26:40 -0000	1.104
++++ monitor.c	22 May 2006 08:37:58 -0000
+@@ -354,6 +354,10 @@ monitor_child_preauth(Authctxt *_authctx
+ 				    MONITOR_REQ_PAM_ACCOUNT, &m);
+ 				authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
+ 				buffer_free(&m);
++				if (authenticated) {
++					do_pam_session();
++					do_pam_setcred(0);
++				}
+ 			}
+ #endif
+ 		}
+@@ -1531,6 +1535,11 @@ mm_answer_term(int sock, Buffer *req)
+ 	/* The child is terminating */
+ 	session_destroy_all(&mm_session_close);
+ 
++#ifdef USE_PAM
++	if (options.use_pam)
++		sshpam_cleanup();
++#endif
++
+ 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
+ 		if (errno != EINTR)
+ 			exit(1);
+Index: session.c
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v
+retrieving revision 1.328
+diff -u -p -r1.328 session.c
+--- session.c	4 May 2006 06:24:34 -0000	1.328
++++ session.c	22 May 2006 08:14:24 -0000
+@@ -541,7 +541,7 @@ do_exec_pty(Session *s, const char *comm
+ 	ttyfd = s->ttyfd;
+ 
+ #if defined(USE_PAM)
+-	if (options.use_pam) {
++	if (options.use_pam && !use_privsep) {
+ 		do_pam_set_tty(s->tty);
+ 		if (!use_privsep)
+ 			do_pam_setcred(1);
+@@ -1284,7 +1284,7 @@ do_setusercontext(struct passwd *pw)
+ 		}
+ #endif
+ # ifdef USE_PAM
+-		if (options.use_pam) {
++		if (options.use_pam && !use_privsep) {
+ 			do_pam_session();
+ 			do_pam_setcred(0);
+ 		}
+@@ -1326,7 +1326,7 @@ do_setusercontext(struct passwd *pw)
+ 		 * These will have been wiped by the above initgroups() call.
+ 		 * Reestablish them here.
+ 		 */
+-		if (options.use_pam) {
++		if (options.use_pam && !use_privsep) {
+ 			do_pam_session();
+ 			do_pam_setcred(0);
+ 		}
diff --git a/openssh.spec b/openssh.spec
index a59c465..3cded84 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -58,7 +58,7 @@
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 4.3p2
-%define rel 6
+%define rel 7
 %if %{rescue}
 %define %{rel}rescue
 %else
@@ -92,11 +92,10 @@ Patch35: openssh-4.2p1-askpass-progress.patch
 Patch36: openssh-4.3p2-buffer-len.patch
 Patch37: openssh-4.3p2-configure-typo.patch
 Patch38: openssh-4.3p2-askpass-grab-info.patch
+Patch39: openssh-4.3p2-pam-session.patch
 License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
-Obsoletes: ssh
-Provides: ssh
 %if %{nologin}
 Requires: /sbin/nologin
 %endif
@@ -140,14 +139,10 @@ BuildRequires: xauth
 Summary: The OpenSSH client applications
 Requires: openssh = %{version}-%{release}
 Group: Applications/Internet
-Obsoletes: ssh-clients
-Provides: ssh-clients
 
 %package server
 Summary: The OpenSSH server daemon
 Group: System Environment/Daemons
-Obsoletes: ssh-server
-Provides: ssh-server
 Requires: openssh = %{version}-%{release}
 Requires(post): chkconfig >= 0.9, /sbin/service
 Requires(pre): /usr/sbin/useradd
@@ -157,8 +152,8 @@ Requires: /etc/pam.d/system-auth, /%{_lib}/security/pam_loginuid.so
 Summary: A passphrase dialog for OpenSSH and X
 Group: Applications/Internet
 Requires: openssh = %{version}-%{release}
-Obsoletes: ssh-extras, openssh-askpass-gnome
-Provides: ssh-extras, openssh-askpass-gnome
+Obsoletes: openssh-askpass-gnome
+Provides: openssh-askpass-gnome
 
 %description
 SSH (Secure SHell) is a program for logging into and executing
@@ -225,6 +220,7 @@ an X11 passphrase dialog for OpenSSH.
 %patch36 -p0 -b .buffer-len
 %patch37 -p1 -b .typo
 %patch38 -p1 -b .grab-info
+%patch39 -p0 -b .pam-session
 
 autoreconf
 
@@ -466,6 +462,11 @@ fi
 %endif
 
 %changelog
+* Thu Jul 20 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-7
+- dropped old ssh obsoletes
+- call the pam_session_open/close from the monitor when privsep is
+  enabled so it is always called as root (patch by Darren Tucker)
+
 * Mon Jul 17 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-6
 - improve selinux patch (by Jan Kiszka)
 - upstream patch for buffer append space error (#191940)