--- crypto/openssh/auth2.c.orig +++ crypto/openssh/auth2.c @@ -259,6 +259,7 @@ if (options.use_pam) PRIVSEP(start_pam(authctxt)); #endif + /* XXXPJD: Denied in capability mode. */ setproctitle("%s%s", authctxt->valid ? user : "unknown", use_privsep ? " [net]" : ""); authctxt->service = xstrdup(service); @@ -276,6 +277,7 @@ } #ifdef HAVE_LOGIN_CAP + /* XXXPJD: Doesn't work in privsep. */ if (authctxt->pw != NULL) { lc = login_getpwclass(authctxt->pw); if (lc == NULL) --- crypto/openssh/config.h.orig +++ crypto/openssh/config.h @@ -228,6 +228,12 @@ /* Define to 1 if you have the header file. */ /* #undef HAVE_BSTRING_H */ +/* Define to 1 if you have the `cap_enter' function. */ +#define HAVE_CAP_ENTER 1 + +/* Capsicum Capability Mode */ +#define HAVE_CAP_MODE 1 + /* Define to 1 if you have the `clock' function. */ #define HAVE_CLOCK 1 @@ -1406,6 +1412,9 @@ /* read(1) can return 0 for a non-closed fd */ /* #undef PTY_ZEROREAD */ +/* Sandbox using Capsicum */ +#define SANDBOX_CAPSICUM 1 + /* Sandbox using Darwin sandbox_init(3) */ /* #undef SANDBOX_DARWIN */ @@ -1413,7 +1422,7 @@ /* #undef SANDBOX_NULL */ /* Sandbox using setrlimit(2) */ -#define SANDBOX_RLIMIT 1 +/* #undef SANDBOX_RLIMIT */ /* Sandbox using seccomp filter */ /* #undef SANDBOX_SECCOMP_FILTER */ --- /dev/null 2013-07-23 22:44:00.000000000 +0200 +++ crypto/openssh/sandbox-capsicum.c 2013-07-23 22:50:24.916036683 +0200 
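Review bot: The `/* XXXPJD: Denied in capability mode. */` comment added before setproctitle() marks a known failure but leaves the call in place and does not say what the denial means for the preauth child (a silent no-op, or an error that surfaces somewhere else); the `/* XXXPJD: Doesn't work in privsep. */` comment in the second auth2.c hunk has the same shape, and there the `lc == NULL` branch becomes the normal path for the unprivileged child as far as the hunk shows. Someone auditing the sandbox needs the consequence, not only the marker, so each comment should state the observed behaviour and the intended fix, e.g. `/* XXXPJD: Denied in capability mode; the title is simply not updated in the sandboxed child. */` once that is confirmed against setproctitle(3) on the target, or the call can be skipped when cap_getmode(2) reports capability mode. For login_getpwclass() the comment should name the fallback that is actually taken when it fails in the privsep child. Both enclosing functions start and end outside their hunks.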
@@ -0,0 +1,79 @@
+/* $FreeBSD$ */
+/*-
+ * Copyright (c) 2011 Dag-Erling Smørgrav
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef SANDBOX_CAPSICUM
+
+#include
+#include
+
+#include
+#include
+#include
+
+#include "log.h"
+#include "monitor.h"
+#include "ssh-sandbox.h"
+#include "xmalloc.h"
+
+/* Capsicum-based sandbox */
+
+struct ssh_sandbox {
+ struct monitor *monitor;
+ pid_t child_pid;
+};
+
+struct ssh_sandbox *
+ssh_sandbox_init(struct monitor *monitor)
+{
+ struct ssh_sandbox *box;
+
+ debug3("%s: preparing Capsicum sandbox", __func__);
+ box = xcalloc(1, sizeof(*box));
+ box->monitor = monitor;
+ box->child_pid = 0;
+
+ return box;
+}
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+
+ if (cap_rights_limit(box->monitor->m_recvfd, CAP_READ | CAP_WRITE) == -1)
+ fatal("%s: failed to limit the network socket", __func__);
+ if (cap_rights_limit(box->monitor->m_log_sendfd, CAP_WRITE) == -1)
+ fatal("%s: failed to limit the logging socket", __func__);
+ if (cap_enter() == -1)
+ fatal("%s: failed to enter capability mode", __func__);
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+ free(box);
+ debug3("%s: finished", __func__);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+ 
box->child_pid = child_pid; +} + +#endif /* SANDBOX_CAPSICUM */ --- crypto/openssh/sandbox-darwin.c.orig +++ crypto/openssh/sandbox-darwin.c @@ -40,7 +40,7 @@ }; struct ssh_sandbox * -ssh_sandbox_init(void) +ssh_sandbox_init(struct monitor *monitor) { struct ssh_sandbox *box; --- crypto/openssh/sandbox-null.c.orig +++ crypto/openssh/sandbox-null.c @@ -39,7 +39,7 @@ }; struct ssh_sandbox * -ssh_sandbox_init(void) +ssh_sandbox_init(struct monitor *monitor) { struct ssh_sandbox *box; --- crypto/openssh/sandbox-rlimit.c.orig +++ crypto/openssh/sandbox-rlimit.c @@ -42,7 +42,7 @@ }; struct ssh_sandbox * -ssh_sandbox_init(void) +ssh_sandbox_init(struct monitor *monitor) { struct ssh_sandbox *box; --- crypto/openssh/sandbox-systrace.c.orig +++ crypto/openssh/sandbox-systrace.c @@ -77,7 +77,7 @@ }; struct ssh_sandbox * -ssh_sandbox_init(void) +ssh_sandbox_init(struct monitor *monitor) { struct ssh_sandbox *box; --- crypto/openssh/ssh-sandbox.h.orig +++ crypto/openssh/ssh-sandbox.h @@ -15,9 +15,10 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +struct monitor; struct ssh_sandbox; -struct ssh_sandbox *ssh_sandbox_init(void); +struct ssh_sandbox *ssh_sandbox_init(struct monitor *); void ssh_sandbox_child(struct ssh_sandbox *); void ssh_sandbox_parent_finish(struct ssh_sandbox *); void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t); --- crypto/openssh/sshd.c.orig +++ crypto/openssh/sshd.c @@ -658,7 +658,7 @@ pmonitor->m_pkex = &xxx_kex; if (use_privsep == PRIVSEP_ON) - box = ssh_sandbox_init(); + box = ssh_sandbox_init(pmonitor); pid = fork(); if (pid == -1) { fatal("fork of unprivileged child failed");
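Review bot: In ssh_sandbox_child() the fatal() message for m_recvfd calls it the network socket, while the field name suggests the child's end of the monitor socketpair, and no descriptor for the client connection is limited at all; capability mode removes access to global namespaces but leaves every inherited descriptor (connection socket, stdio, anything else open) with whatever rights it already had unless cap_rights_limit() was applied to it. Either the message or the choice of descriptor should be corrected — `fatal("%s: failed to limit the monitor socket", __func__);` if m_recvfd is indeed the monitor end — after confirming which descriptor the preauth child uses for packet I/O. The function also deserves a header comment listing exactly which descriptors are restricted to which rights and stating that all other inherited descriptors are left untouched, so later privsep changes do not widen the sandbox unnoticed. child_pid is written by ssh_sandbox_parent_preauth() but never read in this file; if it is kept for symmetry with the other backends, a one-line comment saying so would pre-empt the question.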
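Review bot: The new `monitor` parameter of ssh_sandbox_init() is not referenced in the visible lines of the sandbox-darwin.c hunk, nor in the matching hunks for sandbox-null.c, sandbox-rlimit.c and sandbox-systrace.c; each of these functions continues past its hunk, so this is inferred, but if the remainder does not use it either, every non-Capsicum backend now carries an unused parameter. A `(void)monitor; /* only the Capsicum backend needs it */` at the top of each body, or a comment to that effect, makes the intent explicit for readers comparing backends.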
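Review bot: The changed prototype `struct ssh_sandbox *ssh_sandbox_init(struct monitor *);` in ssh-sandbox.h says nothing about what a backend may do with the pointer or how long it must stay valid, yet sandbox-capsicum.c stores it and dereferences box->monitor from ssh_sandbox_child(), i.e. in the forked child after init has returned. Suggest a comment above the prototype: `/* monitor: privsep monitor state; a backend may keep the pointer and restrict its descriptors from ssh_sandbox_child(), so it must remain valid for the sandbox's lifetime. */`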