--- session.c.orig	2017-10-12 11:52:52.953370000 -0700
+++ session.c	2017-10-12 11:53:40.793055000 -0700
@@ -1062,36 +1062,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
 	if (getenv("TZ"))
 		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
 
-#ifdef __ANDROID__
-{
-#define COPY_ANDROID_ENV(name)	{			\
-	char *s = getenv(name);				\
-	if (s)	child_set_env(&env, &envsize, name, s); }
-
-	/* from /init.rc */
-	COPY_ANDROID_ENV("ANDROID_BOOTLOGO");
-	COPY_ANDROID_ENV("ANDROID_ROOT");
-	COPY_ANDROID_ENV("ANDROID_ASSETS");
-	COPY_ANDROID_ENV("ANDROID_DATA");
-	COPY_ANDROID_ENV("ASEC_MOUNTPOINT");
-	COPY_ANDROID_ENV("LOOP_MOUNTPOINT");
-	COPY_ANDROID_ENV("BOOTCLASSPATH");
-
-	/* FIXME: keep android property workspace open
-	 * (see openbsd-compat/bsd-closefrom.c)
-	 */
-	COPY_ANDROID_ENV("ANDROID_PROPERTY_WORKSPACE");
-
-	COPY_ANDROID_ENV("EXTERNAL_STORAGE");		/* ??? */
-	COPY_ANDROID_ENV("SECONDARY_STORAGE");		/* ??? */
-	COPY_ANDROID_ENV("SD_EXT_DIRECTORY");		/* ??? */
-
-	/* may contain path to custom libraries */
-	COPY_ANDROID_ENV("LD_LIBRARY_PATH");
-#undef COPY_ANDROID_ENV
-}
-#endif
-
 	/* Set custom environment options from pubkey authentication. */
 	if (options.permit_user_env) {
 		for (n = 0 ; n < auth_opts->nenv; n++) {
--- sshd_config.5.orig	2017-10-12 11:51:06.638814000 -0700
+++ sshd_config.5	2017-10-12 11:51:33.780459000 -0700
@@ -1682,7 +1682,57 @@ is set to
 then the pre-authentication unprivileged process is subject to additional
 restrictions.
 The default is
-.Cm sandbox .
+.Cm no .
+.It Cm VersionAddendum
+Optionally specifies additional text to append to the SSH protocol banner
+sent by the server upon connection.
+The default is
+.Cm none .
+.It Cm X11DisplayOffset
+Specifies the first display number available for
+.Xr sshd 8 Ns 's
+X11 forwarding.
+This prevents sshd from interfering with real X11 servers.
+The default is 10.
+.It Cm X11Forwarding
+Specifies whether X11 forwarding is permitted.
+The argument must be
+.Cm yes
+or
+.Cm no .
+The default is
+.Cm no .
+.Pp
+When X11 forwarding is enabled, there may be additional exposure to
+the server and to client displays if the
+.Xr sshd 8
+proxy display is configured to listen on the wildcard address (see
+.Cm X11UseLocalhost ) ,
+though this is not the default.
+Additionally, the authentication spoofing and authentication data
+verification and substitution occur on the client side.
+The security risk of using X11 forwarding is that the client's X11
+display server may be exposed to attack when the SSH client requests
+forwarding (see the warnings for
+.Cm ForwardX11
+in
+.Xr ssh_config 5 ) .
+A system administrator may have a stance in which they want to
+protect clients that may expose themselves to attack by unwittingly
+requesting X11 forwarding, which can warrant a
+.Cm no
+setting.
+.Pp
+Note that disabling X11 forwarding does not prevent users from
+forwarding X11 traffic, as users can always install their own forwarders.
+.It Cm X11UseLocalhost
+Specifies whether
+.Xr sshd 8
+should bind the X11 forwarding server to the loopback address or to
+the wildcard address.
+By default,
+sshd binds the forwarding server to the loopback address and sets the
+hostname part of the
 .It Cm VACertificateFile
 File with X.509 certificates in PEM format concatenated together.
 In use when
@@ -1735,56 +1785,6 @@ URL of the OCSP provider. In use when
 .Cm VAType
 is set to
 .Cm ocspspec .
-.It Cm VersionAddendum
-Optionally specifies additional text to append to the SSH protocol banner
-sent by the server upon connection.
-The default is
-.Cm none .
-.It Cm X11DisplayOffset
-Specifies the first display number available for
-.Xr sshd 8 Ns 's
-X11 forwarding.
-This prevents sshd from interfering with real X11 servers.
-The default is 10.
-.It Cm X11Forwarding
-Specifies whether X11 forwarding is permitted.
-The argument must be
-.Cm yes
-or
-.Cm no .
-The default is
-.Cm no .
-.Pp
-When X11 forwarding is enabled, there may be additional exposure to
-the server and to client displays if the
-.Xr sshd 8
-proxy display is configured to listen on the wildcard address (see
-.Cm X11UseLocalhost ) ,
-though this is not the default.
-Additionally, the authentication spoofing and authentication data
-verification and substitution occur on the client side.
-The security risk of using X11 forwarding is that the client's X11
-display server may be exposed to attack when the SSH client requests
-forwarding (see the warnings for
-.Cm ForwardX11
-in
-.Xr ssh_config 5 ) .
-A system administrator may have a stance in which they want to
-protect clients that may expose themselves to attack by unwittingly
-requesting X11 forwarding, which can warrant a
-.Cm no
-setting.
-.Pp
-Note that disabling X11 forwarding does not prevent users from
-forwarding X11 traffic, as users can always install their own forwarders.
-.It Cm X11UseLocalhost
-Specifies whether
-.Xr sshd 8
-should bind the X11 forwarding server to the loopback address or to
-the wildcard address.
-By default,
-sshd binds the forwarding server to the loopback address and sets the
-hostname part of the
 .Ev DISPLAY
 environment variable to
 .Cm localhost .
