diff --git a/openssh-7.7p1-gssapi-new-unique.patch b/openssh-7.7p1-gssapi-new-unique.patch index 11ab6ee..3f46ac1 100644 --- a/openssh-7.7p1-gssapi-new-unique.patch +++ b/openssh-7.7p1-gssapi-new-unique.patch @@ -113,29 +113,12 @@ index a5a81ed2..63f877f2 100644 if (authctxt->krb5_user) { krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user); authctxt->krb5_user = NULL; -@@ -237,36 +287,188 @@ krb5_cleanup_proc(Authctxt *authctxt) +@@ -237,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt) } } -#ifndef HEIMDAL --krb5_error_code --ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { -- int tmpfd, ret, oerrno; -- char ccname[40]; -- mode_t old_umask; - -- ret = snprintf(ccname, sizeof(ccname), -- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); -- if (ret < 0 || (size_t)ret >= sizeof(ccname)) -- return ENOMEM; -- -- old_umask = umask(0177); -- tmpfd = mkstemp(ccname + strlen("FILE:")); -- oerrno = errno; -- umask(old_umask); -- if (tmpfd == -1) { -- logit("mkstemp(): %.100s", strerror(oerrno)); -- return oerrno; ++ +#if !defined(HEIMDAL) +int +ssh_asprintf_append(char **dsc, const char *fmt, ...) { @@ -200,9 +183,8 @@ index a5a81ed2..63f877f2 100644 + /* unknown token, fallback to the default */ + goto cleanup; + } - } - -- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { ++ } ++ + if (ssh_asprintf_append(&r, "%s", p_o) == -1) + goto cleanup; + @@ -216,7 +198,10 @@ index a5a81ed2..63f877f2 100644 + return -1; +} + -+krb5_error_code + krb5_error_code +-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { +- int tmpfd, ret, oerrno; +- char ccname[40]; +ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) { + profile_t p; + int ret = 0; 
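Review bot: `ssh_asprintf_append(char **dsc, const char *fmt, ...)` is introduced with external linkage and a printf-style variadic signature but no comment on its contract — whether it reallocates `*dsc`, who owns the result, and what it returns (the call site later in this diff only tests `== -1`). I would put a short header above it, along the lines of `/* Append printf-formatted text to the heap string *dsc, growing it in place; returns -1 on allocation/format failure. Caller owns and frees *dsc. */`, with the success value stated once the body confirms it. If the tree's other printf-style helpers carry `__attribute__((format(printf, 2, 3)))`, the same attribute here lets the compiler check callers' format strings against their arguments. The function body continues past the end of this hunk, so the return convention above is inferred from the `== -1` check, not verified.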
@@ -241,9 +226,22 @@ index a5a81ed2..63f877f2 100644 +ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) { + int tmpfd, ret, oerrno, type_len; + char *ccname = NULL; -+ mode_t old_umask; + mode_t old_umask; + char *type = NULL, *colon = NULL; -+ + +- ret = snprintf(ccname, sizeof(ccname), +- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); +- if (ret < 0 || (size_t)ret >= sizeof(ccname)) +- return ENOMEM; +- +- old_umask = umask(0177); +- tmpfd = mkstemp(ccname + strlen("FILE:")); +- oerrno = errno; +- umask(old_umask); +- if (tmpfd == -1) { +- logit("mkstemp(): %.100s", strerror(oerrno)); +- return oerrno; +- } + debug3("%s: called", __func__); + if (need_environment) + *need_environment = 0; @@ -258,7 +256,8 @@ index a5a81ed2..63f877f2 100644 + "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); + if (ret < 0) + return ENOMEM; -+ + +- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { + old_umask = umask(0177); + tmpfd = mkstemp(ccname + strlen("FILE:")); oerrno = errno; @@ -345,11 +344,10 @@ index 29491df9..fdab5040 100644 +krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *); #endif #endif -diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c -index 795992d9..0623a107 100644 ---- a/gss-serv-krb5.c -+++ b/gss-serv-krb5.c -@@ -114,7 +114,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) +diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c +--- openssh-7.9p1/gss-serv-krb5.c.ccache_name 2019-03-01 15:17:42.708611802 +0100 ++++ openssh-7.9p1/gss-serv-krb5.c 2019-03-01 15:17:42.713611844 +0100 +@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri /* This writes out any forwarded credentials from the structure populated * during userauth. Called after we have setuid to the user */ 
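Review bot: The new `ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment)` signature adds an out-parameter whose meaning is documented nowhere; this hunk only shows it being cleared (`if (need_environment) *need_environment = 0;`), so the case in which it becomes non-zero is inferred. I would add a header comment above the definition such as `/* Create a new unique ccache for the user. If need_environment is non-NULL it is set to 0 when the cache is reachable as the default cache and to 1 when the caller must export its name via KRB5CCNAME — confirm against the body. */`. The function body runs past the end of this hunk, so where the flag is actually set is not visible here.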
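Review bot: `ccname` is now a heap pointer (`char *ccname = NULL` in the preceding hunk) filled by the `"FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()` formatting call, so the `tmpfd == -1` path after `tmpfd = mkstemp(ccname + strlen("FILE:"))` must release it before returning — the stack-array version this hunk drops did not need to. That error path lies just beyond the end of this hunk, so I cannot confirm it does; if not, add `free(ccname);` before the `return oerrno;`. The `if (ret < 0) return ENOMEM;` early return is fine as written, assuming asprintf semantics where nothing is allocated on failure — worth confirming. The enclosing function both starts and ends outside this hunk.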
@@ -358,12 +356,9 @@ index 795992d9..0623a107 100644 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) { krb5_ccache ccache; -@@ -121,16 +121,17 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) - krb5_error_code problem; - krb5_principal princ; +@@ -276,14 +276,15 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl OM_uint32 maj_status, min_status; -- const char *new_ccname, *new_cctype; -+ int len; + const char *new_ccname, *new_cctype; const char *errmsg; + int set_env = 0; @@ -379,7 +374,7 @@ index 795992d9..0623a107 100644 #ifdef HEIMDAL # ifdef HAVE_KRB5_CC_NEW_UNIQUE -@@ -144,14 +145,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +@@ -297,14 +298,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl krb5_get_err_text(krb_context, problem)); # endif krb5_free_error_message(krb_context, errmsg); @@ -398,7 +393,7 @@ index 795992d9..0623a107 100644 } #endif /* #ifdef HEIMDAL */ -@@ -160,7 +161,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +@@ -313,7 +314,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl errmsg = krb5_get_error_message(krb_context, problem); logit("krb5_parse_name(): %.100s", errmsg); krb5_free_error_message(krb_context, errmsg); @@ -407,7 +402,7 @@ index 795992d9..0623a107 100644 } if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) { -@@ -169,7 +170,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +@@ -322,7 +323,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl krb5_free_error_message(krb_context, errmsg); krb5_free_principal(krb_context, princ); krb5_cc_destroy(krb_context, ccache); @@ -416,7 +411,7 @@ index 795992d9..0623a107 100644 } krb5_free_principal(krb_context, princ); -@@ -178,37 +179,27 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +@@ -331,29 +332,19 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl client->creds, ccache))) { logit("gss_krb5_copy_ccache() failed"); krb5_cc_destroy(krb_context, ccache); 
@@ -424,8 +419,8 @@ index 795992d9..0623a107 100644 + return 0; } -- new_cctype = krb5_cc_get_type(krb_context, ccache); -- new_ccname = krb5_cc_get_name(krb_context, ccache); + new_cctype = krb5_cc_get_type(krb_context, ccache); + new_ccname = krb5_cc_get_name(krb_context, ccache); - - client->store.envvar = "KRB5CCNAME"; -#ifdef USE_CCAPI @@ -433,21 +428,17 @@ index 795992d9..0623a107 100644 -#else - if (new_ccname[0] == ':') - new_ccname++; -- xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname); + xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname); - if (strcmp(new_cctype, "DIR") == 0) { - char *p; - p = strrchr(client->store.envval, '/'); - if (p) - *p = '\0'; -- } --#endif ++ + if (set_env) { -+ const char *filename = krb5_cc_get_name(krb_context, ccache); + client->store.envvar = "KRB5CCNAME"; -+ len = strlen(filename) + 6; -+ client->store.envval = xmalloc(len); -+ snprintf(client->store.envval, len, "FILE:%s", filename); -+ } + } +-#endif #ifdef USE_PAM - if (options.use_pam) @@ -455,7 +446,7 @@ index 795992d9..0623a107 100644 do_pam_putenv(client->store.envvar, client->store.envval); #endif - krb5_cc_close(krb_context, ccache); +@@ -361,7 +355,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl client->store.data = krb_context; 
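Review bot: `client->store.envval` is now filled unconditionally by the kept `xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);` while `client->store.envvar` is assigned only inside `if (set_env)`, so the two halves of `store` can disagree — a value with no variable name — and the next hunk still passes both to `do_pam_putenv(client->store.envvar, client->store.envval)`, where `envvar` would be NULL if that call is reachable with `set_env == 0` (the `if (options.use_pam)` guard this hunk removes is replaced by a line outside my view). The split looks deliberate, since the rekey check later in this diff tests `envval` alone, so I would make it explicit with a comment at the `if (set_env)` block: `/* envval always records the ccache name for rekey/cleanup; envvar is set only when the name must be exported via KRB5CCNAME. */`. Note also that with both the `new_ccname[0] == ':'` skip and the DIR-collection stripping removed, a DIR cache appears to be exported as `DIR::<file>` (residual with its leading ':' intact) rather than the collection directory — fine if intended, but worth a line in the commit message. ssh_gssapi_krb5_storecreds begins before and ends after this hunk.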
@@ -486,11 +477,20 @@ index 6cae720e..16e55cbc 100644 } /* This allows GSSAPI methods to do things to the childs environment based -diff --git a/servconf.c b/servconf.c -index cb578658..a6e01df2 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -122,6 +122,7 @@ initialize_server_options(ServerOptions *options) +@@ -496,8 +498,7 @@ ssh_gssapi_rekey_creds() { + char *envstr; + #endif + +- if (gssapi_client.store.envval == NULL && +- gssapi_client.store.envvar == NULL) ++ if (gssapi_client.store.envval == NULL) + return; + + ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store)); +diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c +--- openssh-7.9p1/servconf.c.ccache_name 2019-03-01 15:17:42.704611768 +0100 ++++ openssh-7.9p1/servconf.c 2019-03-01 15:17:42.713611844 +0100 +@@ -123,6 +123,7 @@ initialize_server_options(ServerOptions options->kerberos_or_local_passwd = -1; options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1;