diff --git a/openssh-5.8p1-audit4a.patch b/openssh-5.8p1-audit4a.patch
index e69de29..e6e6720 100644
--- a/openssh-5.8p1-audit4a.patch
+++ b/openssh-5.8p1-audit4a.patch
@@ -0,0 +1,79 @@
+diff -up openssh-5.8p1/packet.c.audit4a openssh-5.8p1/packet.c
+--- openssh-5.8p1/packet.c.audit4a 2011-03-08 08:52:12.000000000 +0100
++++ openssh-5.8p1/packet.c 2011-03-08 08:52:39.000000000 +0100
+@@ -473,6 +473,13 @@ packet_get_connection_out(void)
+ return active_state->connection_out;
+ }
+ 
++static int
++packet_state_has_keys (const struct session_state *state)
++{
++ return state != NULL &&
++ (state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
++}
++
+ /* Closes the connection and clears and frees internal data structures. */
+ 
+ void
+@@ -481,13 +488,6 @@ packet_close(void)
+ if (!active_state->initialized)
+ return;
+ active_state->initialized = 0;
+- if (active_state->connection_in == active_state->connection_out) {
+- shutdown(active_state->connection_out, SHUT_RDWR);
+- close(active_state->connection_out);
+- } else {
+- close(active_state->connection_in);
+- close(active_state->connection_out);
+- }
+ buffer_free(&active_state->input);
+ buffer_free(&active_state->output);
+ buffer_free(&active_state->outgoing_packet);
+@@ -496,9 +496,18 @@ packet_close(void)
+ buffer_free(&active_state->compression_buffer);
+ buffer_compress_uninit();
+ }
+- cipher_cleanup(&active_state->send_context);
+- cipher_cleanup(&active_state->receive_context);
+- audit_session_key_free(2);
++ if (packet_state_has_keys(active_state)) {
++ cipher_cleanup(&active_state->send_context);
++ cipher_cleanup(&active_state->receive_context);
++ audit_session_key_free(2);
++ }
++ if (active_state->connection_in == active_state->connection_out) {
++ shutdown(active_state->connection_out, SHUT_RDWR);
++ close(active_state->connection_out);
++ } else {
++ close(active_state->connection_in);
++ close(active_state->connection_out);
++ }
+ }
+ 
+ /* Sets remote side protocol flags. 
*/
+@@ -1945,13 +1954,6 @@ packet_destroy_state(struct session_stat
+ // memset(state, 0, sizeof(state));
+ }
+ 
+-static int
+-packet_state_has_keys (const struct session_state *state)
+-{
+- return state != NULL &&
+- (state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
+-}
+-
+ void
+ packet_destroy_all(int audit_it, int privsep)
+ {
+diff -up openssh-5.8p1/sshd.c.audit4a openssh-5.8p1/sshd.c
+--- openssh-5.8p1/sshd.c.audit4a 2011-03-08 08:53:02.000000000 +0100
++++ openssh-5.8p1/sshd.c 2011-03-08 08:55:23.000000000 +0100
+@@ -2033,7 +2033,7 @@ main(int ac, char **av)
+ do_authenticated(authctxt);
+ 
+ /* The connection has been terminated. */
+- packet_destroy_all(1, 0);
++ packet_destroy_all(1, 1);
+ 
+ packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
+ packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
diff --git a/openssh-5.8p1-audit5a.patch b/openssh-5.8p1-audit5a.patch
index e69de29..31a0dce 100644
--- a/openssh-5.8p1-audit5a.patch
+++ b/openssh-5.8p1-audit5a.patch
@@ -0,0 +1,11 @@
+diff -up openssh-5.8p1/sshd.c.audit5a openssh-5.8p1/sshd.c
+--- openssh-5.8p1/sshd.c.audit5a 2011-03-08 09:03:49.000000000 +0100
++++ openssh-5.8p1/sshd.c 2011-03-08 09:06:23.000000000 +0100
+@@ -2085,6 +2085,7 @@ main(int ac, char **av)
+ 
+ /* The connection has been terminated. */
+ packet_destroy_all(1, 1);
++ destroy_sensitive_data(1);
+ 
+ packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
+ packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
diff --git a/openssh-5.8p1-ldap.patch b/openssh-5.8p1-ldap.patch
index 0498021..d6bb196 100644
--- a/openssh-5.8p1-ldap.patch
+++ b/openssh-5.8p1-ldap.patch
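Review bot: In the second `packet_close()` hunk the two `cipher_cleanup()` calls now sit inside `if (packet_state_has_keys(active_state))`, so the send/receive cipher contexts are only torn down when a `newkeys` slot is populated; if any path initialises those contexts without setting `newkeys` (the protocol-1 key setup does not go through `newkeys`, as far as I recall — worth confirming), their key schedule is no longer wiped at close and stays in memory until exit, where the old code always cleared it. Unless the guard also exists to avoid a second `cipher_cleanup()` after `packet_destroy_all()` has already run (not visible in this hunk), keep the cleanups unconditional and guard only the audit call: `cipher_cleanup(&active_state->send_context);` `cipher_cleanup(&active_state->receive_context);` `if (packet_state_has_keys(active_state)) audit_session_key_free(2);`. Either way a one-line comment on the guard stating the actual reason (`/* keys may already have been destroyed and audited by packet_destroy_all() */`, if that is it) would save the next reader the same question. `packet_close()` starts before its hunks, and `packet_destroy_state()`/`packet_destroy_all()` in the later hunk are only partially shown.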
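Review bot: `destroy_sensitive_data(1);` is added with a bare literal directly under `packet_destroy_all(1, 1);`, and nothing in the hunk says what the argument selects; a short comment such as `/* 1: also emit the audit event for the destroyed keys -- confirm against the prototype */` would make the intent checkable at the call site. Placing it after `packet_destroy_all()` and before the byte counters are read looks intended, but it is worth confirming that the other termination paths of `main()` (not shown here) reach an equivalent call so that host key material is wiped and audited consistently rather than only on this path. `main()` extends well beyond the hunk on both sides.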
@@ -117,7 +117,7 @@ diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys
 +2) add appropriate schema
 +3) insert users into LDAP
 +4) on the ssh side set in sshd_config
-+AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
++AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
 +AuthorizedKeysCommandRunAs
 +5) do not forget to set
 +PubkeyAuthentication yes
@@ -2262,7 +2262,7 @@ diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk
 +
 + 2 tokens are added to sshd_config :
 + # here is the new patched ldap related tokens
-+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper -s %u
++ AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
 + AuthorizedKeysCommandRunAs nobody
 +
 + The LDAP configuratin is read from common /etc/ldap.conf configuration file.
diff --git a/openssh.spec b/openssh.spec
index 6300d54..b913f3d 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -71,7 +71,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.8p1
-%define openssh_rel 15
+%define openssh_rel 16
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 30
@@ -652,6 +652,9 @@ fi
 %endif
 %changelog
+* Tue Mar 8 2011 Jan F. Chadima - 5.8p1-16 + 0.9.2-30
+- improve session keys audit
+
 * Mon Mar 7 2011 Jan F. Chadima - 5.8p1-15 + 0.9.2-30
 - CVE-2010-4755