diff --git a/ChangeLog b/ChangeLog
index 513b0f109..7ee25f842 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,10 @@
    - markus@cvs.openbsd.org 2003/07/03 08:24:13
      [regress/Makefile]
      enable tests for dynamic fwd via socks (-D), uses nc(1)
+   - djm@cvs.openbsd.org 2003/07/03 08:09:06
+     [readconf.c readconf.h ssh-keysign.c ssh.c]
+     fix AddressFamily option in config file, from brent@graveland.net;
+     ok markus@
 
 20030630
  - (djm) Search for support functions necessary to build our 
@@ -650,4 +654,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2843 2003/07/03 10:27:55 dtucker Exp $
+$Id: ChangeLog,v 1.2844 2003/07/03 10:37:47 dtucker Exp $
diff --git a/readconf.c b/readconf.c
index a01d7a33e..3c08f7638 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.113 2003/06/26 20:08:33 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.114 2003/07/03 08:09:05 djm Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -288,7 +288,6 @@ process_config_line(Options *options, const char *host,
 	size_t len;
 	u_short fwd_port, fwd_host_port;
 	char sfwd_host_port[6];
-	extern int IPv4or6;
 
 	/* Strip trailing whitespace */
 	for(len = strlen(line) - 1; len > 0; len--) {
@@ -727,14 +726,17 @@ parse_int:
 
 	case oAddressFamily:
 		arg = strdelim(&s);
+		intptr = &options->address_family;
 		if (strcasecmp(arg, "inet") == 0)
-			IPv4or6 = AF_INET;
+			value = AF_INET;
 		else if (strcasecmp(arg, "inet6") == 0)
-			IPv4or6 = AF_INET6;
+			value = AF_INET6;
 		else if (strcasecmp(arg, "any") == 0)
-			IPv4or6 = AF_UNSPEC;
+			value = AF_UNSPEC;
 		else
 			fatal("Unsupported AddressFamily \"%s\"", arg);
+		if (*activep && *intptr == -1)
+			*intptr = value;
 		break;
 
 	case oEnableSSHKeysign:
@@ -839,6 +841,7 @@ initialize_options(Options * options)
 	options->keepalives = -1;
 	options->compression_level = -1;
 	options->port = -1;
+	options->address_family = -1;
 	options->connection_attempts = -1;
 	options->connection_timeout = -1;
 	options->number_of_password_prompts = -1;
@@ -926,6 +929,8 @@ fill_default_options(Options * options)
 		options->compression_level = 6;
 	if (options->port == -1)
 		options->port = 0;	/* Filled in ssh_connect. */
+	if (options->address_family == -1)
+		options->address_family = AF_UNSPEC;
 	if (options->connection_attempts == -1)
 		options->connection_attempts = 1;
 	if (options->number_of_password_prompts == -1)
diff --git a/readconf.h b/readconf.h
index c884de68b..4e0b74318 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: readconf.h,v 1.50 2003/05/15 14:55:25 djm Exp $	*/
+/*	$OpenBSD: readconf.h,v 1.51 2003/07/03 08:09:06 djm Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -58,6 +58,7 @@ typedef struct {
 	LogLevel log_level;	/* Level for logging. */
 
 	int     port;		/* Port to connect. */
+	int     address_family;
 	int     connection_attempts;	/* Max attempts (seconds) before
 					 * giving up */
 	int     connection_timeout;	/* Max time (seconds) before
diff --git a/ssh-keysign.c b/ssh-keysign.c
index 063364ee7..c7ca5c4e4 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -22,7 +22,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.12 2003/05/16 03:27:12 djm Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.13 2003/07/03 08:09:06 djm Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/rand.h>
@@ -44,7 +44,6 @@ RCSID("$OpenBSD: ssh-keysign.c,v 1.12 2003/05/16 03:27:12 djm Exp $");
 
 /* XXX readconf.c needs these */
 uid_t original_real_uid;
-int IPv4or6;
 
 #ifdef HAVE___PROGNAME
 extern char *__progname;
diff --git a/ssh.c b/ssh.c
index a86f9204f..1f1f06834 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.195 2003/07/02 20:37:48 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.196 2003/07/03 08:09:06 djm Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -79,10 +79,6 @@ extern char *__progname;
 char *__progname;
 #endif
 
-/* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
-   Default value is AF_UNSPEC means both IPv4 and IPv6. */
-int IPv4or6 = AF_UNSPEC;
-
 /* Flag indicating whether debug mode is on.  This can be set on the command line. */
 int debug_flag = 0;
 
@@ -280,10 +276,10 @@ again:
 			options.protocol = SSH_PROTO_2;
 			break;
 		case '4':
-			IPv4or6 = AF_INET;
+			options.address_family = AF_INET;
 			break;
 		case '6':
-			IPv4or6 = AF_INET6;
+			options.address_family = AF_INET6;
 			break;
 		case 'n':
 			stdin_null_flag = 1;
@@ -514,7 +510,6 @@ again:
 
 	SSLeay_add_all_algorithms();
 	ERR_load_crypto_strings();
-	channel_set_af(IPv4or6);
 
 	/* Initialize the command to execute on remote host. */
 	buffer_init(&command);
@@ -586,6 +581,8 @@ again:
 	/* Fill configuration defaults. */
 	fill_default_options(&options);
 
+	channel_set_af(options.address_family);
+
 	/* reinit */
 	log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1);
 
@@ -621,8 +618,8 @@ again:
 	}
 	/* Open a connection to the remote host. */
 
-	if (ssh_connect(host, &hostaddr, options.port, IPv4or6,
-	    options.connection_attempts,
+	if (ssh_connect(host, &hostaddr, options.port,
+	    options.address_family, options.connection_attempts,
 #ifdef HAVE_CYGWIN
 	    options.use_privileged_port,
 #else