diff --git a/ChangeLog b/ChangeLog
index 63beb9482..e9cb557d7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,9 @@
  - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that
    it gets the passwd struct from the LAM that knows about the user which is
    not necessarily the default.  Patch from Alexandre Letourneau.
+ - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and
+   do not set real uid, since that's needed for the chroot, and will be set
+   by permanently_set_uid.
 
 20100305
  - OpenBSD CVS Sync
diff --git a/session.c b/session.c
index fd7acbe03..8f978faa6 100644
--- a/session.c
+++ b/session.c
@@ -1530,6 +1530,24 @@ do_setusercontext(struct passwd *pw)
 		}
 # endif /* USE_LIBIAF */
 #endif
+#ifdef HAVE_SETPCRED
+		/*
+		 * If we have a chroot directory, we set all creds except real
+		 * uid which we will need for chroot.  If we don't have a
+		 * chroot directory, we don't override anything.
+		 */
+		{
+			char **creds, *chroot_creds[] =
+			    { "REAL_USER=root", NULL };
+
+			if (options.chroot_directory != NULL &&
+			    strcasecmp(options.chroot_directory, "none") != 0)
+				creds = chroot_creds;
+
+			if (setpcred(pw->pw_name, creds) == -1)
+				fatal("Failed to set process credentials");
+		}
+#endif /* HAVE_SETPCRED */
 
 		if (options.chroot_directory != NULL &&
 		    strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1542,10 +1560,6 @@ do_setusercontext(struct passwd *pw)
 			free(chroot_path);
 		}
 
-#ifdef HAVE_SETPCRED
-		if (setpcred(pw->pw_name, (char **)NULL) == -1)
-			fatal("Failed to set process credentials");
-#endif /* HAVE_SETPCRED */
 #ifdef HAVE_LOGIN_CAP
 		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
 			perror("unable to set user context (setuser)");