diff --git a/doc/changelog.txt b/doc/changelog.txt
index 5107e9b..bdc37f0 100644
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -2,6 +2,10 @@ For details, see the history as recorded in the git repository.
+Fixes:
+- pam_mount: avoid crash in sudo by not calling setenv() with NULL
+
+
 v1.27 (July 01 2009)
 ====================
 Changes:
diff --git a/src/pam_mount.c b/src/pam_mount.c
index 87262bd..73da556 100644
--- a/src/pam_mount.c
+++ b/src/pam_mount.c
@@ -451,7 +451,7 @@ PAM_EXTERN EXPORT_SYMBOL int pam_sm_open_session(pam_handle_t *pamh, int flags,
 {
 struct vol *vol;
 int ret;
- unsigned int krb5_set;
+ const char *krb5;
 char *system_authtok = NULL;
 const void *tmp;
 int getval;
@@ -464,11 +464,17 @@ PAM_EXTERN EXPORT_SYMBOL int pam_sm_open_session(pam_handle_t *pamh, int flags,
 w4rn(PACKAGE_STRING ": entering session stage\n");
 /*
+ * Environment variables set with setenv() only last while PAM is
+ * active, i.e. disappear when the shell is started. On the other hand,
+ * variabled fed to pam_putenv() are only visible once the shell
+ * started.
+ */
+ /*
 * Get the Kerberos CCNAME so we can make it available to the
 * mount command later on.
 */
- krb5_set = getenv("KRB5CCNAME") != NULL;
- if (setenv("KRB5CCNAME", pam_getenv(pamh, "KRB5CCNAME"), 1) < 0)
+ krb5 = pam_getenv(pamh, "KRB5CCNAME");
+ if (krb5 != NULL && setenv("KRB5CCNAME", krb5, true) < 0)
 l0g("KRB5CCNAME setenv failed\n");
 /* Store initialized config as PAM data */
@@ -545,7 +551,7 @@ PAM_EXTERN EXPORT_SYMBOL int pam_sm_open_session(pam_handle_t *pamh, int flags,
 }
 }
 memset(system_authtok, 0, strlen(system_authtok));
- if (krb5_set)
+ if (krb5 != NULL)
 unsetenv("KRB5CCNAME");
 modify_pm_count(&Config, Config.user, "1");
 envpath_restore();
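Review bot: The `setenv("KRB5CCNAME", krb5, true)` call in the second pam_mount.c hunk overwrites whatever value the host application (sudo, per the changelog entry) already had in its own process environment, and the last hunk's `if (krb5 != NULL) unsetenv("KRB5CCNAME");` then removes the variable instead of putting that value back. Since a PAM module changes the environment of the program that loaded it, I would save the previous `getenv("KRB5CCNAME")` result before overwriting and restore it at the end, using a new `char *krb5_prev = NULL;` local next to `krb5`. Return paths between the two hunks are not visible here; if any exist, they presumably leave the PAM-supplied value set and need the same restore. The new comment also has a typo, `variabled` for `variables`. pam_sm_open_session starts and ends outside these hunks.

```c
	krb5 = pam_getenv(pamh, "KRB5CCNAME");
	if (krb5 != NULL) {
		const char *prev = getenv("KRB5CCNAME");

		/* keep the host application's own value so it can be put back */
		krb5_prev = (prev != NULL) ? strdup(prev) : NULL;
		if (setenv("KRB5CCNAME", krb5, true) < 0)
			l0g("KRB5CCNAME setenv failed\n");
	}
	/* … unchanged: config storage, volume processing, authtok wipe … */
	if (krb5 != NULL) {
		/* restore the pre-module state rather than always removing it */
		if (krb5_prev != NULL)
			setenv("KRB5CCNAME", krb5_prev, true);
		else
			unsetenv("KRB5CCNAME");
		free(krb5_prev);
	}
```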
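Review bot: The context line `memset(system_authtok, 0, strlen(system_authtok));` just above the changed condition in the last hunk scrubs the auth token with a plain `memset`, which a compiler is allowed to drop when the buffer is not read again; what happens to the buffer afterwards is outside this hunk. Where the platform provides it, `explicit_bzero(system_authtok, strlen(system_authtok));` keeps the wipe in place. `system_authtok` is initialised to `NULL` in the first hunk, so unless the code in between guarantees an assignment (not visible here), the `strlen` call also wants an `if (system_authtok != NULL)` guard.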