diff --git a/TODO b/TODO
index c737c5157cf087a01ff8ce7285e69893191a79cc..9807f599b45903ebb37acbc4ab959e348a557781 100644
--- a/TODO
+++ b/TODO
@@ -2,6 +2,8 @@ Current:
 
 Things which might need doing:
 
+- default private dbclient keys
+
 - Make options.h generated from configure perhaps?
 
 - Improved queueing of unauthed connections
diff --git a/auth.h b/auth.h
index 399db2d8f0bf98fd3e51921dc9fca5868b7370c1..548e0174a7ba07c13e33687f040b5f3f87511b1e 100644
--- a/auth.h
+++ b/auth.h
@@ -84,13 +84,13 @@ struct AuthState {
 
 };
 
-struct PubkeyList;
-/* A singly linked list of pubkeys */
-struct PubkeyList {
+struct SignKeyList;
+/* A singly linked list of signing keys */
+struct SignKeyList {
 
 	sign_key *key;
 	int type; /* The type of key */
-	struct PubkeyList *next;
+	struct SignKeyList *next;
 	/* filename? or the buffer? for encrypted keys, so we can later get
 	 * the private key portion */
 
diff --git a/cli-authpubkey.c b/cli-authpubkey.c
index 61b17d9822b58b79277b6f7919f3d99b22a83f36..9d36bc38c475ef0b846b196362593305519e5da8 100644
--- a/cli-authpubkey.c
+++ b/cli-authpubkey.c
@@ -38,29 +38,29 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign);
  * We use it to remove the key we tried from the list */
 void cli_pubkeyfail() {
 
-	struct PubkeyList *keyitem;
-	struct PubkeyList **previtem;
+	struct SignKeyList *keyitem;
+	struct SignKeyList **previtem;
 
 	TRACE(("enter cli_pubkeyfail"))
-	previtem = &cli_opts.pubkeys;
+	previtem = &cli_opts.privkeys;
 
 	/* Find the key we failed with, and remove it */
-	for (keyitem = cli_opts.pubkeys; keyitem != NULL; keyitem = keyitem->next) {
-		if (keyitem == cli_ses.lastpubkey) {
+	for (keyitem = cli_opts.privkeys; keyitem != NULL; keyitem = keyitem->next) {
+		if (keyitem == cli_ses.lastprivkey) {
 			*previtem = keyitem->next;
 		}
 		previtem = &keyitem;
 	}
 
-	sign_key_free(cli_ses.lastpubkey->key); /* It won't be used again */
-	m_free(cli_ses.lastpubkey);
+	sign_key_free(cli_ses.lastprivkey->key); /* It won't be used again */
+	m_free(cli_ses.lastprivkey);
 
 	TRACE(("leave cli_pubkeyfail"))
 }
 
 void recv_msg_userauth_pk_ok() {
 
-	struct PubkeyList *keyitem;
+	struct SignKeyList *keyitem;
 	buffer* keybuf;
 	char* algotype = NULL;
 	unsigned int algolen;
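Review bot: In `cli_pubkeyfail`, the context line `previtem = &keyitem;` takes the address of the loop variable instead of the current node's link, so the unlink only works when the failed key is the head of `cli_opts.privkeys`. For any later node, `*previtem = keyitem->next` overwrites `keyitem` itself. The node stays linked and is then released by `m_free(cli_ses.lastprivkey)`, leaving a dangling entry that the loops over `cli_opts.privkeys` in `recv_msg_userauth_pk_ok` and `cli_auth_pubkey` can reach. If the failed key was the last node, the loop increment also dereferences NULL. Since the rename touches these lines anyway, I would change the advance to `previtem = &keyitem->next;`, add `break;` right after the unlink, and set `cli_ses.lastprivkey = NULL;` after the `m_free` so the stale pointer cannot be freed twice. `cli_pubkeyfail` is fully visible in this hunk; `recv_msg_userauth_pk_ok` continues outside it.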
@@ -80,7 +80,7 @@ void recv_msg_userauth_pk_ok() {
 
 	/* Iterate through our keys, find which one it was that matched, and
 	 * send a real request with that key */
-	for (keyitem = cli_opts.pubkeys; keyitem != NULL; keyitem = keyitem->next) {
+	for (keyitem = cli_opts.privkeys; keyitem != NULL; keyitem = keyitem->next) {
 
 		if (keyitem->type != keytype) {
 			/* Types differed */
@@ -172,11 +172,11 @@ int cli_auth_pubkey() {
 
 	TRACE(("enter cli_auth_pubkey"))
 
-	if (cli_opts.pubkeys != NULL) {
+	if (cli_opts.privkeys != NULL) {
 		/* Send a trial request */
-		send_msg_userauth_pubkey(cli_opts.pubkeys->key,
-				cli_opts.pubkeys->type, 0);
-		cli_ses.lastpubkey = cli_opts.pubkeys;
+		send_msg_userauth_pubkey(cli_opts.privkeys->key,
+				cli_opts.privkeys->type, 0);
+		cli_ses.lastprivkey = cli_opts.privkeys;
 		TRACE(("leave cli_auth_pubkey-success"))
 		return 1;
 	} else {
diff --git a/cli-runopts.c b/cli-runopts.c
index 0f5c67c4c969316c7523f15574623b8008b65098..285c51d60f33fc1742e51d563d0ede05573b4ad8 100644
--- a/cli-runopts.c
+++ b/cli-runopts.c
@@ -89,7 +89,7 @@ void cli_getopts(int argc, char ** argv) {
 	cli_opts.cmd = NULL;
 	cli_opts.wantpty = 9; /* 9 means "it hasn't been touched", gets set later */
 #ifdef ENABLE_CLI_PUBKEY_AUTH
-	cli_opts.pubkeys = NULL;
+	cli_opts.privkeys = NULL;
 #endif
 #ifdef ENABLE_CLI_LOCALTCPFWD
 	cli_opts.localfwds = NULL;
@@ -271,7 +271,7 @@ void cli_getopts(int argc, char ** argv) {
 #ifdef ENABLE_CLI_PUBKEY_AUTH
 static void loadidentityfile(const char* filename) {
 
-	struct PubkeyList * nextkey;
+	struct SignKeyList * nextkey;
 	sign_key *key;
 	int keytype;
 
@@ -284,11 +284,11 @@ static void loadidentityfile(const char* filename) {
 
 	} else {
 
-		nextkey = (struct PubkeyList*)m_malloc(sizeof(struct PubkeyList));
+		nextkey = (struct SignKeyList*)m_malloc(sizeof(struct SignKeyList));
 		nextkey->key = key;
-		nextkey->next = cli_opts.pubkeys;
+		nextkey->next = cli_opts.privkeys;
 		nextkey->type = keytype;
-		cli_opts.pubkeys = nextkey;
+		cli_opts.privkeys = nextkey;
 	}
 }
 #endif
diff --git a/cli-session.c b/cli-session.c
index 0ac120e40ecc3cf057d966513ce526db2856c7cd..8b58526b4d4d14445c10bcaeb714cc13f1ee39f9 100644
--- a/cli-session.c
+++ b/cli-session.c
@@ -126,7 +126,7 @@ static void cli_session_init() {
 									  specific exit status */
 
 	/* Auth */
-	cli_ses.lastpubkey = NULL;
+	cli_ses.lastprivkey = NULL;
 	cli_ses.lastauthtype = 0;
 
 	/* For printing "remote host closed" for the user */
diff --git a/runopts.h b/runopts.h
index 9597ac07c49d956054faa92f56a38ab830341831..3d589e7bd8f246173590a287a93a2ca6281ff171 100644
--- a/runopts.h
+++ b/runopts.h
@@ -95,7 +95,7 @@ typedef struct cli_runopts {
 	char *cmd;
 	int wantpty;
 #ifdef ENABLE_CLI_PUBKEY_AUTH
-	struct PubkeyList *pubkeys; /* Keys to use for public-key auth */
+	struct SignKeyList *privkeys; /* Keys to use for public-key auth */
 #endif
 #ifdef ENABLE_CLI_REMOTETCPFWD
 	struct TCPFwdList * remotefwds;
diff --git a/session.h b/session.h
index 90efb0778ebd785610dbc6fe1f79565b5b825776..2dbc7f8c86680db18ff16b94c0a5e874ace07a91 100644
--- a/session.h
+++ b/session.h
@@ -211,7 +211,6 @@ struct clientsession {
 	mp_int *dh_e, *dh_x; /* Used during KEX */
 	cli_kex_state kex_state; /* Used for progressing KEX */
 	cli_state state; /* Used to progress auth/channelsession etc */
-	int something; /* XXX */
 	unsigned donefirstkex : 1; /* Set when we set sentnewkeys, never reset */
 
 	int tty_raw_mode; /* Whether we're in raw mode (and have to clean up) */
@@ -227,7 +226,7 @@ struct clientsession {
 
 	int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
 						 for the last type of auth we tried */
-	struct PubkeyList *lastpubkey;
+	struct SignKeyList *lastprivkey;
 
 	int retval; /* What the command exit status was - we emulate it */
 #if 0