apply unveil(2) to 'got clone'
diff --git a/got/got.c b/got/got.c
index a4c3339..294153f 100644
--- a/got/got.c
+++ b/got/got.c
@@ -1121,6 +1121,17 @@ cmd_clone(int argc, char *argv[])
if (error)
goto done;
+ if (strcmp(proto, "git+ssh") == 0 || strcmp(proto, "ssh") == 0) {
+ if (unveil(GOT_FETCH_PATH_SSH, "x") != 0) {
+ error = got_error_from_errno2("unveil",
+ GOT_FETCH_PATH_SSH);
+ goto done;
+ }
+ }
+ error = apply_unveil(got_repo_get_path(repo), 0, NULL);
+ if (error)
+ goto done;
+
error = got_fetch_connect(&fetchfd, proto, host, port, server_path);
if (error)
goto done;
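Review bot: The scheme test in the added block of cmd_clone repeats a decision that got_fetch_connect presumably makes again when it selects the ssh transport, and nothing in the code ties the two together. If the set of schemes that reach dial_ssh ever differs from this `strcmp` pair, the later exec of GOT_FETCH_PATH_SSH would fail because the path was never unveiled. A comment above the block would record both the coupling and the ordering, for example `/* ssh must be unveiled before apply_unveil(); keep in sync with got_fetch_connect() */`. That wording assumes apply_unveil finishes by locking further unveil calls, which is not visible here. cmd_clone starts and ends outside this hunk.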
diff --git a/include/got_fetch.h b/include/got_fetch.h
index f81637b..c7d34a7 100644
--- a/include/got_fetch.h
+++ b/include/got_fetch.h
@@ -18,6 +18,10 @@
#define GOT_DEFAULT_GIT_PORT 9418
#define GOT_DEFAULT_GIT_PORT_STR "9418"
+#ifndef GOT_FETCH_PATH_SSH
+#define GOT_FETCH_PATH_SSH "/usr/bin/ssh"
+#endif
+
/*
* Attempt to parse a URI into the following parts:
* A protocol scheme, hostname, port number (as a string), path on server,
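Review bot: GOT_FETCH_PATH_SSH can be overridden at build time, but nothing documents that it has to be an absolute path. The value is passed both to unveil(2) in cmd_clone and to execl() in dial_ssh, and execl() does no PATH search, so a relative override would resolve against the current working directory. I would add a comment above the `#ifndef`: `/* Absolute path to ssh(1); unveiled with "x" and passed to execl(), never looked up in PATH. */`.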
diff --git a/lib/fetch.c b/lib/fetch.c
index 5ba32f3..f5838d2 100644
--- a/lib/fetch.c
+++ b/lib/fetch.c
@@ -108,8 +108,9 @@ dial_ssh(int *fetchfd, const char *host, const char *port, const char *path,
n = snprintf(cmd, sizeof(cmd), "git-%s-pack", direction);
if (n < 0 || n >= sizeof(cmd))
err(1, "snprintf");
- if (execlp("ssh", "ssh", host, cmd, path, NULL) == -1)
- err(1, "execlp");
+ if (execl(GOT_FETCH_PATH_SSH, GOT_FETCH_PATH_SSH,
+ host, cmd, path, NULL) == -1)
+ err(1, "execl");
abort(); /* not reached */
} else {
close(pfd[0]);
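Review bot: The new `execl` call still passes `host` to ssh as a bare argument, so a host string beginning with `-` would be read by ssh as an option instead of a destination. Whether the URI parser already rejects such hosts is not visible in this hunk. If it does not, either reject them before the fork or end option parsing explicitly with `execl(GOT_FETCH_PATH_SSH, GOT_FETCH_PATH_SSH, "--", host, cmd, path, (char *)NULL)`. The `(char *)NULL` cast is a separate small fix, since a bare `NULL` sentinel in a variadic call is not guaranteed to be pointer-sized. dial_ssh begins and continues outside the hunk.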
diff --git a/lib/privsep.c b/lib/privsep.c
index d271eda..d53de88 100644
--- a/lib/privsep.c
+++ b/lib/privsep.c
@@ -2216,6 +2216,8 @@ got_privsep_unveil_exec_helpers(void)
GOT_PATH_PROG_READ_BLOB,
GOT_PATH_PROG_READ_TAG,
GOT_PATH_PROG_READ_GITCONFIG,
+ GOT_PATH_PROG_FETCH_PACK,
+ GOT_PATH_PROG_INDEX_PACK,
};
int i;