What are we trying to solve here Unintended use of code If sshd pre-auth had a bug, we should not allow opening of new sockets or other complicated code sequences! sshd pre-auth is very carefully written to use only low-level calls Anything surprising should cause instant process death pledge() is a seatbelt