--- appl/rsh/rsh.c.orig
+++ b/appl/rsh/rsh.c
@@ -399,6 +399,8 @@
 
 #endif /* KRB5 */
 
+#ifdef BROKEN_AUTH
+
 static int
 send_broken_auth(int s,
 		 struct sockaddr *thisaddr,
@@ -428,6 +430,8 @@
     return 0;
 }
 
+#endif /* BROKEN_AUTH */
+
 static int
 proto (int s, int errsock,
        const char *hostname, const char *local_user, const char *remote_user,
@@ -629,6 +633,8 @@
     return res;
 }
 
+#ifdef BROKEN_AUTH
+
 static int
 doit_broken (int argc,
 	     char **argv,
@@ -702,6 +708,8 @@
     }
 }
 
+#endif
+
 #if defined(KRB5)
 static int
 doit (const char *hostname,
@@ -796,7 +804,9 @@
     { "protocol", 'P', arg_string,      &protocol_version_str,
       "Protocol version [krb5]", "protocol" },
 #endif
+#ifdef BROKEN_AUTH
     { "broken", 'K', arg_flag,		&use_only_broken, "Use only priv port" },
+#endif
 #if defined(KRB5)
     { "encrypt", 'x', arg_flag,		&do_encrypt,	"Encrypt connection" },
     { NULL, 	'z', arg_negative_flag,      &do_encrypt,
@@ -831,8 +841,10 @@
 int
 main(int argc, char **argv)
 {
+#ifdef BROKEN_AUTH
     int priv_port1, priv_port2;
     int priv_socket1, priv_socket2;
+#endif
     int argindex = 0;
     int error;
     struct addrinfo hints, *ai;
@@ -848,9 +860,11 @@
 #endif
     uid_t uid;
 
+#ifdef BROKEN_AUTH
     priv_port1 = priv_port2 = IPPORT_RESERVED-1;
     priv_socket1 = rresvport(&priv_port1);
     priv_socket2 = rresvport(&priv_port2);
+#endif
     uid = getuid ();
     if (setuid (uid) || (uid != 0 && setuid(0) == 0))
 	err (1, "setuid");
@@ -907,6 +921,7 @@
 
 #endif
 
+#ifdef BROKEN_AUTH
     if (use_only_broken) {
 #ifdef KRB5
 	use_v5 = 0;
@@ -918,6 +933,7 @@
 	    errx (1, "unable to bind reserved port: is rsh setuid root?");
 	use_broken = 0;
     }
+#endif
 
 #if defined(KRB5)
     if (do_encrypt == 1 && use_only_broken)
@@ -956,8 +972,10 @@
     }
 
     if (argindex == argc) {
+#ifdef BROKEN_AUTH
 	close (priv_socket1);
 	close (priv_socket2);
+#endif
 	argv[0] = "rlogin";
 	execvp ("rlogin", argv);
 	err (1, "execvp rlogin");
@@ -1004,6 +1022,7 @@
 	freeaddrinfo(ai);
     }
 #endif
+#ifdef BROKEN_AUTH
     if (ret && use_broken) {
 	memset (&hints, 0, sizeof(hints));
 	hints.ai_socktype = SOCK_STREAM;
@@ -1027,6 +1046,7 @@
 			   cmd, cmd_len);
 	freeaddrinfo(ai);
     }
+#endif
     free(cmd);
     return ret;
 }
--- appl/rsh/rshd.c.orig
+++ b/appl/rsh/rshd.c
@@ -131,6 +131,7 @@
     fatal(s, NULL, "%s too long", expl);
 }
 
+#ifdef BROKEN_AUTH
 static int
 recv_bsd_auth (int s, u_char *buf,
 	       struct sockaddr_in *thisaddr,
@@ -152,6 +153,7 @@
 	fatal(s, NULL, "Login incorrect.");
     return 0;
 }
+#endif
 
 #ifdef KRB5
 static int
@@ -658,10 +660,11 @@
 	/*
 	 * we only do reserved port for IPv4
 	 */
-
+#ifdef BROKEN_AUTH
 	if (erraddr->sa_family == AF_INET)
 	    errsock = rresvport (&priv_port);
 	else
+#endif
 	    errsock = socket (erraddr->sa_family, SOCK_STREAM, 0);
 	if (errsock < 0)
 	    syslog_and_die ("socket: %s", strerror(errno));
@@ -689,6 +692,7 @@
 		syslog_and_die ("unrecognized auth protocol: %x %x %x %x",
 				buf[0], buf[1], buf[2], buf[3]);
     } else {
+#ifdef BROKEN_AUTH
 	if(recv_bsd_auth (s, buf,
 			  (struct sockaddr_in *)thisaddr,
 			  (struct sockaddr_in *)thataddr,
@@ -702,6 +706,9 @@
 	    }
 	} else
 	    syslog_and_die("recv_bsd_auth failed");
+#else
+	syslog_and_die("recv_bsd_auth is disabled for security reasons");
+#endif
     }
 
     if (client_user == NULL || server_user == NULL || cmd == NULL)