diff --git a/appl/rsh/rsh.c b/appl/rsh/rsh.c
index 23e8dd155..f038bedb6 100644
--- a/appl/rsh/rsh.c
+++ b/appl/rsh/rsh.c
@@ -50,6 +50,17 @@ des_cblock iv;
 #endif
 int sock_debug	     = 0;
 
+#ifdef KRB4
+static int use_v4 = -1;
+#endif
+static int use_v5 = -1;
+static int use_only_broken = 0;
+static int use_broken = 1;
+static char *port_str;
+static const char *user;
+static int do_version;
+static int do_help;
+static int do_errsock = 1;
 
 /*
  *
@@ -151,7 +162,7 @@ send_krb4_auth(int s,
 			   (struct sockaddr_in *)thataddr,
 			   KCMD_VERSION);
     if (status != KSUCCESS) {
-	warnx ("%s: %s", hostname, krb_get_err_text(status));
+	warnx("%s: %s", hostname, krb_get_err_text(status));
 	return 1;
     }
     memcpy (iv, cred.session, sizeof(iv));
@@ -296,7 +307,7 @@ send_krb5_auth(int s,
 			    NULL,
 			    NULL);
     if (status) {
-	warnx ("%s: %s", hostname, krb5_get_err_text(context, status));
+	warnx("%s: %s", hostname, krb5_get_err_text(context, status));
 	return 1;
     }
 
@@ -595,11 +606,6 @@ doit_broken (int argc,
     int error;
     char portstr[NI_MAXSERV];
 
-    if (priv_socket1 < 0) {
-	warnx ("unable to bind reserved port: is rsh setuid root?");
-	return 1;
-    }
-
     memset (&hints, 0, sizeof(hints));
     hints.ai_socktype = SOCK_STREAM;
     hints.ai_protocol = IPPROTO_TCP;
@@ -692,6 +698,7 @@ doit (const char *hostname,
     struct addrinfo hints;
     int error;
     char portstr[NI_MAXSERV];
+    int socketfailed = 1;
     int ret;
 
     memset (&hints, 0, sizeof(hints));
@@ -711,10 +718,16 @@ doit (const char *hostname,
 	int errsock;
 
 	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
-	if (s < 0)
+	if (s < 0) 
 	    continue;
+	socketfailed = 0;
 	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
-	    warn ("connect(%s)", hostname);
+	    char addr[128];
+	    if(getnameinfo(a->ai_addr, a->ai_addrlen, 
+			   addr, sizeof(addr), NULL, 0, NI_NUMERICHOST) == 0)
+		warn ("connect(%s [%s])", hostname, addr);
+	    else
+		warn ("connect(%s)", hostname);
 	    close (s);
 	    continue;
 	}
@@ -756,29 +769,18 @@ doit (const char *hostname,
 	close (s);
 	return ret;
     }
-    warnx ("failed to contact %s", hostname);
+    if(socketfailed)
+	warnx ("failed to contact %s", hostname);
     freeaddrinfo (ai);
     return -1;
 }
 
-#ifdef KRB4
-static int use_v4 = -1;
-#endif
-static int use_v5 = -1;
-static int use_only_broken = 0;
-static int use_broken = 1;
-static char *port_str;
-static const char *user;
-static int do_version;
-static int do_help;
-static int do_errsock = 1;
-
 struct getargs args[] = {
 #ifdef KRB4
     { "krb4",	'4', arg_flag,		&use_v4,	"Use Kerberos V4" },
 #endif
     { "krb5",	'5', arg_flag,		&use_v5,	"Use Kerberos V5" },
-    { "broken", 'K', arg_flag,		&use_only_broken, "Use priv port" },
+    { "broken", 'K', arg_flag,		&use_only_broken, "Use only priv port" },
     { NULL,	'd', arg_flag,		&sock_debug, "Enable socket debugging" },
     { "input",	'n', arg_negative_flag,	&input,		"Close stdin" },
     { "encrypt", 'x', arg_flag,		&do_encrypt,	"Encrypt connection" },
@@ -853,6 +855,14 @@ main(int argc, char **argv)
 		&optind))
 	usage (1);
 
+    if (do_help)
+	usage (0);
+
+    if (do_version) {
+	print_version (NULL);
+	return 0;
+    }
+	
     if (do_forwardable == -1)
 	do_forwardable = krb5_config_get_bool (context, NULL,
 					       "libdefaults",
@@ -867,11 +877,15 @@ main(int argc, char **argv)
     else if (do_forward == 0)
 	do_forwardable = 0;
 
-    if (do_encrypt == -1)
-	do_encrypt = krb5_config_get_bool (context, NULL,
-					   "libdefaults",
-					   "encrypt",
-					   NULL);
+    if (do_encrypt == -1) {
+	/* we want to tell the -x flag from the default encryption
+           option */
+	if(!krb5_config_get_bool (context, NULL,
+				  "libdefaults",
+				  "encrypt",
+				  NULL))
+	    do_encrypt = 0;
+    }
 
     if (do_forwardable)
 	do_forward = 1;
@@ -890,14 +904,16 @@ main(int argc, char **argv)
 	use_v5 = 0;
     }
 
-    if (do_help)
-	usage (0);
-
-    if (do_version) {
-	print_version (NULL);
-	return 0;
+    if(priv_socket1 < 0) {
+	if (use_only_broken)
+	    errx ("unable to bind reserved port: is rsh setuid root?");
+	use_broken = 0;
     }
-	
+
+    if (do_encrypt == 1 && use_broken)
+	errx (1, "encryption not supported with old style authentication");
+
+
     if (do_unique_tkfile && unique_tkfile != NULL)
 	errx (1, "Only one of -u and -U allowed.");
 
@@ -956,7 +972,7 @@ main(int argc, char **argv)
 	user = local_user;
 
     cmd_len = construct_command(&cmd, argc - optind, argv + optind);
-
+    
     /*
      * Try all different authentication methods
      */
@@ -999,8 +1015,6 @@ main(int argc, char **argv)
 	else
 	    tmp_port = krb5_getportbyname(context, "shell", "tcp", 514);
 	auth_method = AUTH_BROKEN;
-	if (do_encrypt)
-	    errx (1, "encryption not supported with priv port authentication");
 	ret = doit_broken (argc, argv, host_index, host,
 			   user, local_user,
 			   tmp_port,