Index: server/common/patches/openssh-5.0p1-multihomed.patch
===================================================================
--- server/common/patches/openssh-5.0p1-multihomed.patch	(revision 760)
+++ server/common/patches/openssh-5.0p1-multihomed.patch	(revision 760)
@@ -0,0 +1,62 @@
+# OpenSSH multihomed patch
+#
+# Anders Kaseorg <andersk@mit.edu>
+# ported from 4.5 to 5.0 by Joe Presbrey <presbrey@mit.edu>
+diff -ur openssh-5.0p1.orig/gss-serv.c openssh-5.0p1/gss-serv.c
+--- openssh-5.0p1.orig/gss-serv.c	2008-05-20 00:00:00.000000000 -0400
++++ openssh-5.0p1/gss-serv.c	2008-05-20 00:00:00.000000000 -0400
+@@ -77,22 +77,11 @@
+ ssh_gssapi_acquire_cred(Gssctxt *ctx)
+ {
+ 	OM_uint32 status;
+-	char lname[MAXHOSTNAMELEN];
+ 	gss_OID_set oidset;
+ 
+ 	gss_create_empty_oid_set(&status, &oidset);
+ 	gss_add_oid_set_member(&status, ctx->oid, &oidset);
+ 
+-	if (gethostname(lname, MAXHOSTNAMELEN)) {
+-		gss_release_oid_set(&status, &oidset);
+-		return (-1);
+-	}
+-
+-	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+-		gss_release_oid_set(&status, &oidset);
+-		return (ctx->major);
+-	}
+-
+ 	if ((ctx->major = gss_acquire_cred(&ctx->minor,
+ 	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
+ 		ssh_gssapi_error(ctx);
+@@ -102,6 +102,8 @@
+ {
+ 	OM_uint32 status;
+ 	gss_OID mech;
++	gss_name_t acceptor_name = GSS_C_NO_NAME;
++	gss_buffer_desc acceptor_name_buffer = GSS_C_EMPTY_BUFFER;
+ 
+ 	ctx->major = gss_accept_sec_context(&ctx->minor,
+ 	    &ctx->context, ctx->creds, recv_tok,
+@@ -116,6 +118,22 @@
+ 	else
+ 		debug("Got no client credentials");
+ 
++	ctx->major = gss_inquire_context(&ctx->minor, ctx->context, NULL, &acceptor_name, NULL, NULL, NULL, NULL, NULL);
++
++	if (GSS_ERROR(ctx->major)) {
++		ssh_gssapi_error(ctx);
++	} else {
++		ctx->major = gss_display_name(&ctx->minor, acceptor_name, &acceptor_name_buffer, NULL);
++
++		if (GSS_ERROR(ctx->major)) {
++			ssh_gssapi_error(ctx);
++		} else if (acceptor_name_buffer.length < 5 || strncmp(acceptor_name_buffer.value, "host@", 5) != 0 && strncmp(acceptor_name_buffer.value, "host/", 5) != 0) {
++			debug("Accepting credential '%s' was not for the host service.", acceptor_name_buffer.value);
++			ctx->major = GSS_S_BAD_NAME;
++		} 
++	}
++	gss_release_buffer(&status, &acceptor_name_buffer);
++	gss_release_name(&status, &acceptor_name);
+ 	status = ctx->major;
+ 
+ 	/* Now, if we're complete and we have the right flags, then