On Monday, August 25, 2003 15:45:47 -0700 Joseph Salowey <jsalowey%cisco.com@localhost> wrote:
It would help, especially in the case of Kerberos. However, it does not completely solve the problem and I'm not sure it would help with other GSSAPI mechanisms (with some mechanisms this may not be a problem anyway). I think sending the Session ID in the MIC is a better solution.
So do I. The use of the "host" service name for ssh is appropriate, and is exactly the sort of usage for which that service name was designed. For some mechanisms, such as Kerberos, changing it to something else would effectively require maintaining a separate set of 'ssh' service keys for each machine in addition to the 'host' keys they already have, creating a key management problem where we had hoped to solve one. It would also create a significant interoperability problem with currently-deployed clients and servers.