IETF-SSH archive


RE: [saag] draft-kwatsen-reverse-ssh submission for review

> dfawcus%cisco.com@localhost writes: 
>
> The ssh protocols are largely symmetrical,  as I recall it should be possible
> to flip roles once transport has completed,  but before userauth or connection
> are started.

If the application (using nomenclature from the draft) logs into the device via userauth, then it follows that the device has to be the peer that presents its host-key during the Diffie-Hellman key exchange. Thus the role-flip has to occur either before the transport protocol begins, as proposed by this draft, or at the very beginning of the transport protocol (i.e. tap into the reserved uint32 in the SSH_MSG_KEXINIT message).

Whether the roles are negotiated in-band or flipped prior to the start of the SSH protocol, the goal is for the device to always be the SSH server and the application to always be the SSH client.


PS: BCC-ing SAAG list, per der Mouse's suggestion

Thanks,
Kent
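Added example (not from this thread, the draft, or any SSH implementation): a small Python encoder/decoder for the SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1. It shows where the trailing reserved uint32 that the message above refers to sits relative to the ten name-lists, including server_host_key_algorithms, the list the host-key-presenting peer draws from. Field names follow RFC 4253; any non-zero use of the reserved field is the hypothetical in-band negotiation discussed here, not standard behaviour, and all sample values are constructed.

```python
import os
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

def _name_list(names):
    """SSH name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(fields, first_kex_packet_follows=False, reserved=0, cookie=None):
    """Encode a KEXINIT payload: msg id, 16-byte cookie, ten name-lists, boolean, uint32."""
    cookie = os.urandom(16) if cookie is None else cookie
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    payload += b"".join(_name_list(fields.get(name, [])) for name in KEXINIT_FIELDS)
    payload += bytes([1 if first_kex_packet_follows else 0])
    # RFC 4253 sends 0 here ("reserved for future extension"); a role-negotiation
    # use of this field, as floated in the thread, is hypothetical.
    payload += struct.pack(">I", reserved)
    return payload

def parse_kexinit(payload):
    """Decode a KEXINIT payload and return its fields, including the reserved uint32."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, fields = 17, {}          # skip the message id and the 16-byte cookie
    for name in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated name-list: " + name)
        pos += n
        fields[name] = raw.decode("ascii").split(",") if raw else []
    first_follows = payload[pos] == 1
    (reserved,) = struct.unpack_from(">I", payload, pos + 1)
    if pos + 5 != len(payload):
        raise ValueError("trailing bytes after KEXINIT")
    return {"cookie": payload[1:17], "fields": fields,
            "first_kex_packet_follows": first_follows, "reserved": reserved}
```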