OpenSSH Key Storage

[Carson Gaspar]

If you want to bind identity to a server, you have only 2 valid options:

- Pass the server's identity in-band, and have the client use that when 
validating keys. This avoids a layering violation.
- Have the client validate the key against the layer 3/4 info - i.e. the 
IP:PORT pair.

Nothing else is sane. Servers on different ports are different servers, 
that may, or may not, have the same keys. Requiring config file gymnastics 
is bogus.

Sadly, after reading the RFC, it looks like the server never sends its name 
during the key exchange, making the first (and better) option impossible. I 
hope I'm wrong and just mis-understood the documents.

-- 
Carson