I would like to suggest that the amandad program, when operating in SSH authentication mode, be able to be passed the authenticated hostname as a command-line parameter. It would still do all the same checks that it already does, just that if those checks return a different hostname than that passed on the command line, it would fail. The use case here is that the command field in the authorized_keys file could then yield a cryptographically strong binding between peer key and authenticated hostname. In the absence of the command field, certainly the remote machine could provide a fake hostname (since it would then be able to specify a command line of its own choice), but this would not give it any additional privileges because, as I said earlier, it would still perform all the usual hostname checks, failing if any of them did not match the value passed on the command line.

I believe this would be the easiest way to achieve a cryptographically strong verification of a peer’s claimed hostname in an SSH-equipped environment. Thoughts?