> SSH will be more secure against those not knowing how to spoof
> usernames and against those giving their keys away if it can limit
> the use of keys only to specific users.

A client username check is nearly or totally useless for RSA authentication; you have no assurance that the client username is accurate (if it is even provided by the protocol with RSA authentication). A hostname check is potentially useful if done carefully (i.e. without trusting PTR records in the DNS), since it's mildly hard to spoof TCP and DNS. But it's still not very strong.

> Looking at it from another view, will such a patch /decrease/ SSH
> security?

Yes, it will. Any increase in the complexity of a security system decreases its security. Maybe this patch wouldn't immediately add vulnerabilities to ssh, but it would incrementally decrease the maintainers' ability to prevent vulnerabilities in the future.
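The caveat above about not trusting PTR records, as an added illustration that is not part of the thread or of any ssh patch: a naive hostname check that believes the reverse record, next to a forward-confirmed check that requires the PTR name to resolve back to the connecting address. The DNS data is a constructed table standing in for real resolver lookups.

```python
# Constructed DNS data for the demo (not real zones). The PTR for
# 198.51.100.7 claims a trusted name, which anyone controlling that
# reverse zone can do; the forward zone does not agree.
CONSTRUCTED_DNS = {
    "ptr": {                                   # address -> claimed name
        "192.0.2.10": "trusted.example.org",   # honest host
        "198.51.100.7": "trusted.example.org", # spoofed PTR
    },
    "a": {                                     # name -> addresses
        "trusted.example.org": {"192.0.2.10"},
    },
}


def _norm(name):
    """Normalise a DNS name: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def ptr_lookup(addr, dns=CONSTRUCTED_DNS):
    name = dns["ptr"].get(addr)
    return _norm(name) if name else None


def a_lookup(name, dns=CONSTRUCTED_DNS):
    return dns["a"].get(_norm(name), set())


def naive_hostname_check(addr, allowed_hosts, dns=CONSTRUCTED_DNS):
    """Trusts the PTR record alone: accepts whatever name the reverse
    zone owner chose to publish."""
    name = ptr_lookup(addr, dns)
    return name is not None and name in {_norm(h) for h in allowed_hosts}


def fcrdns_hostname_check(addr, allowed_hosts, dns=CONSTRUCTED_DNS):
    """Forward-confirmed reverse DNS: the PTR name must be on the allow
    list AND must resolve forward to the connecting address. A spoofed
    PTR fails the second condition unless the attacker also controls
    the forward zone of the trusted name."""
    name = ptr_lookup(addr, dns)
    if name is None or name not in {_norm(h) for h in allowed_hosts}:
        return False
    return addr in a_lookup(name, dns)


if __name__ == "__main__":
    allowed = {"trusted.example.org"}
    for addr in ("192.0.2.10", "198.51.100.7"):
        print(addr, naive_hostname_check(addr, allowed),
              fcrdns_hostname_check(addr, allowed))
```

Even the forward-confirmed check only raises the bar, as the reply says: it still depends on DNS and TCP not being spoofed.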
