On 7/28/20 04:29, Henry-Joseph Audéoud via aur-general wrote:
> Luna is a host, AUR is a service.
Looks like Henry-Joseph beat me to it. I'm just here to confirm what he says and give a little more detail why. So yes, this exactly. "Host keys" are named as such because they identify which machine - their primary purpose is to try to identify and thwart MitM attacks. There is no offered public key server-side for *users* (services, in this case, running as a specific user), only hosts. The host key changing with the AUR migration is best practice, as it has been split off and is now indeed on a different host. It is, in fact, considered *poor* practice explicitly for more than one machine to share the same host key unless they are intended to act as a sort of load-balanced implementation or the like.
> With HTTPS, one can configure the host to provide the *service* server-side certificate depending on the "Host:" header. E.g., appolo providing a certificate dedicated to the archlinux wiki service, even though it may host many other services.
> Here, with SSH, the service requested is deduced from the login: "aur@…". I do not know any configuration option to change the SSH host key depending on the login (service) requested by the client.
Also correct. SSH (as a protocol, not even specific implementations), as much as I'd like it to, does not offer any sort of "virtual hosting" capabilities (as the host is not even sent by the client, so even if it was supported server-side the daemon would have no method of determining which virtual host to serve, and there are parts of the SSH encryption handshaking done before that is even handled).[0]

[0] https://serverfault.com/a/610971/103116

-- 
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
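An added example, not part of the original thread: a small client-side model of host key pinning, showing that the lookup is keyed by host and key type only (the login in "aur@…" never enters it) and that a migration to a new machine shows up as a changed key. The host name `host.example.org`, the key bytes and all function names are constructed for illustration; hashed host names and `@` marker lines in `known_hosts` are skipped as a simplifying assumption.

```python
import base64
import hashlib
import struct

def make_blob(key_type: str, raw: bytes) -> bytes:
    """Build an SSH public-key blob: length-prefixed type string, then key bytes."""
    t = key_type.encode()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw)) + raw

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (host, key type) -> base64 blob; comments, hashed and marker lines skipped."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "@", "|")):
            continue
        for host in fields[0].split(","):
            pinned[(host, fields[1])] = fields[2]
    return pinned

def check(pinned: dict, destination: str, key_type: str, offered_b64: str) -> str:
    """Return 'ok', 'changed' or 'unknown' for the key a server offers."""
    host = destination.rsplit("@", 1)[-1]  # login is dropped before the lookup
    known = pinned.get((host, key_type))
    if known is None:
        return "unknown"
    return "ok" if fingerprint(known) == fingerprint(offered_b64) else "changed"

# Constructed sample keys (fixed byte patterns, not real host keys).
OLD_KEY = base64.b64encode(make_blob("ssh-ed25519", bytes(range(32)))).decode()
NEW_KEY = base64.b64encode(make_blob("ssh-ed25519", bytes(range(32, 64)))).decode()
KNOWN_HOSTS = f"# constructed known_hosts\nhost.example.org ssh-ed25519 {OLD_KEY}\n"

if __name__ == "__main__":
    pinned = parse_known_hosts(KNOWN_HOSTS)
    for dest in ("aur@host.example.org", "git@host.example.org"):
        print(dest, check(pinned, dest, "ssh-ed25519", OLD_KEY))
    print("after migration:", check(pinned, "aur@host.example.org", "ssh-ed25519", NEW_KEY))
```

A "changed" result is the signal to compare the new fingerprint against one published by the operators over a separate channel before replacing the pinned entry.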