[aur-general] [arch-dev-public] AUR migration

brent s. bts at square-r00t.net
Tue Jul 28 15:13:09 UTC 2020

On 7/28/20 04:29, Henry-Joseph Audéoud via aur-general wrote:
> Luna is a host, AUR is a service.

Looks like Henry-Joseph beat me to it. I'm just here to confirm what he
says and give a little more detail why.

So yes, this exactly. "Host keys" are named as such because they
identify which machine - their primary purpose is to try to identify and
thwart MitM attacks. There is no offered public key server-side for
*users* (services, in this case, running as a specific user), only hosts.

The host key changing with the AUR migration is best practice, as it has
been split off and is now indeed on a different host. It is, in fact,
considered *poor* practice explicitly for more than one machine to share
the same host key unless they are intended to act as a sort of
load-balanced implementation or the like.

> With HTTPS, one can configure the host to provide the *service*
> server-side certificate depending on the "Host:" header.  E. g., appolo
> providing a certificate dedicated to the archlinux wiki service, even
> though it may host many other services.
> Here, with SSH, the service requested is deduced from the login:
> "aur@…".  I do not know any configuration option to change the SSH host
> key depending on the login (service) requested by the client.

Also correct. SSH (as a protocol, not even specific implementations), as
much as I'd like it to, does not offer any sort of "virtual hosting"
capabilities (as the host is not even sent by the client, so even if it
was supported server-side the daemon would have no method of determining
which virtual host to serve, and there are parts of the SSH encryption
handshaking done before that is even handled).[0]

[0] https://serverfault.com/a/610971/103116

brent saner
GPG info: https://square-r00t.net/gpg-info

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/aur-general/attachments/20200728/73c164aa/attachment.sig>

More information about the aur-general mailing list