Thicket data repository for the EEG
{
  "id": "https://www.tunbury.org/2025/04/25/bluesky-ssh-authentication",
  "title": "Bluesky SSH Authentication",
  "link": "https://www.tunbury.org/2025/04/25/bluesky-ssh-authentication/",
  "updated": "2025-04-25T15:00:00",
  "published": "2025-04-25T15:00:00",
  "summary": "If you have signed up to tangled.sh you will have published your SSH public key on the Bluesky ATproto network. Have a browse to your Bluesky ID, or mine. Look under sh.tangled.publicKey.",
  "content": "<p>If you have signed up to <a href=\"https://tangled.sh\">tangled.sh</a> you will have published your SSH public key on the Bluesky ATproto network. Have a browse to your Bluesky ID, or <a href=\"https://www.atproto-browser.dev/at/did:plc:476rmswt6ji7uoxyiwjna3ti\">mine</a>. Look under <code>sh.tangled.publicKey</code>.</p>\n\n<p><a href=\"https://github.com/mtelvers/bluesky-ssh-key-extractor.git\">BlueSky ATproto SSH Public Key Extractor</a> extracts this public key information and outputs one public key at a time. The format is suitable to use with the <code>AuthorizedKeysCommand</code> parameter in your <code>/etc/ssh/sshd_config</code> file.</p>\n\n<p>Build the project:</p>\n\n<div><div><pre><code>opam <span>install</span> <span>.</span> <span>--deps-only</span>\ndune build\n</code></pre></div></div>\n\n<p>Install the binary by copying it to the local system. Setting the ownership and permissions is essential.</p>\n\n<div><div><pre><code><span>cp </span>_build/install/default/bin/bluesky-ssh-key-extractor /usr/local/bin\n<span>chmod </span>755 /usr/local/bin/bluesky-ssh-key-extractor\n<span>chown </span>root:root /usr/local/bin/bluesky-ssh-key-extractor\n</code></pre></div></div>\n\n<p>Test that the command is working:</p>\n\n<div><div><pre><code><span>$ </span>bluesky-ssh-key-extractor mtelvers.tunbury.org\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7UrJmBFWR3c7jVzpoyg4dJjON9c7t9bT9acfrj6G7i mark.elvers@tunbury.org\n</code></pre></div></div>\n\n<p>If that works, then edit your <code>/etc/ssh/sshd_config</code>:</p>\n\n<div><div><pre><code>AuthorizedKeysCommand /usr/local/bin/bluesky-ssh-key-extractor your_bluesky_handle\nAuthorizedKeysCommandUser nobody\n</code></pre></div></div>\n\n<p>Now you should be able to SSH to the machine using your published key:</p>\n\n<div><div><pre><code>ssh root@your_host\n</code></pre></div></div>\n\n<blockquote>\n <p>Note, this program was intended as a proof of concept rather than something you’d actually use.</p>\n</blockquote>\n\n<p>If you have a 1:1 mapping between Bluesky accounts and system usernames, you might get away with:</p>\n\n<div><div><pre><code>AuthorizedKeysCommand /usr/local/bin/bluesky-ssh-key-extractor %u.bsky.social\nAuthorizedKeysCommandUser nobody\n</code></pre></div></div>",
  "content_type": "html",
  "author": {
    "name": "Mark Elvers",
    "email": "mark.elvers@tunbury.org",
    "uri": null
  },
  "categories": [
    "bluesky,sshd",
    "tunbury.org"
  ],
  "source": "https://www.tunbury.org/atom.xml"
}