Thicket data repository for the EEG
{
  "id": "https://www.tunbury.org/2025/04/26/bluesky-ssh-authentication-2",
  "title": "Bluesky SSH Authentication #2",
  "link": "https://www.tunbury.org/2025/04/26/bluesky-ssh-authentication-2/",
  "updated": "2025-04-26T00:00:00",
  "published": "2025-04-26T00:00:00",
  "summary": "Addressing the glaring omissions from yesterday’s proof of concept, such as the fact that you could sign in as any user, you couldn’t revoke access, all hosts had the same users, and there was no mapping between Bluesky handles and POSIX users, I have updated mtelvers/bluesky-ssh-key-extractor and newly published mtelvers/bluesky-collection.",
  "content": "<p>Addressing the glaring omissions from yesterday’s proof of concept, such as the fact that you could sign in as any user, you couldn’t revoke access, all hosts had the same users, and there was no mapping between Bluesky handles and POSIX users, I have updated <a href=\"https://github.com/mtelvers/bluesky-ssh-key-extractor\">mtelvers/bluesky-ssh-key-extractor</a> and newly published <a href=\"https://github.com/mtelvers/bluesky-collection.git\">mtelvers/bluesky-collection</a>.</p>\n\n<p>The tool creates ATProto collections using <code>app.bsky.graph.list</code> and populates them with <code>app.bsky.graph.listitem</code> records.</p>\n\n<p>Each list should be named with a friendly identifier such as the FQDN of the host being secured. List entries have a <code>subject_did</code>, which is the DID of the user you are giving access to, and a <code>displayName</code>, which is used as the POSIX username on the system you are connecting to.</p>\n\n<p>A typical usage would be creating a collection and adding records. Here I have made a collection called <code>rosemary.caelum.ci.dev</code> and then added two users, <code>anil.recoil.org</code> and <code>mtelvers.tunbury.org</code>, with POSIX usernames of <code>avsm2</code> and <code>mte24</code> respectively. (Check my <a href=\"https://www.atproto-browser.dev/at/did:plc:476rmswt6ji7uoxyiwjna3ti\">Bluesky record</a>.)</p>\n\n<div><div><pre><code>bluesky_collection create --handle mtelvers.tunbury.org --password *** --collection rosemary.caelum.ci.dev\nbluesky_collection add --handle mtelvers.tunbury.org --password *** --collection rosemary.caelum.ci.dev --user-handle anil.recoil.org --user-id avsm2\nbluesky_collection add --handle mtelvers.tunbury.org --password *** --collection rosemary.caelum.ci.dev --user-handle mtelvers.tunbury.org --user-id mte24\n</code></pre></div></div>\n\n<p>When authenticating using SSHD, the companion tool <a href=\"https://github.com/mtelvers/bluesky-ssh-key-extractor\">mtelvers/bluesky-ssh-key-extractor</a> would have command line parameters of the Bluesky user account holding the collection, the collection name (aka the hostname), and the POSIX username (provided by SSHD). The authenticator queries the Bluesky network to find the collection matching the FQDN, then compares the list entries to the POSIX user given. If there is a match, the <code>subject_did</code> is used to look up the associated <code>sh.tangled.publicKey</code>. The authenticator requires no password to access Bluesky, as all the records are public.</p>",
  "content_type": "html",
  "author": {
    "name": "Mark Elvers",
    "email": "mark.elvers@tunbury.org",
    "uri": null
  },
  "categories": [
    "bluesky,sshd",
    "tunbury.org"
  ],
  "source": "https://www.tunbury.org/atom.xml"
}