This blog is now 11 years old and I've been thinking about a comment system for some time. I don't want to use Disqus or any other third-party comment system because I don't want to give away my visitors' data and I don't want to have any external dependencies.
So usually my posts are discussed on Reddit or Hacker News, so there wasn't really a need for a comment system at all, but I had an idea in the back of my head since 2015.
SSH as an authentication system for the web?
In 2015 I read an article (HN discussion) that was using SSH as a sort-of 2FA for websites where you needed to SSH into a server, which gave you a link with a token that allowed you to sign into the site.
I wondered if I could make a comment system for this blog using SSH.
How does it work as a comment system?
The idea is simple: you give users an SSH server to connect to, which presents them with a simple UI, which then stores the comment in a database and displays it on the blog.
In the current implementation you don't need to register your SSH key as I'm using a heavily modified OpenSSH server where every available username corresponds to a blog post. So you can comment on this post using ssh email@example.com where you will be greeted with a message and asked to choose a name and write a comment.
The SSH server is running a program instead of a shell, so for every connection an instance of the blogshell is run and presented to the user. When this blogshell exits, the connection is closed automatically.
How does it know where to add the comment?
The SSH server automatically creates a user for every post on this blog. Each post has a unique identifier which I can use for this like for example this post's unique identifier is called
So the comment section at the end of each post gives you the correct command to comment on each post.
Is using SSH protecting against spam?
Probably not, since every bot could also post via SSH. Everyone who hosts an SSH server on the web knows how many automated attacks happen every day. I obviously did implement a few safety measures based on the IP of users though.
That said, it's probably that extra step from your browser to a terminal and logging into the server that might filter out low-effort comments, but we'll see if that's true.
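A program that runs in place of a shell and publishes what strangers type has to treat the username, the display name and the comment as untrusted input. The sketch below is an added example, not the author's blogshell: it validates the post identifier, strips terminal control characters, applies a per-IP interval, and escapes HTML only at render time. The identifier format, the limits and all function names are assumptions.

```python
import html
import re
import unicodedata

POST_ID_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,63}")  # assumed post-id format
MAX_NAME, MAX_COMMENT = 40, 2000                      # assumed length limits
MIN_INTERVAL = 60.0                                   # assumed seconds between comments per IP


def clean(text, limit, keep_newlines=False):
    """Drop control/format characters (ESC, BEL, bidi overrides) and truncate."""
    out = []
    for ch in text:
        if ch == "\n" and keep_newlines:
            out.append(ch)
        elif unicodedata.category(ch) not in ("Cc", "Cf", "Cs", "Co", "Cn"):
            out.append(ch)
    return "".join(out).strip()[:limit]


def accept_comment(post_id, name, body, client_ip, now, last_seen):
    """Return a storable record or raise ValueError; last_seen maps IP -> timestamp."""
    if not POST_ID_RE.fullmatch(post_id):
        raise ValueError("unknown post")
    if now - last_seen.get(client_ip, float("-inf")) < MIN_INTERVAL:
        raise ValueError("rate limited")
    name = clean(name, MAX_NAME) or "anonymous"
    body = clean(body, MAX_COMMENT, keep_newlines=True)
    if not body:
        raise ValueError("empty comment")
    last_seen[client_ip] = now
    return {"post": post_id, "name": name, "body": body, "ip": client_ip, "ts": now}


def render(record):
    """HTML-escape at output time so stored text can never inject markup."""
    return "<p><b>{}</b>: {}</p>".format(
        html.escape(record["name"]),
        html.escape(record["body"]).replace("\n", "<br>"))
```

With a stock OpenSSH server, the client address for `client_ip` is available to the forced program in the `SSH_CONNECTION` environment variable.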
Where to go from here
This way of writing comments to websites is currently only a novelty and a fun hack.
I have many ideas to further improve this system like commenting on other comments and registering SSH keys for consistent identity across posts and editing of existing comments.
I will publish the blueprints (source for the docker container) shortly and will update this post