External Clients

docs/sandboxes/ssh/external-clients.mdx

External client mode exposes a sandbox as an SSH server for tools that already speak SSH. This is the closest match for normal SSH usage: authorize a public key, serve the sandbox, then connect with `ssh` or `sftp`.

Authorize a key

```bash
msb ssh authorize --file ~/.ssh/id_ed25519.pub
msb ssh authorize --key "ssh-ed25519 AAAA... user@host"
cat ~/.ssh/id_ed25519.pub | msb ssh authorize --stdin
```

Keys are appended to `<MSB_HOME>/ssh/authorized_keys`. Existing keys are deduplicated by public-key material.

TCP listener

```bash
msb ssh serve devbox
```

The default listener is `127.0.0.1:2222`.

```bash
ssh -p 2222 root@127.0.0.1
sftp -P 2222 root@127.0.0.1
```

Choose a different bind address or port when needed:

```bash
msb ssh serve devbox --host 127.0.0.1 --port 2223
```

<Note> Binding to `0.0.0.0` exposes the SSH listener beyond the local machine. Keep the default loopback bind unless you intentionally want remote clients to connect. </Note>
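
A check for the exposure the note describes, as an added example that is not part of the microsandbox docs: it reads `ss -ltn` output and reports listeners on a given port that are bound to anything other than loopback. The function name and the sample socket lines are constructed for illustration, and the Linux `ss` column layout is assumed.

```bash
# Constructed sample of `ss -H -ltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:2222 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2223 0.0.0.0:*
LISTEN 0 128 [::1]:2222 [::]:*
LISTEN 0 128 [::]:2222 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# exposed_listeners PORT
# Reads ss output on stdin, prints every local address listening on PORT that
# is not a loopback address, and returns 1 if at least one was printed.
exposed_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      addr = $4
      n = split(addr, parts, ":")
      if (parts[n] != port) next          # the port follows the last colon
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      sub(/%.*$/, "", host)               # drop an interface scope such as %lo
      sub(/^\[/, "", host)                # unwrap bracketed IPv6 literals
      sub(/\]$/, "", host)
      # Loopback binds (IPv4, IPv6, IPv4-mapped IPv6) stay on this machine.
      if (host ~ /^127\./ || host == "::1" || host ~ /^::ffff:127\./) next
      print addr                          # 0.0.0.0, *, [::] or a routable IP
      found = 1
    }
    END { exit found + 0 }
  '
}

# Live use after starting the listener: ss -H -ltn | exposed_listeners 2222
```

A wildcard bind shows up as `0.0.0.0`, `*` or `[::]` in the local address column, and all three are reported.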

ProxyCommand

`--stdio` serves one SSH transport over stdin/stdout. Use it when the SSH client should spawn `msb` as its transport bridge instead of connecting to a TCP listener.

```sshconfig
Host devbox.msb
  User root
  ProxyCommand msb ssh serve devbox --stdio
```

Then use regular OpenSSH commands:

```bash
ssh devbox.msb
sftp devbox.msb
```

SDK server endpoints

The Rust SDK exposes the general form: prepare an SSH server endpoint, then pass each ordered duplex stream to `serve(stream)`.

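```rust
// Prepare an SSH server endpoint for the sandbox, with SFTP enabled.
let server = sandbox
    .ssh()
    .server_with(|ssh| ssh.sftp(true))
    .await?;

// Serve one SSH transport over an ordered duplex stream.
server.serve(stream).await?;
```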

The TypeScript, Python, and Go SDKs expose stdio server helpers for process-bridge use cases. See the SDK reference pages for the exact language-specific surface.