opkssh (OpenPubkey SSH)

Go Coverage (https://github.com/openpubkey/opkssh/wiki/coverage.svg)

opkssh is a tool which enables ssh to be used with OpenID Connect allowing SSH access to be managed via identities like [email protected] instead of long-lived SSH keys. It does not replace SSH, but instead generates SSH public keys containing PK Tokens and configures sshd to verify them. These PK Tokens contain standard OpenID Connect ID Tokens (https://openid.net/specs/openid-connect-core-1_0.html). This protocol builds on the OpenPubkey (https://github.com/openpubkey/openpubkey/blob/main/README.md) which adds user public keys to OpenID Connect without breaking compatibility with existing OpenID Provider.

Currently opkssh is compatible with Google, Microsoft/Azure, Gitlab, hello.dev, and Authelia OpenID Providers (OP). See below for the entire list. If you have a gmail, microsoft or a gitlab account you can ssh with that account.

To ssh with opkssh you first need to download the opkssh binary and then run:

opkssh login

This opens a browser window where you can authenticate to your OpenID Provider. This will generate an SSH key in ~/.ssh/id_ecdsa which contains your OpenID Connect identity. Then you can ssh under this identity to any ssh server which is configured to use opkssh to authenticate users using their OpenID Connect identities.

ssh [email protected]

OpenPubkey Mailing List

For updates and announcements join the OpenPubkey mailing list. (https://groups.google.com/g/openpubkey)

Getting Started

To ssh with opkssh, Alice first needs to install opkssh using homebrew or manually downloading the binary.

Homebrew Install (macOS)

To install with homebrew run:

brew tap openpubkey/opkssh
brew install opkssh

Winget Install (Windows)

To install with winget run:

winget install openpubkey.opkssh

Chocolatey Install (Windows)

To install with Chocolatey (https://chocolatey.org/install) run:

choco install opkssh -y

Nix Install

Use the opkssh nixpkg (https://search.nixos.org/packages?channel=unstable&show=opkssh&query=opkssh) as normal, or test it via:

nix-shell -p opkssh

Manual Install (Windows, Linux, macOS)

To install manually, download the opkssh binary and run it:

To install on Windows run:

curl https://github.com/openpubkey/opkssh/releases/latest/download/opkssh-windows-amd64.exe -o opkssh.exe

To install on macOS run:

curl -L https://github.com/openpubkey/opkssh/releases/latest/download/opkssh-osx-amd64 -o opkssh; chmod +x opkssh

To install on linux, run:

curl -L https://github.com/openpubkey/opkssh/releases/latest/download/opkssh-linux-amd64 -o opkssh; chmod +x opkssh

or for ARM

curl -L https://github.com/openpubkey/opkssh/releases/latest/download/opkssh-linux-arm64 -o opkssh; chmod +x opkssh

SSHing with opkssh

After downloading opkssh run:

opkssh login

This opens a browser window to select which OpenID Provider you want to authenticate against. After successfully authenticating opkssh generates an SSH public key in ~/.ssh/id_ecdsa which contains your PK Token. By default this ssh key expires after 24 hours and you must run opkssh login to generate a new ssh key.

Since your PK Token has been saved as an SSH key you can SSH as normal:

ssh [email protected]

This works because SSH sends the public key written by opkssh in ~/.ssh/id_ecdsa to the server and sshd running on the server will send the public key to the opkssh command to verify. This also works for other protocols that build on ssh like sftp (https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol) or ssh tunnels.

sftp [email protected]

Custom key name

Instructions

SSH command

Tell opkssh to store the name the key-pair opkssh_server_group1

opkssh login -i opkssh_server_group1

Tell ssh to use the generated key pair.

ssh -o "IdentitiesOnly=yes" -i ~/.ssh/opkssh_server_group1 [email protected]

We recommend specifying -o "IdentitiesOnly=yes" as it tells ssh to only use the provided key. Otherwise ssh will cycle through other keys in ~/.ssh first and may not get to the specified ones. Servers are configured to only allow 6 attempts by default the config key is MaxAuthTries 6.

Installing on a Server

To configure a linux server to use opkssh simply run (with root level privileges):

wget -qO- "https://raw.githubusercontent.com/openpubkey/opkssh/main/scripts/install-linux.sh" | sudo bash

This downloads the opkssh binary, installs it as /usr/local/bin/opkssh, and then configures ssh to use opkssh as an additional authentication mechanism.

To allow a user, [email protected], to ssh to your server as root, run:

sudo opkssh add root [email protected] google

To allow a group, ssh-users, to ssh to your server as root, run:

sudo opkssh add root oidc:groups:ssh-users google

We can also enforce policy on custom claims. For instance to require that root access is only granted to users whose ID Token has a claim https://acme.com/groups with the value ssh-users run:

sudo opkssh add root oidc:\"https://acme.com/groups\":ssh-users google

which will add that line to your OPKSSH policy file.

How it works

We use two features of SSH to make this work. First we leverage the fact that SSH public keys can be SSH certificates and SSH Certificates support arbitrary extensions. This allows us to smuggle your PK Token, which includes your ID Token, into the SSH authentication protocol via an extension field of the SSH certificate. Second, we use the AuthorizedKeysCommand configuration option in sshd_config (see sshd_config manpage (https://man.openbsd.org/sshd_config.5#AuthorizedKeysCommand)) so that the SSH server will send the SSH certificate to an installed program that knows how to verify PK Tokens.

What is supported

Client support