Cloudflare Unveils OPKSSH for SSH Authentication via OIDC

Cloudflare has unveiled OPKSSH (OpenPubkey SSH), a tool that integrates SSH authentication with OpenID Connect (OIDC) identity providers. OPKSSH removes the need to generate and distribute SSH keys by hand: a user can connect from any host without creating a key pair on each client machine or copying public keys to the server. Instead, an administrator binds a local account on the server to an identity at an OpenID provider, and the user logs in through that provider. The tool is written in Go and available under the Apache 2.0 license.

OPKSSH supports the Google, Microsoft/Azure, and GitLab OpenID Providers, so users can log in with accounts on gmail.com, microsoft.com, and gitlab.com. Rather than installing long-lived keys, OPKSSH generates a short-lived SSH key pair each time the OpenID provider confirms a login. The key is valid for 24 hours by default; after that, the user must re-authenticate with the OpenID provider to obtain a new one.

The integration with OpenSSH uses the extension field that SSH certificates already provide for attaching additional data. After OpenID authentication, the client generates a public key together with a PK token that attests to the user's identity, and the token is carried in the extension field of the SSH certificate presented to the server. OpenPubkey relies on digital signatures to bind the key to the token: the ID token signed by the OpenID provider commits to the user's public key (the commitment is carried in the token's nonce claim), so a verifier that checks the provider's signature and opens that commitment can be sure the key was created by the authenticated user rather than by someone presenting a stolen token with a key of their own.

For example, the Google OpenID Provider can confirm that a user has authenticated as [email protected]. The server verifies the attached token and checks that it was [email protected] who created the public key presented by the SSH client. The security gain is that a key is accepted only when it is tied to a freshly verified identity, not merely because it appears in an authorized_keys file.
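The following is an added example, not code from the article or from the opkssh project, and it deliberately simplifies the real protocol: a Go model of the OpenPubkey binding described in the two paragraphs above, with a simulated OpenID Provider, the client-side login that commits to an ephemeral key in the OIDC nonce, the server-side verification that opens that commitment, and a principal-to-identity policy check of the kind the server applies afterwards. The claim and field names, the JSON-over-SHA-256 commitment, the ECDSA-over-digest "token signature", the e-mail addresses and the policy map are all illustrative assumptions; the real project signs and verifies JWTs and embeds the PK token in an SSH certificate extension rather than passing Go structs around.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
)

// CIC is what the client commits to in the OIDC nonce: its ephemeral public key
// (PKIX DER), the signing algorithm and a random value that hides the key.
type CIC struct {
	Alg string `json:"alg"`
	Upk []byte `json:"upk"`
	Rz  []byte `json:"rz"`
}

// IDClaims is the subset of ID-token claims this model needs (assumed names).
type IDClaims struct {
	Email string `json:"email"`
	Nonce string `json:"nonce"`
}

// PKToken is what the client would place in the SSH certificate extension.
type PKToken struct {
	Claims IDClaims
	OPSig  []byte
	CIC    CIC
}

// digest is SHA-256 over the JSON encoding of v (deterministic for structs).
func digest(v any) []byte {
	b, _ := json.Marshal(v)
	h := sha256.Sum256(b)
	return h[:]
}

// commit turns a CIC into the nonce string the client hands to the OP.
func commit(c CIC) string { return base64.RawURLEncoding.EncodeToString(digest(c)) }

// opIssue stands in for the OpenID Provider (user login assumed done): it echoes the nonce into the token and signs it.
func opIssue(opKey *ecdsa.PrivateKey, email, nonce string) (IDClaims, []byte, error) {
	claims := IDClaims{Email: email, Nonce: nonce}
	sig, err := ecdsa.SignASN1(rand.Reader, opKey, digest(claims))
	return claims, sig, err
}

// clientLogin models the client: mint an ephemeral key pair, commit to it in the
// nonce, fetch the ID token and return the PK token with the private key.
func clientLogin(opKey *ecdsa.PrivateKey, email string) (PKToken, *ecdsa.PrivateKey, error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return PKToken{}, nil, err
	}
	upk, err := x509.MarshalPKIXPublicKey(&userKey.PublicKey)
	if err != nil {
		return PKToken{}, nil, err
	}
	rz := make([]byte, 32)
	rand.Read(rz) // crypto/rand.Read does not return a short read in supported Go releases
	cic := CIC{Alg: "ES256", Upk: upk, Rz: rz}
	claims, sig, err := opIssue(opKey, email, commit(cic))
	if err != nil {
		return PKToken{}, nil, err
	}
	return PKToken{Claims: claims, OPSig: sig, CIC: cic}, userKey, nil
}

// verifyPKToken models the server: the OP signature must verify under the pinned OP
// key, and the signed nonce must open to the presented key; only then is the e-mail bound to it.
func verifyPKToken(opPub *ecdsa.PublicKey, tok PKToken) (string, []byte, error) {
	if !ecdsa.VerifyASN1(opPub, digest(tok.Claims), tok.OPSig) {
		return "", nil, errors.New("OP signature over ID token is invalid")
	}
	if commit(tok.CIC) != tok.Claims.Nonce {
		return "", nil, errors.New("nonce does not commit to the presented public key")
	}
	return tok.Claims.Email, tok.CIC.Upk, nil
}

// authorized applies a principal -> allowed identities policy, the role that a
// per-server policy plays once the token itself has been verified (assumed shape).
func authorized(policy map[string][]string, principal, email string) bool {
	return slices.Contains(policy[principal], email)
}

func main() {
	opKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, _, _ := clientLogin(opKey, "alice@example.com") // constructed sample identity
	email, _, err := verifyPKToken(&opKey.PublicKey, tok)
	fmt.Println(email, err, authorized(map[string][]string{"root": {"alice@example.com"}}, "root", email))
}
```

The two checks in verifyPKToken are the whole point: a valid token whose nonce does not open to the key being presented is rejected (someone who steals a token cannot attach their own key to it), and any edit to the signed claims invalidates the provider's signature. Expiry, issuer and audience checks that a real verifier must also perform are left out of the model.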
