{"id":51101641,"url":"https://github.com/atsuoishimoto/oidc-ssh-ca","last_synced_at":"2026-06-24T11:01:46.027Z","repository":{"id":364418609,"uuid":"1267041616","full_name":"atsuoishimoto/oidc-ssh-ca","owner":"atsuoishimoto","description":"A tiny SSH CA for CI/CD and ssh ops — issues short-lived SSH certificates from GitHub Actions OIDC. No long-lived keys in secrets.","archived":false,"fork":false,"pushed_at":"2026-06-20T00:58:46.000Z","size":278,"stargazers_count":3,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-20T02:07:52.351Z","etag":null,"topics":["ca","certificate-authority","github","github-actions","golang","oidc","ssh","ssh-key"],"latest_commit_sha":null,"homepage":"https://oidc-ssh-ca.readthedocs.io/en/latest/index.html","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/atsuoishimoto.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-12T07:02:23.000Z","updated_at":"2026-06-20T00:58:50.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/atsuoishimoto/oidc-ssh-ca","commit_stats":null,"previous_names":["atsuoishimoto/oidc-ssh-ca"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/atsuoishimoto/oidc-ssh-ca","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atsuoishimoto%2Foidc-ssh-ca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atsuoishimoto%2Foidc-ssh-ca/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atsuoishimoto%2Foidc-ssh-ca/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atsuoishimoto%2Foidc-ssh-ca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/atsuoishimoto","download_url":"https://codeload.github.com/atsuoishimoto/oidc-ssh-ca/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atsuoishimoto%2Foidc-ssh-ca/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34728928,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-24T02:00:07.484Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ca","certificate-authority","github","github-actions","golang","oidc","ssh","ssh-key"],"created_at":"2026-06-24T11:01:45.260Z","updated_at":"2026-06-24T11:01:45.987Z","avatar_url":"https://github.com/atsuoishimoto.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# oidc-ssh-ca\n\nA small SSH certificate authority that issues short-lived OpenSSH user\ncertificates to OIDC-authenticated callers — primarily GitHub Actions.\n\nInstead of storing a long-term SSH private key in GitHub Secrets, a workflow\ngenerates an ephemeral key pair on every run, proves its identity with the\nGitHub OIDC token, and receives a certificate valid for a few minutes.\nServers trust only the CA public key; there are no `authorized_keys` to\ndistribute, rotate, or clean up after a leak.\n\n```text\nGitHub Actions\n  │  GitHub OIDC JWT + ephemeral public key\n  ▼\noidc-ssh-ca  POST /sign\n  │  verify JWT → match policy.yaml → sign in memory\n  ▼\nshort-lived OpenSSH user certificate\n  │  ssh / ansible / rsync / scp\n  ▼\ntarget servers (trust only the CA public key)\n```\n\nThis is not a replacement for Vault, OpenBao, or Teleport. It is a small,\nsingle-binary tool that replaces long-lived SSH keys in GitHub Actions with\nshort-lived, OIDC-issued certificates.\n\nThe value is not just fewer keys. For a team that deploys to production from\nGitHub Actions, it makes a workflow's identity the unit of SSH authorization:\nwhat each run may do is decided by verified OIDC claims against a reviewable\n`policy.yaml`, every issued certificate is logged for audit, and key rotation\ncollapses onto the single CA key. See\n[Why teams adopt oidc-ssh-ca](https://oidc-ssh-ca.readthedocs.io/en/latest/why-teams.html)\nfor the operational case.\n\n\n## Workflow-scoped SSH permissions\n\noidc-ssh-ca can issue SSH certificates with a forced command based on\nGitHub Actions OIDC claims.\n\nThis means a workflow does not need general-purpose SSH access.\n\nFor example:\n\n- `deploy-prod.yml` can only run `/usr/local/bin/deploy-prod`\n- `restart-worker.yml` can only run `/usr/local/bin/restart-worker`\n- `collect-logs.yml` can only run `/usr/local/bin/collect-logs`\n\nEven if a certificate is leaked, it cannot be reused as a general SSH shell.\nIt is short-lived and restricted to the command encoded in the certificate.\n\n\n## Building from source\n\n`oidc-ssh-ca` is a single static Go binary with no cgo and no runtime\ndependencies; building it needs only the Go toolchain (1.22 or newer):\n\n```bash\ngo build -o oidc-ssh-ca ./cmd/oidc-ssh-ca   # build the binary\ngo test ./...                                # run the tests\n```\n\nOr install it straight onto your `PATH`:\n\n```bash\ngo install github.com/atsuoishimoto/oidc-ssh-ca/cmd/oidc-ssh-ca@latest\n```\n\nA multi-stage `Dockerfile` builds a distroless image (`docker build -t\noidc-ssh-ca .`). See the\n[build guide](https://oidc-ssh-ca.readthedocs.io/en/latest/building.html)\nfor cross-compilation, version stamping, and the container build.\n\n## Documentation\n\nThe full documentation is at\n**[oidc-ssh-ca.readthedocs.io](https://oidc-ssh-ca.readthedocs.io/)** —\nstart with the\n**[Quickstart](https://oidc-ssh-ca.readthedocs.io/en/latest/quickstart.html)**.\n\n- [Quickstart](https://oidc-ssh-ca.readthedocs.io/en/latest/quickstart.html) —\n  CA key, policy, server, sshd, and the GitHub Actions workflow, end to end\n- [Choosing a deployment](https://oidc-ssh-ca.readthedocs.io/en/latest/deployment/index.html) —\n  [Cloud Run](https://oidc-ssh-ca.readthedocs.io/en/latest/deployment/cloud-run.html) (recommended),\n  [Docker Compose + Caddy](https://oidc-ssh-ca.readthedocs.io/en/latest/deployment/docker-compose.html),\n  [AWS Lambda via CLI](https://oidc-ssh-ca.readthedocs.io/en/latest/deployment/lambda-cli.html) or\n  [Terraform](https://oidc-ssh-ca.readthedocs.io/en/latest/deployment/lambda-terraform.html), and\n  [systemd](https://oidc-ssh-ca.readthedocs.io/en/latest/deployment/systemd.html)\n- Reference —\n  [policy format](https://oidc-ssh-ca.readthedocs.io/en/latest/policy.html),\n  [the /sign API](https://oidc-ssh-ca.readthedocs.io/en/latest/api.html),\n  [commands](https://oidc-ssh-ca.readthedocs.io/en/latest/commands.html), and\n  [operations](https://oidc-ssh-ca.readthedocs.io/en/latest/operations.html)\n  (audit log, reload, emergency stop, key rotation)\n- [Testing](https://oidc-ssh-ca.readthedocs.io/en/latest/testing.html) —\n  running the test suite, including the local end-to-end tests with a mock\n  OIDC provider\n\nThe sources are in [`docs/`](docs/); to build locally:\n\n```bash\npip install -r docs/requirements.txt\nmake -C docs html    # docs/_build/html/index.html\n```\n\n## Status\n\nMVP plus AWS Lambda support (via the Lambda Web Adapter). GitHub Actions\nOIDC (RS256) is the\nsupported identity source; only `ssh-ed25519` keys are accepted for both\nthe CA and client keys. An Ansible role for target servers is included\n([`examples/ansible/`](examples/ansible/)). AWS IAM identity matching and Terraform modules\nare planned — see `.memo/memo.md` for the full design document.\n\n## Changelog\n\nSee the [release history](https://oidc-ssh-ca.readthedocs.io/en/latest/history.html).\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fatsuoishimoto%2Foidc-ssh-ca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fatsuoishimoto%2Foidc-ssh-ca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fatsuoishimoto%2Foidc-ssh-ca/lists"}