{"id":26889704,"url":"https://github.com/openpubkey/opkssh","last_synced_at":"2026-01-23T20:40:38.779Z","repository":{"id":282741088,"uuid":"949493073","full_name":"openpubkey/opkssh","owner":"openpubkey","description":"opkssh (OpenPubkey SSH)","archived":false,"fork":false,"pushed_at":"2026-01-19T21:55:34.000Z","size":32118,"stargazers_count":1800,"open_issues_count":63,"forks_count":86,"subscribers_count":15,"default_branch":"main","last_synced_at":"2026-01-20T00:47:27.404Z","etag":null,"topics":["oidc","openid-connect","ssh","ssh-keys"],"latest_commit_sha":null,"homepage":"https://eprint.iacr.org/2023/296","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/openpubkey.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-03-16T15:32:26.000Z","updated_at":"2026-01-19T23:48:52.000Z","dependencies_parsed_at":"2025-07-04T15:57:39.347Z","dependency_job_id":"10dd6748-33a6-4c0a-a19a-99dc5c72bbb1","html_url":"https://github.com/openpubkey/opkssh","commit_stats":null,"previous_names":["openpubkey/opkssh"],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/openpubkey/opkssh","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openpubkey%2Fopkssh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openpubkey%2Fopkssh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openpubkey%2Fopkssh
/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openpubkey%2Fopkssh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/openpubkey","download_url":"https://codeload.github.com/openpubkey/opkssh/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openpubkey%2Fopkssh/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28699712,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-23T17:25:48.045Z","status":"ssl_error","status_checked_at":"2026-01-23T17:25:47.153Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["oidc","openid-connect","ssh","ssh-keys"],"created_at":"2025-03-31T21:01:48.620Z","updated_at":"2026-01-23T20:40:38.773Z","avatar_url":"https://github.com/openpubkey.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# opkssh (OpenPubkey SSH)\n\n[![Go Coverage](https://github.com/openpubkey/opkssh/wiki/coverage.svg)](https://raw.githack.com/wiki/openpubkey/opkssh/coverage.html)\n\n**opkssh** is a tool which enables ssh to be used with OpenID Connect allowing SSH access to be managed via identities like `alice@example.com` instead of long-lived SSH keys.\nIt does not replace SSH, but instead generates SSH public keys containing PK Tokens and configures sshd to verify them. 
These PK Tokens contain standard [OpenID Connect ID Tokens](https://openid.net/specs/openid-connect-core-1_0.html). This protocol builds on [OpenPubkey](https://github.com/openpubkey/openpubkey/blob/main/README.md), which adds user public keys to OpenID Connect without breaking compatibility with existing OpenID Providers.\n\nCurrently opkssh is compatible with Google, Microsoft/Azure, Gitlab, hello.dev, and Authelia OpenID Providers (OPs). See below for the entire list. If you have a Gmail, Microsoft, or GitLab account you can ssh with that account.\n\nTo ssh with opkssh you first need to download the opkssh binary and then run:\n\n```bash\nopkssh login\n```\n\nThis opens a browser window where you can authenticate to your OpenID Provider. This will generate an SSH key in `~/.ssh/id_ecdsa` which contains your OpenID Connect identity.\nThen you can ssh under this identity to any ssh server which is configured to use opkssh to authenticate users using their OpenID Connect identities.\n\n```bash\nssh user@example.com\n```\n\n### OpenPubkey Mailing List\nFor updates and announcements join the [OpenPubkey mailing list.](https://groups.google.com/g/openpubkey)\n\n## Getting Started\n\nTo ssh with opkssh, Alice first needs to install opkssh using Homebrew or by manually downloading the binary.\n\n### Homebrew Install (macOS)\n\nTo install with Homebrew run:\n\n```bash\nbrew tap openpubkey/opkssh\nbrew install opkssh\n```\n\n### Winget Install (Windows)\n\nTo install with winget run:\n\n```powershell\nwinget install openpubkey.opkssh\n```\n\n### Chocolatey Install (Windows)\n\nTo install with [Chocolatey](https://chocolatey.org/install) run:\n\n```powershell\nchoco install opkssh -y\n```\n\n### Nix Install\n\nUse the [opkssh nixpkg](https://search.nixos.org/packages?channel=unstable\u0026show=opkssh\u0026query=opkssh) as normal, or test it via:\n\n```bash\nnix-shell -p opkssh\n```\n\n### Manual Install (Windows, Linux, macOS)\n\nTo install manually, download the opkssh 
binary and run it:\n\n|           | Download URL |\n|-----------|--------------|\n|🐧 Linux (x86_64)   | [github.com/openpubkey/opkssh/releases/latest/download/opkssh-linux-amd64](https://github.com/openpubkey/opkssh/releases/latest/download/opkssh-linux-amd64) |\n|🐧 Linux (ARM64/aarch64)    | [github.com/openpubkey/opkssh/releases/latest/download/opkssh-linux-arm64](https://github.com/openpubkey/opkssh/releases/latest/download/opkssh-linux-arm64) |\n|🍎 macOS (x86_64)             | [github.com/openpubkey/opkssh/releases/latest/download/opkssh-osx-amd64](https://github.com/openpubkey/opkssh/releases/latest/download/opkssh-osx-amd64) |\n|🍎 macOS (ARM64/aarch64)             | [github.com/openpubkey/opkssh/releases/latest/download/opkssh-osx-arm64](https://github.com/openpubkey/opkssh/releases/latest/download/opkssh-osx-arm64) |\n| ⊞ Win              | [github.com/openpubkey/opkssh/releases/latest/download/opkssh-windows-amd64.exe](https://github.com/openpubkey/opkssh/releases/latest/download/opkssh-windows-amd64.exe) |\n\nTo install on Windows run:\n\n```powershell\ncurl https://github.com/openpubkey/opkssh/releases/latest/download/opkssh-windows-amd64.exe -o opkssh.exe\n```\n\nTo install on macOS run:\n\n```bash\ncurl -L https://github.com/openpubkey/opkssh/releases/latest/download/opkssh-osx-amd64 -o opkssh; chmod +x opkssh\n```\n\nTo install on linux, run:\n\n```bash\ncurl -L https://github.com/openpubkey/opkssh/releases/latest/download/opkssh-linux-amd64 -o opkssh; chmod +x opkssh\n```\n\nor for ARM\n\n```bash\ncurl -L https://github.com/openpubkey/opkssh/releases/latest/download/opkssh-linux-arm64 -o opkssh; chmod +x opkssh\n```\n\n### SSHing with opkssh\n\nAfter downloading opkssh run:\n\n```cmd\nopkssh login\n```\n\nThis opens a browser window to select which OpenID Provider you want to authenticate against.\nAfter successfully authenticating opkssh generates an SSH public key in `~/.ssh/id_ecdsa` which contains your PK Token.\nBy default this ssh key expires 
after 24 hours and you must run `opkssh login` to generate a new ssh key.\n\nSince your PK Token has been saved as an SSH key you can SSH as normal:\n\n```bash\nssh root@example.com\n```\n\nThis works because SSH sends the public key written by opkssh in `~/.ssh/id_ecdsa` to the server and sshd running on the server will send the public key to the opkssh command to verify. This also works for other protocols that build on ssh like [sftp](https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol) or ssh tunnels.\n\n```bash\nsftp root@example.com\n```\n\n### Custom key name\n\n\u003cdetails\u003e\n\u003csummary\u003eInstructions\u003c/summary\u003e\n\n#### SSH command\n\nTell opkssh to store the key pair under the name `opkssh_server_group1`:\n\n```cmd\nopkssh login -i opkssh_server_group1\n```\n\nThen tell ssh to use the generated key pair:\n\n```bash\nssh -o \"IdentitiesOnly=yes\" -i ~/.ssh/opkssh_server_group1 root@example.com\n```\n\nWe recommend specifying `-o \"IdentitiesOnly=yes\"` as it tells ssh to only use the provided key. Otherwise ssh will cycle through other keys in `~/.ssh` first and may not get to the specified ones. 
Servers are configured to allow only 6 attempts by default; the config key is `MaxAuthTries 6`.\n\n\u003c/details\u003e\n\n### Installing on a Server\n\nTo configure a Linux server to use opkssh simply run (with root level privileges):\n\n```bash\nwget -qO- \"https://raw.githubusercontent.com/openpubkey/opkssh/main/scripts/install-linux.sh\" | sudo bash\n```\n\nThis downloads the opkssh binary, installs it as `/usr/local/bin/opkssh`, and then configures ssh to use opkssh as an additional authentication mechanism.\n\nTo allow a user, `alice@gmail.com`, to ssh to your server as `root`, run:\n\n```bash\nsudo opkssh add root alice@gmail.com google\n```\n\nTo allow a group, `ssh-users`, to ssh to your server as `root`, run:\n\n```bash\nsudo opkssh add root oidc:groups:ssh-users google\n```\n\nWe can also enforce policy on custom claims.\nFor instance, to require that root access is granted only to users whose ID Token has a claim `https://acme.com/groups` with the value `ssh-users`, run:\n\n```bash\nsudo opkssh add root oidc:\\\"https://acme.com/groups\\\":ssh-users google\n```\n\nwhich will add that line to your OPKSSH policy file.\n\n## How it works\n\nWe use two features of SSH to make this work.\nFirst we leverage the fact that SSH public keys can be SSH certificates and SSH certificates support arbitrary extensions.\nThis allows us to smuggle your PK Token, which includes your ID Token, into the SSH authentication protocol via an extension field of the SSH certificate.\nSecond, we use the `AuthorizedKeysCommand` configuration option in `sshd_config` (see [sshd_config manpage](https://man.openbsd.org/sshd_config.5#AuthorizedKeysCommand)) so that the SSH server will send the SSH certificate to an installed program that knows how to verify PK Tokens.\n\n## What is supported\n\n### Client support\n\n| OS        | Supported | Tested  | Version Tested          |\n| --------- | --------  | ------- | ----------------------- |\n| Linux     | ✅        | ✅      |  Ubuntu 24.04.1 
LTS     |\n| macOS     | ✅        | ✅      |  macOS 15.3.2 (Sequoia) |\n| Windows11 | ✅        | ✅      |  Windows 11             |\n\n### Server support\n\n| OS               | Supported | Tested | Version Tested         | Possible Future Support |\n| ---------------- | --------  | ------ | ---------------------- | ----------------------- |\n| Linux            | ✅        | ✅     |  Ubuntu 24.04.1 LTS    | -                       |\n| Linux            | ✅        | ✅     |  CentOS 9              | -                       |\n| Linux            | ✅        | ✅     |  Arch Linux            | -                       |\n| Linux            | ✅        | ✅     |  openSUSE Leap 16      | -                       |\n| macOS            | ❌        | ❌     |  -                     | Likely                  |\n| Windows11        | ❌        | ❌     |  -                     | Likely                  |\n\n## Server Configuration\n\nAll opkssh configuration files are space delimited and live on the server.\nBelow we discuss our basic policy system; to read how to configure complex policy rules, see our [documentation on our policy plugin system](docs/policyplugins.md). Using the policy plugin system you can enforce any policy rule that can be computed on a [Turing Machine](https://en.wikipedia.org/wiki/Turing_machine).\n\n### `/etc/opk/providers`\n\n`/etc/opk/providers` contains a list of allowed OPs (OpenID Providers), a.k.a. 
IDPs.\nThis file functions as an access control list that enables admins to determine the OpenID Providers and Client IDs they wish to rely on.\n\n- Column 1: Issuer URI of the OP\n- Column 2: Client-ID, the audience claim in the ID Token\n- Column 3: Expiration policy, options are:\n  - `12h` - user's ssh public key expires after 12 hours,\n  - `24h` - user's ssh public key expires after 24 hours,\n  - `48h` - user's ssh public key expires after 48 hours,\n  - `1week` - user's ssh public key expires after 1 week,\n  - `oidc` - user's ssh public key expires when the ID Token expires,\n  - `oidc-refreshed` - user's ssh public key expires when their refreshed ID Token expires.\n\nBy default we use `24h` as it requires that the user authenticate to their OP once a day. Most OPs expire ID Tokens every one to two hours, so with `oidc` the user will have to sign in multiple times a day. `oidc-refreshed` is supported but complex and not currently recommended unless you know what you are doing.\n\nThe default values for `/etc/opk/providers` are:\n\n```bash\n# Issuer Client-ID expiration-policy\nhttps://accounts.google.com 206584157355-7cbe4s640tvm7naoludob4ut1emii7sf.apps.googleusercontent.com 24h\nhttps://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0 096ce0a3-5e72-4da8-9c86-12924b294a01 24h\n```\n\n`/etc/opk/providers` requires the following permissions (by default we create all configuration files with the correct permissions):\n\n```bash\nsudo chown root:opksshuser /etc/opk/providers\nsudo chmod 640 /etc/opk/providers\n```\n\n### `/etc/opk/auth_id`\n\n`/etc/opk/auth_id` is the global authorized identities file.\nThis is a server wide file where policies can be configured to determine which identities can assume which Linux user accounts.\nLinux user accounts are typically referred to in SSH as *principals* and we continue the use of this terminology.\n\n- Column 1: The principal, i.e., the account the user wants to assume\n- Column 2: Email address or 
subject ID of the user (choose one)\n  - Email - the email of the identity\n  - Subject ID - a unique ID for the user set by the OP. This is the `sub` claim in the ID Token.\n  - Group - the name of the group that the user is part of. This uses the `groups` claim which is presumed to\n    be an array. The group identifier uses a structured identifier, i.e. `oidc:groups:{groupId}`. Replace the `groupId`\n    with the id of your group. If your group claim contains a colon, escape it: `oidc:\"https://acme.com/groups\":{groupId}`.\n- Column 3: Issuer URI\n\n```bash\n# principal email/sub issuer\nalice alice@example.com https://accounts.google.com\nguest alice@example.com https://accounts.google.com\nroot alice@example.com https://accounts.google.com\ndev bob@microsoft.com https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0\n\n# principal group-identifier issuer\ndev oidc:groups:developer https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0\ndev oidc:\"https://acme.com/groups\":developer https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0\n```\n\nTo add a new rule, run:\n\n`sudo opkssh add \u003cuser\u003e \u003cemail/sub/group\u003e \u003cissuer\u003e`\n\nThese `auth_id` files can be edited by hand or you can use the add command to add new policies.\nFor convenience you can use the shorthand `google` or `azure` rather than specifying the entire issuer.\nThis is especially useful in the case of Azure where the issuer contains a long and hard to remember random string. 
For instance:\n\n`sudo opkssh add dev bob@microsoft.com azure`\n\n`/etc/opk/auth_id` requires the following permissions (by default we create all configuration files with the correct permissions):\n\n```bash\nsudo chown root:opksshuser /etc/opk/auth_id\nsudo chmod 640 /etc/opk/auth_id\n```\n\n### `~/.opk/auth_id`\n\nThis is a local version of the auth_id file.\nIt lives in the user's home directory (`/home/{USER}/.opk/auth_id`) and allows users to add or remove authorized identities without requiring root level permissions.\n\nIt can only be used for the user/principal whose home directory it lives in.\nThat is, if it is in `/home/alice/.opk/auth_id` it can only specify who can assume the principal `alice` on the server.\n\n```bash\n# principal email/sub issuer\nalice alice@example.com https://accounts.google.com\n\n# principal group-identifier issuer\ndev oidc:groups:developer https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0\n```\n\nIt requires the following permissions:\n\n```bash\nchown {USER}:{USER} /home/{USER}/.opk/auth_id\nchmod 600 /home/{USER}/.opk/auth_id\n```\n\n### AuthorizedKeysCommandUser\n\nWe use a low privilege user for the SSH AuthorizedKeysCommandUser.\nOur install script creates this user and group automatically by running:\n\n```bash\nsudo groupadd --system opksshuser\nsudo useradd -r -M -s /sbin/nologin -g opksshuser opksshuser\n```\n\nWe then add the following lines to `/etc/ssh/sshd_config`:\n\n```bash\nAuthorizedKeysCommand /usr/local/bin/opkssh verify %u %k %t\nAuthorizedKeysCommandUser opksshuser\n```\n\n## Server Configuration (NixOS)\n\nOn NixOS, you can configure the SSH daemon by **including** the following lines in your config:\n\n```nix\n{ ... 
}:\n\n{\n  services.opkssh = {\n    enable = true;\n\n    providers = {\n      google = {\n        issuer = \"https://accounts.google.com\";\n        clientId =\n          \"206584157355-7cbe4s640tvm7naoludob4ut1emii7sf.apps.googleusercontent.com\";\n        lifetime = \"24h\";\n      };\n    };\n\n    authorizations = [\n      {\n        user = \"YOUR_USERNAME\";\n        principal = \"YOUR_GMAIL\";\n        issuer = \"https://accounts.google.com\";\n      }\n    ];\n  };\n}\n```\n\nSee [search.nixos.org](https://search.nixos.org/options?channel=unstable\u0026query=services.opkssh) for\nall available configuration options.\n\n## Custom OpenID Providers (Authentik, Authelia, Keycloak, Zitadel...)\n\nTo log in using a custom OpenID Provider, run:\n\n```bash\nopkssh login --provider=\"\u003cissuer\u003e,\u003cclient_id\u003e\"\n```\n\nor, in the rare case that a client secret is required by the OpenID Provider:\n\n```bash\nopkssh login --provider=\"\u003cissuer\u003e,\u003cclient_id\u003e,\u003cclient_secret\u003e,\u003cscopes\u003e\"\n```\n\nwhere issuer, client_id and client_secret correspond to the issuer, client ID and client secret of the custom OpenID Provider.\n\nFor example, if the issuer is `https://authentik.local/application/o/opkssh/` and the client ID is `ClientID123`:\n\n```bash\nopkssh login --provider=\"https://authentik.local/application/o/opkssh/,ClientID123\"\n```\n\nTo specify scopes (note the empty client secret field):\n\n```bash\nopkssh login --provider=\"https://authentik.local/application/o/opkssh/,ClientID123,,openid profile email groups\"\n```\n\nYou can also use this shortcut, which uses a provider alias to look up the provider:\n\n```bash\nopkssh login authentik\n```\n\nThis alias-to-provider mapping can be configured using the OPKSSH_PROVIDERS environment variable.\n\n### Client Config File\n\nRather than typing in the provider each time, you can create a client config file by running `opkssh login --create-config` at\n`C:\\Users\\{USER}\\.opk\\config.yml` on Windows and 
`~/.opk/config.yml` on linux.\nYou can then edit this config file to add your provider.\n\n\u003cdetails\u003e\n\u003csummary\u003econfig.yml\u003c/summary\u003e\n\nYou can delete any providers you don't plan on using.\nIf you have a provider you want to open by default, change `default_provider` to the name of your alias of your custom provider.\n\n```yaml\n---\ndefault_provider: webchooser\n\nproviders:\n  - alias: google\n    issuer: https://accounts.google.com\n    client_id: 206584157355-7cbe4s640tvm7naoludob4ut1emii7sf.apps.googleusercontent.com\n    client_secret: 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\n    scopes: openid email profile\n    access_type: offline\n    prompt: consent\n    redirect_uris:\n      - http://localhost:3000/login-callback\n      - http://localhost:10001/login-callback\n      - http://localhost:11110/login-callback\n\n  - alias: azure microsoft\n    issuer: https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0\n    client_id: 096ce0a3-5e72-4da8-9c86-12924b294a01\n    scopes: openid profile email offline_access\n    access_type: offline\n    prompt: consent\n    redirect_uris:\n      - http://localhost:3000/login-callback\n      - http://localhost:10001/login-callback\n      - http://localhost:11110/login-callback\n\n  - alias: gitlab\n    issuer: https://gitlab.com\n    client_id: 8d8b7024572c7fd501f64374dec6bba37096783dfcd792b3988104be08cb6923\n    scopes: openid email\n    access_type: offline\n    prompt: consent\n    redirect_uris:\n      - http://localhost:3000/login-callback\n      - http://localhost:10001/login-callback\n      - http://localhost:11110/login-callback\n\n  - alias: hello\n    issuer: https://issuer.hello.coop\n    client_id: app_xejobTKEsDNSRd5vofKB2iay_2rN\n    scopes: openid email\n    access_type: offline\n    prompt: consent\n    redirect_uris:\n      - http://localhost:3000/login-callback\n      - http://localhost:10001/login-callback\n      - 
http://localhost:11110/login-callback\n```\n\n\u003c/details\u003e\n\n### Environment Variables\n\nInstead of using the `opkssh login --provider` flag you can also configure the providers to use with environment variables.\n\nThe OPKSSH_PROVIDERS variable follows the standard format, with `;` delimiting each provider and `,` delimiting fields within a provider, for instance:\n`{alias},{issuer},{client_id},{client_secret},{scope};{alias},{issuer},{client_id},{client_secret},{scope}...`\n\nYou can set them in your [`.bashrc` file](https://www.gnu.org/software/bash/manual/html_node/Bash-Startup-Files.html) so you don't have to type custom settings each time you run `opkssh login`.\n\n```bash\nexport OPKSSH_DEFAULT=WEBCHOOSER\n# Quote the value: an unquoted ';' would end the shell command and an unquoted space would split the scopes.\nexport OPKSSH_PROVIDERS=\"google,https://accounts.google.com,206584157355-7cbe4s640tvm7naoludob4ut1emii7sf.apps.googleusercontent.com,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;microsoft,https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0,096ce0a3-5e72-4da8-9c86-12924b294a01;gitlab,https://gitlab.com,8d8b7024572c7fd501f64374dec6bba37096783dfcd792b3988104be08cb6923\"\n# Append a custom provider (empty client secret field, then the scopes).\nexport OPKSSH_PROVIDERS=\"$OPKSSH_PROVIDERS;authentik,https://authentik.io/application/o/opkssh/,client_id,,openid profile email\"\n```\n\nOPKSSH_DEFAULT can be set to one of the provider aliases to set the default provider to use when running `opkssh login`.\nWEBCHOOSER will open a browser window to select the provider.\n\n### Redirect URIs\n\nCurrently opkssh supports the following redirect URIs. 
Make sure that the correct redirect URIs have been added at your OpenID Provider:\n\n```\nhttp://localhost:3000/login-callback\nhttp://localhost:10001/login-callback\nhttp://localhost:11110/login-callback\n```\n\n### Security Note: Create a new Client ID for opkssh\n\nDo not reuse a client ID between opkssh and other OpenID Connect services.\nIf the same client ID is used for opkssh as for another OpenID Connect authentication service, then an SSH server could replay the ID Token sent in an opkssh SSH key to authenticate to that service.\nSuch replay attacks can be ruled out by simply using a new client ID with opkssh.\n\nNote that this requirement of using different client IDs for different audiences and uses is not unique to opkssh and is a best practice in OpenID Connect.\n\n### Provider Server Configuration\n\nIn the `/etc/opk/providers` file, add the OpenID Provider as you would any OpenID Provider. For example:\n\n```bash\nhttps://authentik.local/application/o/opkssh/ ClientID123 24h\n```\n\nThen add identities to the policy to allow those identities to SSH to the server:\n\n```bash\nopkssh add root alice@example.com https://authentik.local/application/o/opkssh/\n```\n\n### Tested\n\n| OpenID Provider                                | Tested | Notes                                                                                                   |\n|-----------------------------------------------|--------|--------------------------------------------------------------------------------------------------------|\n| [Authelia](https://www.authelia.com/)          | ✅     | [Authelia Integration Guide](https://www.authelia.com/integration/openid-connect/opkssh/)               |\n| [Authentik](https://goauthentik.io/)           | ✅     | Do not add a certificate in the encryption section of the provider                                      |\n| [AWS Cognito](https://aws.amazon.com/cognito/) | ✅     | [Amazon Cognito Integration Guide](docs/providers/cognito.md)               
                            |\n| [Azure](https://www.azure.com/)                | ✅     | [Entra ID (Azure) Integration Guide](docs/providers/azure.md)                                           |\n| [Gitlab Self-hosted](https://gitlab.com/)      | ✅     | [Configuration guide](docs/gitlab-selfhosted.md)                                                        |\n| [Kanidm](https://kanidm.com/)                  | ✅     | [Kanidm Integration Guide](https://kanidm.github.io/kanidm/master/integrations/oauth2/examples.html#opkssh) |\n| [Keycloak](https://www.keycloak.org)           | ✅     | [Keycloak Integration Guide](docs/providers/keycloak.md)                                                |\n| [PocketID](https://pocket-id.org/)             | ✅     | Create a new OIDC Client and inside the new client, check \"Public client\" on OIDC Client Settings       |\n| [Zitadel](https://zitadel.com/)                | ✅     | Check the UserInfo box on the Token Settings                                                            |\n\nDo not use Confidential/Secret mode; **only** a client ID is needed.\n\n## Developing\n\nFor a complete developer's guide, see [CONTRIBUTING.md](CONTRIBUTING.md)\n\n### Building\n\nRun:\n\n```bash\nCGO_ENABLED=false go build -v -o opkssh\nchmod u+x opkssh\n```\n\nTo build with Docker, run:\n\n```bash\n./hack/build.sh\n```\n\n### Testing\n\nFor unit tests, run:\n\n```bash\ngo test ./...\n```\n\nFor integration tests, run:\n\n```bash\n./hack/integration-tests.sh\n```\n\n## More information\n\n### Documentation\n- [docs/config.md](docs/config.md) Documentation of opkssh configuration files.\n- [docs/policyplugins.md](docs/policyplugins.md) Documentation of opkssh policy plugins and how to use them to implement complex policies.\n- [scripts/installing.md](scripts/installing.md) Documentation of the server install script that opkssh uses to configure an SSH server to accept opkssh SSH certificates. 
Explains how to manually install opkssh on a server.\n\n### Guides\n- [CONTRIBUTING.md](https://github.com/openpubkey/opkssh/blob/main/CONTRIBUTING.md) Guide to contributing to opkssh (includes developer help).\n- [docs/gitlab-selfhosted.md](docs/gitlab-selfhosted.md) Guide on configuring and using a self hosted GitLab instance with opkssh.\n- [docs/paramiko.md](docs/paramiko.md) Guide to using the python SSH paramiko library with opkssh.\n- [docs/putty.md](docs/putty.md) Guide to using PuTTY with opkssh.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenpubkey%2Fopkssh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenpubkey%2Fopkssh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenpubkey%2Fopkssh/lists"}