{"id":47145867,"url":"https://github.com/prodnull/unix-oidc","last_synced_at":"2026-03-13T00:09:00.532Z","repository":{"id":333976789,"uuid":"1139486846","full_name":"prodnull/unix-oidc","owner":"prodnull","description":"OIDC authentication for Unix/Linux systems with DPoP token binding (Educational/Non-Commercial Use Only)","archived":false,"fork":false,"pushed_at":"2026-02-13T20:55:20.000Z","size":5273,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-13T22:26:48.264Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/prodnull.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":"MAINTAINERS.md","copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-22T02:48:43.000Z","updated_at":"2026-02-13T20:55:17.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/prodnull/unix-oidc","commit_stats":null,"previous_names":["prodnull/unix-oidc"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/prodnull/unix-oidc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prodnull%2Funix-oidc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prodnull%2Funix-oidc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prodnull%2Funix-oidc/releases","manifests_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prodnull%2Funix-oidc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/prodnull","download_url":"https://codeload.github.com/prodnull/unix-oidc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prodnull%2Funix-oidc/sbom","scorecard":{"id":1242178,"data":{"date":"2026-01-23T05:51:33Z","repo":{"name":"github.com/prodnull/unix-oidc","commit":"e6c2ac6f772f99215b20fbe32a27c61654a236c9"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":5.3,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/21 approved changesets -- score normalized to 
0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"CI-Tests","score":-1,"reason":"no pull request found","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}},{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"SAST","score":10,"reason":"SAST tool detected","details":["Info: SAST configuration detected: CodeQL","Info: SAST configuration detected: Snyk","Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:369","Info: jobLevel 'actions' permission set to 'read': .github/workflows/ci.yml:368","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:150","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security.yml:24","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security.yml:73","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security.yml:104","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security.yml:124","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security.yml:165","Info: jobLevel 'actions' permission set to 'read': .github/workflows/security.yml:166","Info: topLevel 'contents' permission set to 'read': .github/workflows/aws-platform-tests.yml:31","Info: topLevel 'contents' permission set to 'read': .github/workflows/build-arm64-ami.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/fuzz.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/integration-arm64-aws.yml:19","Info: topLevel 'contents' permission set to 'read': .github/workflows/integration-multiarch.yml:30","Info: topLevel 'contents' permission set to 'read': .github/workflows/platform-tests.yml:27","Info: topLevel 'contents' permission set to 'read': .github/workflows/provider-tests.yml:20","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:10","Info: found token with 'none' permissions: .github/workflows/security.yml:1","Info: topLevel 'contents' permission set to 'read': 
.github/workflows/test-installer.yml:14","Info: topLevel 'contents' permission set to 'read': .github/workflows/validate-docs.yml:25","Info: topLevel 'contents' permission set to 'read': .github/workflows/verify-idp-templates.yml:28"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: RustCargoFuzzer integration found: fuzz/fuzz_targets/dpop_proof.rs:9","Info: RustCargoFuzzer integration found: fuzz/fuzz_targets/policy_parser.rs:7","Info: RustCargoFuzzer integration found: fuzz/fuzz_targets/token_parser.rs:8","Info: RustCargoFuzzer integration found: fuzz/fuzz_targets/username_mapper.rs:7"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/aws-platform-tests.yml:167: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/aws-platform-tests.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/aws-platform-tests.yml:170: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/aws-platform-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-arm64-ami.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/build-arm64-ami.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-arm64-ami.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/build-arm64-ami.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction 
not pinned by hash: .github/workflows/ci.yml:258: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:261: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:280: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:283: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:293: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:296: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:317: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/ci.yml:114: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:146: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:156: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:171: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:174: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:177: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:220: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:236: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:239: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:333: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:336: update your 
workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:353: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:371: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:374: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:380: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:383: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/fuzz.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/fuzz.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/fuzz.yml:44: update your workflow using 
https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/fuzz.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/fuzz.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/fuzz.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/fuzz.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/fuzz.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration-arm64-aws.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/integration-arm64-aws.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-arm64-aws.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/integration-arm64-aws.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration-arm64-aws.yml:97: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/integration-arm64-aws.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-multiarch.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/integration-multiarch.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration-multiarch.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/integration-multiarch.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-multiarch.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/integration-multiarch.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-multiarch.yml:99: update your 
workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/integration-multiarch.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration-multiarch.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/integration-multiarch.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration-multiarch.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/integration-multiarch.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration-multiarch.yml:158: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/integration-multiarch.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/platform-tests.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/platform-tests.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/platform-tests.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/platform-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/platform-tests.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/platform-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/platform-tests.yml:150: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/platform-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/platform-tests.yml:208: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/platform-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/platform-tests.yml:211: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/platform-tests.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/platform-tests.yml:217: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/platform-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/platform-tests.yml:474: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/platform-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/platform-tests.yml:477: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/platform-tests.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/platform-tests.yml:483: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/platform-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/provider-tests.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/provider-tests.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/provider-tests.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/provider-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/provider-tests.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/provider-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/provider-tests.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/provider-tests.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: 
.github/workflows/provider-tests.yml:125: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/provider-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/provider-tests.yml:159: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/provider-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:116: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:127: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:130: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:153: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:156: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:166: update your workflow using 
https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:205: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:168: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/security.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/security.yml:173: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:180: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/security.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/security.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/security.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/security.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by 
hash: .github/workflows/security.yml:91: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:106: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:126: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/security.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/security.yml:132: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/security.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/security.yml:141: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/security.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/security.yml:150: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-installer.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/test-installer.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-installer.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/test-installer.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-installer.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/test-installer.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate-docs.yml:34: update your workflow using 
https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/validate-docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate-docs.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/validate-docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate-docs.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/validate-docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate-docs.yml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/validate-docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate-docs.yml:220: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/validate-docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate-docs.yml:309: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/validate-docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate-docs.yml:312: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/validate-docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/verify-idp-templates.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/prodnull/unix-oidc/verify-idp-templates.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile.build:2: pin your Docker image by updating rust:1.85-slim-bookworm to rust:1.85-slim-bookworm@sha256:9f841bbe9e7d8e37ceb96ed907265a3a0df7f44e3737d0b100e7907a679acb36","Warn: containerImage not pinned by hash: test/docker/Dockerfile.test-host:2: pin your Docker image by updating ubuntu:22.04 to 
ubuntu:22.04@sha256:c7eb020043d8fc2ae0793fb35a37bff1cf33f156d4d4b12ccc7f3ef8706c38b1","Warn: containerImage not pinned by hash: test/docker/Dockerfile.test-host-multiarch:5: pin your Docker image by updating rust:1.85-bookworm to rust:1.85-bookworm@sha256:e51d0265072d2d9d5d320f6a44dde6b9ef13653b035098febd68cce8fa7c0bc4","Warn: containerImage not pinned by hash: test/docker/Dockerfile.test-host-multiarch:27: pin your Docker image by updating ubuntu:22.04 to ubuntu:22.04@sha256:c7eb020043d8fc2ae0793fb35a37bff1cf33f156d4d4b12ccc7f3ef8706c38b1","Warn: npmCommand not pinned by hash: demo/record-demo.sh:43","Warn: npmCommand not pinned by hash: .github/workflows/validate-docs.yml:43","Warn: npmCommand not pinned by hash: .github/workflows/validate-docs.yml:109","Warn: npmCommand not pinned by hash: .github/workflows/validate-docs.yml:318","Info:   0 out of  67 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  32 third-party GitHubAction dependencies pinned","Info:   0 out of   4 containerImage dependencies pinned","Info:   0 out of   4 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":7,"reason":"3 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: RUSTSEC-2024-0388","Warn: Project is vulnerable to: RUSTSEC-2024-0384","Warn: Project is vulnerable to: RUSTSEC-2025-0134"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"Contributors","score":0,"reason":"project has 0 contributing companies or organizations -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project has a 
set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}}]},"last_synced_at":"2026-01-23T08:36:38.638Z","repository_id":333976789,"created_at":"2026-01-23T08:36:38.638Z","updated_at":"2026-01-23T08:36:38.638Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30450897,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-12T21:31:01.033Z","status":"ssl_error","status_checked_at":"2026-03-12T21:30:43.161Z","response_time":114,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-03-13T00:08:59.934Z","updated_at":"2026-03-13T00:09:00.506Z","avatar_url":"https://github.com/prodnull.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/logo.svg\" alt=\"unix-oidc logo\" width=\"120\" height=\"120\"\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eunix-oidc\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eStep-up authentication layer for Linux SSH and sudo with OIDC\u003c/strong\u003e\n\u003c/p\u003e\n\n\u003e **⚠️ EDUCATIONAL USE ONLY ⚠️**\n\u003e\n\u003e This project is provided for **educational and discussion purposes only**. 
It demonstrates concepts related to OIDC authentication, DPoP token binding, and PAM module development. **It is NOT intended for production use.**\n\u003e\n\u003e Licensed under [CC BY-NC-SA 4.0](LICENSE) (Non-Commercial).\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/prodnull/unix-oidc/blob/main/LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-CC%20BY--NC--SA%204.0-lightgrey.svg\" alt=\"License\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#why-unix-oidc\"\u003eWhy?\u003c/a\u003e •\n  \u003ca href=\"#features\"\u003eFeatures\u003c/a\u003e •\n  \u003ca href=\"#quick-start\"\u003eQuick Start\u003c/a\u003e •\n  \u003ca href=\"#deployment\"\u003eDeployment\u003c/a\u003e •\n  \u003ca href=\"#documentation\"\u003eDocumentation\u003c/a\u003e •\n  \u003ca href=\"#architecture\"\u003eArchitecture\u003c/a\u003e •\n  \u003ca href=\"#learn-more\"\u003eLearn More\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n## Why unix-oidc?\n\nSSH key management at scale is painful. Keys get copied, shared, never rotated, and rarely audited. When someone leaves, do you really know all the servers they had access to?\n\n**[OpenID Connect (OIDC)](https://openid.net/specs/openid-connect-core-1_0.html)** solves identity, but existing tools have significant limitations:\n\n### Open Source Alternatives\n\n| Tool | Limitation |\n|------|------------|\n| [pam_oidc](https://github.com/salesforce/pam_oidc) (Salesforce) | Bearer tokens only—if stolen, attacker has full access. No sudo step-up. |\n| [pam_oauth2_device](https://github.com/ICS-MU/pam_oauth2_device) | Device flow support, but still bearer tokens. No cryptographic binding. |\n| [pam-keycloak-oidc](https://github.com/zhaow-de/pam-keycloak-oidc) | Keycloak-specific. Embeds OTP in password field (hacky UX). |\n| [ssh-oidc](https://github.com/EOSC-synergy/ssh-oidc) | Token passed as password—limited to 1023 bytes by OpenSSH. 
|\n\n### Commercial Alternatives\n\n| Tool | Trade-off |\n|------|-----------|\n| [Teleport](https://goteleport.com/) | Excellent but requires proxy infrastructure. SSH OIDC is enterprise-only ($$$). No sudo step-up. |\n| [Boundary](https://www.boundaryproject.io/) (HashiCorp) | Session brokering focus. Requires Vault integration. Complex architecture. |\n| [Smallstep](https://smallstep.com/) | Certificate-based approach. Requires running your own CA. Different security model. |\n| [StrongDM](https://www.strongdm.com/) | Full PAM solution but significant cost (~$100+/user/year). Vendor lock-in. |\n\n### Feature Comparison\n\n| Feature | unix-oidc | pam-keycloak-oidc | Teleport | Smallstep |\n|---------|-----------|-------------------|----------|-----------|\n| SSH OIDC auth | ✅ | ✅ | Enterprise | ✅ |\n| Sudo step-up | ✅ | ❌ | ❌ | ❌ |\n| DPoP token binding | ✅ | ❌ | ❌ | ❌ |\n| Device flow | ✅ | ❌ | N/A | N/A |\n| ACR enforcement | ✅ | Basic | ❌ | ❌ |\n| SSSD integration | ✅ | ❌ | ❌ | ❌ |\n| Provider-agnostic | ✅ | ❌ | ✅ | ✅ |\n| Self-hosted option | ✅ | ✅ | ✅ | ✅ |\n| Open source | ✅ | ✅ | Partial | Partial |\n\n**unix-oidc** was built to address these gaps:\n\n- **[DPoP token binding](https://datatracker.ietf.org/doc/html/rfc9449)** (RFC 9449): Tokens are cryptographically bound to a key pair. Even if an attacker intercepts a token, they can't use it without the private key. This is the same security model used by modern banking APIs.\n\n- **Sudo step-up authentication**: SSH login is just the beginning. Sensitive commands like `systemctl restart` or `kubectl delete` can require fresh MFA via [OAuth 2.0 Device Authorization Grant](https://datatracker.ietf.org/doc/html/rfc8628) (RFC 8628)—bringing web-grade security to the terminal.\n\n- **Provider-agnostic**: Works with Azure AD, Auth0, Google, Okta, Keycloak, or any OIDC-compliant provider. No vendor lock-in.\n\n- **Memory-safe implementation**: Written in Rust. 
Safe Rust rules out the buffer overflows, use-after-free and other memory corruption bugs that plague C-based [PAM modules](https://www.man7.org/linux/man-pages/man8/pam.8.html); the `unsafe` FFI boundary to libpam and libc is the part of the module that still needs the same scrutiny as C.\n\n- **Security controls**: Rate limiting, [JTI](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7) replay protection, structured audit logging, and alignment with [NIST SP 800-63](https://pages.nist.gov/800-63-3/) digital identity guidelines.\n\n### Developer \u0026 User Experience\n\nEnterprise MFA solutions often create friction that developers actively work around. unix-oidc was designed with usability as a core requirement:\n\n| Pain Point | Traditional MFA | unix-oidc |\n|------------|----------------|-----------|\n| Password fatigue | Yet another password to remember | **No passwords**—use your existing IdP (Google, Azure AD, Okta) |\n| Token management | Hardware tokens to carry, batteries that die | **Phone-based**—device flow works with authenticator apps you already have |\n| SSH workflow disruption | Copy-paste tokens, time-sensitive OTPs | **Transparent**—token passed via SSH auth, cached for session |\n| Sudo interruptions | MFA prompt for every privileged command | **Context-aware**—step-up only for sensitive commands, configurable grace periods |\n| Learning curve | New tools, new interfaces, training required | **Familiar flows**—same \"scan QR, tap approve\" as consumer apps |\n| Network dependencies | VPN required, proxy servers to configure | **Direct to IdP**—works from anywhere your IdP is reachable |\n| Emergency access | Locked out when MFA fails | **Break-glass auth**—configurable fallback for emergencies |\n\n**What developers actually experience:**\n\n```\n$ ssh prod-server.example.com\n→ Browser opens: \"Sign in with Google\" (or your IdP)\n→ Approve on phone if MFA required\n→ You're in. 
Session token cached.\n\n$ sudo systemctl restart critical-service\n→ Phone notification: \"Approve sudo on prod-server?\"\n→ Tap approve\n→ Command runs\n```\n\nNo new passwords. No hardware tokens. No copy-pasting OTPs. Just your existing identity, extended to the terminal.\n\n### A Human-AI Collaboration\n\nThis project was developed collaboratively with [Claude](https://claude.ai) (Anthropic's AI assistant).\n\nThe human contributors brought domain expertise in enterprise identity systems, security architecture, and real-world operational requirements from experience with PAM, LDAP, and SSO at scale. They defined the security requirements, threat model, and ensured the design would work in production environments.\n\n**Claude** contributed rapid prototyping, comprehensive documentation, security analysis (including [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) and [MITRE ATT\u0026CK](https://attack.mitre.org/) mappings), and systematic implementation of the Rust codebase. 
The AI's ability to maintain consistency across a large codebase and generate thorough test coverage accelerated development significantly.\n\nThis collaboration demonstrates that human expertise and AI capabilities can complement each other effectively—humans providing judgment, context, and real-world grounding; AI providing speed, consistency, and tireless attention to detail.\n\n## Features\n\n- **OIDC Authentication for SSH**: Authenticate SSH sessions using [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) tokens\n- **Step-up MFA for Sudo**: Require additional authentication for privileged commands\n  - [OAuth 2.0 Device Authorization Grant](https://datatracker.ietf.org/doc/html/rfc8628) (RFC 8628)\n  - Custom webhook approval workflows\n  - Future: Push notifications, [FIDO2/WebAuthn](https://fidoalliance.org/fido2/)\n- **[DPoP Token Binding](https://datatracker.ietf.org/doc/html/rfc9449)** (RFC 9449): Cryptographically bind tokens to prevent theft\n  - [ES256](https://datatracker.ietf.org/doc/html/rfc7518#section-3.4) and ML-DSA-65 (post-quantum ready)\n  - Replay attack protection\n  - Cross-language libraries: [Rust](rust-oauth-dpop/), [Go](go-oauth-dpop/), [Python](python-oauth-dpop/), [Java](java-oauth-dpop/)\n- **[JWT](https://datatracker.ietf.org/doc/html/rfc7519) Signature Verification**: Cryptographically validates tokens using [JWKS](https://datatracker.ietf.org/doc/html/rfc7517) from OIDC discovery\n- **[SSSD](https://sssd.io/) Integration**: Maps to existing LDAP/AD users via SSSD\n- **Policy-Based Control**: Configure requirements per host classification and command\n- **Audit Logging**: Structured JSON audit events for security monitoring\n- **Multi-Provider Support**: Works with Azure AD, Auth0, Google, Okta, Keycloak, and any OIDC provider\n\n## Quick Start\n\n### Prerequisites\n\n- Linux with PAM support\n- SSSD configured for user directory\n- OIDC-compliant Identity Provider (Keycloak, Azure AD, Okta, etc.)\n\n### 
Installation\n\n```bash\n# Build the PAM module\ncargo build --release\n\n# Install the PAM module. PAM's module directory is distro-specific\n# (/lib/x86_64-linux-gnu/security on Debian/Ubuntu amd64, /lib64/security on\n# RHEL-family): use whichever directory already holds pam_unix.so.\nsudo cp target/release/libpam_unix_oidc.so /lib/security/pam_unix_oidc.so\n\n# Create configuration directory\nsudo mkdir -p /etc/unix-oidc\n\n# Copy example policy\nsudo cp examples/policy.yaml /etc/unix-oidc/policy.yaml\n```\n\n### Configuration\n\nSet environment variables:\n\n```bash\nexport OIDC_ISSUER=\"https://your-idp.example.com/realms/your-realm\"\nexport OIDC_CLIENT_ID=\"unix-oidc\"\n```\n\nConfigure PAM for SSH (`/etc/pam.d/sshd`):\n\n```\nauth    sufficient    pam_unix_oidc.so\nauth    required      pam_unix.so try_first_pass\n```\n\nThis stack only runs when `UsePAM yes` is set in `sshd_config`, and a module that has to prompt or drive a device-code conversation also needs `KbdInteractiveAuthentication yes` (`ChallengeResponseAuthentication yes` before OpenSSH 8.7). Because the module is `sufficient`, a successful OIDC authentication ends the stack and a failure falls through to the local password.\n\nConfigure PAM for sudo (`/etc/pam.d/sudo`):\n\n```\nauth    required    pam_unix_oidc.so\nauth    required    pam_unix.so try_first_pass\n```\n\nBoth entries are `required`, so sudo needs the OIDC step-up and the local password; if the step-up cannot complete (for example because the IdP is unreachable) the stack fails, which is what the break-glass fallback is for.\n\n## Deployment\n\nReady to deploy? We provide multiple paths from quick demos to production infrastructure.\n\n### Quick Start Options\n\n| Path | Time | Description |\n|------|------|-------------|\n| [5-Minute Demo](deploy/quickstart/5-minute-demo.md) | 5 min | Docker-based, zero setup required |\n| [15-Minute Production](deploy/quickstart/15-minute-production.md) | 15 min | Real server with your IdP |\n\n### One-Line Installer\n\n```bash\n# The script is served from the mutable main branch, not from a signed or tagged release:\n# download it, read it, then run it instead of piping it straight into bash.\ncurl -fsSL https://raw.githubusercontent.com/prodnull/unix-oidc/main/deploy/installer/install.sh | bash\n```\n\n### Infrastructure as Code\n\n| Tool | Directory | Description |\n|------|-----------|-------------|\n| **Terraform** | [deploy/terraform/](deploy/terraform/) | AWS, GCP, Azure modules |\n| **Ansible** | [deploy/ansible/](deploy/ansible/) | Configuration management role |\n| **Chef** | [deploy/chef/](deploy/chef/) | Cookbook for Chef users |\n| **Puppet** | [deploy/puppet/](deploy/puppet/) | Puppet module |\n\n### IdP Setup Guides\n\nPre-built configurations for popular identity providers:\n\n| Provider | Guide |\n|----------|-------|\n| Keycloak | [deploy/idp-templates/keycloak/](deploy/idp-templates/keycloak/) |\n| Okta | 
[deploy/idp-templates/okta/](deploy/idp-templates/okta/) |\n| Azure AD | [deploy/idp-templates/azure-ad/](deploy/idp-templates/azure-ad/) |\n| Auth0 | [deploy/idp-templates/auth0/](deploy/idp-templates/auth0/) |\n\nSee [deploy/README.md](deploy/README.md) for comprehensive deployment documentation.\n\n## Development\n\n```bash\n# Start test environment (Keycloak, LDAP, test host)\nmake dev-up\n\n# Run unit tests\ncargo test\n\n# Run integration tests\nmake test-integration\n\n# Stop test environment\nmake dev-down\n```\n\n## Documentation\n\n### User Documentation\n- [Installation Guide](docs/installation.md) - Installing and configuring unix-oidc\n- [Community Testing Guide](docs/community-testing-guide.md) - Help us test on different platforms\n- [User Guide](docs/user-guide.md) - Day-to-day usage for end users\n- [Sudo Step-Up Authentication](docs/sudo-step-up.md) - Step-up configuration reference\n- [Deployment Patterns](docs/deployment-patterns.md) - Choose the right deployment for your environment\n\n### Security Documentation\n- [Security Guide](docs/security-guide.md) - Hardening, compliance, and best practices\n- [Threat Model](docs/THREAT_MODEL.md) - Security analysis with NIST CSF and MITRE ATT\u0026CK mapping\n- [Security Policy](SECURITY.md) - Vulnerability reporting\n\n### Developer Documentation\n- [Testing Guide](docs/testing.md) - Running tests at all levels\n- [Extensibility Guide](docs/extensibility-guide.md) - Webhooks, custom mappers, and plugins\n- [Architecture Decision Records](docs/adr/) - Design decisions and rationale\n- [Contributing](CONTRIBUTING.md) - How to contribute\n\n## Architecture\n\nunix-oidc works with **any OIDC-compliant Identity Provider**:\n\n| Provider | Status | Notes |\n|----------|--------|-------|\n| Azure AD (Entra ID) | Tested | Enterprise SSO, Conditional Access |\n| Auth0 | Tested | Developer-friendly, free tier |\n| Google Cloud Identity | Tested | Google Workspace integration |\n| Okta | Supported | Enterprise 
IdP |\n| Keycloak | Tested | Self-hosted, used in our CI |\n| Any OIDC Provider | Supported | Must support Device Authorization Grant |\n\n### Basic Architecture\n\n```\n┌──────────────┐     ┌──────────────┐     ┌──────────────┐\n│   SSH/Sudo   │────\u003e│  PAM Module  │────\u003e│   OIDC IdP   │\n│   Client     │     │  (unix-oidc) │     │  (Your IdP)  │\n└──────────────┘     └──────┬───────┘     └──────────────┘\n                           │\n                           v\n                     ┌──────────────┐\n                     │     SSSD     │\n                     │  (user dir)  │\n                     └──────────────┘\n```\n\n### Deployment Patterns\n\n**Pattern A: Direct to Cloud IdP** (Simplest)\n- Point unix-oidc directly at Azure AD, Auth0, Google, or Okta\n- Users authenticate with their existing cloud identity\n- Best for: Organizations already using a cloud IdP\n\n**Pattern B: Self-hosted IdP** (Full Control)\n- Deploy Keycloak or similar on your infrastructure\n- Full control over authentication policies\n- Best for: Air-gapped environments, compliance requirements\n\n**Pattern C: Federated via Keycloak** (Hybrid)\n- Keycloak brokers to upstream IdPs (Azure AD, Google, etc.)\n- Centralized policy enforcement\n- Best for: Multi-IdP environments, complex mapping requirements\n\nSee [docs/deployment-patterns.md](docs/deployment-patterns.md) for detailed guidance.\n\n## Testing Status\n\n### What We've Tested\n\n| Component | Environment | Status |\n|-----------|-------------|--------|\n| **Identity Providers** | | |\n| Keycloak | CI (automated) | ✅ Fully tested |\n| Auth0 | CI (automated) | ✅ Fully tested |\n| Google Cloud Identity | CI (automated) | ✅ Fully tested |\n| Azure AD (Entra ID) | Manual testing | ⚠️ Basic flows tested |\n| Okta | Not yet tested | 🔄 Community reports welcome |\n| **Operating Systems** | | |\n| Ubuntu 22.04 LTS | CI (automated) | ✅ Fully tested |\n| Ubuntu 24.04 LTS | Manual testing | ✅ Tested |\n| RHEL 9 | CI (automated) | 
✅ Fully tested |\n| Amazon Linux 2023 | CI (automated) | ✅ Fully tested |\n| Amazon Linux 2 | CI (automated) | ✅ Fully tested |\n| Rocky 9 | Not yet tested | 🔄 Marketplace subscription required |\n| Debian 12 | Not yet tested | 🔄 SSM Agent compatibility issues |\n\n### Enterprise Readiness\n\nThis is a **beta release**. While the core security mechanisms (DPoP binding, token validation, rate limiting) are thoroughly tested, enterprise deployments should consider:\n\n- **Additional IdP testing**: If you're using Azure AD, Okta, or another IdP in production, please test and report your experience\n- **OS compatibility**: Test on your target OS and report any issues\n- **Scale testing**: We haven't yet tested with hundreds of concurrent authentications\n- **HA/failover**: Document your high-availability setup if you deploy one\n\n**We welcome contributions!** If you test unix-oidc with an IdP or OS not listed above, please:\n1. Open an issue with your test results\n2. Submit a PR to update this table\n3. Share your deployment configuration (sanitized) to help others\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for how to contribute.\n\n### CI Infrastructure\n\nOur CI includes:\n- **Unit tests**: Rust test suite runs on every PR\n- **Integration tests**: Keycloak in Docker for OIDC flow testing\n- **AWS Platform Tests**: Real EC2 instances testing Ubuntu 22.04, RHEL 9, Amazon Linux 2, and Amazon Linux 2023\n- **Security scanning**: Dependabot, cargo-audit, cargo-deny, Snyk, TruffleHog, OSSF Scorecard\n\nThis testing infrastructure is **not** a requirement for production—use whatever OIDC provider your organization already has.\n\n## Security Design\n\nunix-oidc is designed with defense in depth for key material. 
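The key material in question is the DPoP private key, and what it buys is easiest to see in code. The following is an added example written for this page in Go with only the standard library; it is not code from this repository or from its `go-oauth-dpop` library, and the `NewProof`/`Verifier` names, the `https://idp.example/userinfo` URL and the token string are illustrative. The client signs a proof carrying `htm`, `htu`, `iat`, `jti` and `ath`; the receiving side recomputes the RFC 7638 thumbprint of the header `jwk`, compares it with the token's `cnf.jkt`, verifies the ES256 signature, checks the request binding and the `iat` window, and rejects a reused `jti`. Validation of the access token itself (JWKS signature, `iss`, `aud`, `exp`) is assumed to have happened already and is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
func hashB64(s string) string { h := sha256.Sum256([]byte(s)); return b64.EncodeToString(h[:]) }

// jwk is the proof's public key as carried in the JOSE header (EC P-256 only in this example).
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func publicJWK(k *ecdsa.PublicKey) jwk {
	return jwk{Kty: "EC", Crv: "P-256", X: b64.EncodeToString(k.X.FillBytes(make([]byte, 32))), Y: b64.EncodeToString(k.Y.FillBytes(make([]byte, 32)))}
}

// Thumbprint is RFC 7638 (SHA-256 over the required members in lexical order); the IdP puts it in cnf.jkt.
func (j jwk) Thumbprint() string {
	return hashB64(`{"crv":"` + j.Crv + `","kty":"` + j.Kty + `","x":"` + j.X + `","y":"` + j.Y + `"}`)
}

type header struct{ Typ, Alg string; JWK jwk } // no tags: encoding/json matches names case-insensitively on decode
type claims struct{ JTI, HTM, HTU, ATH string; IAT int64 }

// NewProof signs a DPoP proof for one HTTP request that carries accessToken (RFC 9449 section 4.2).
func NewProof(key *ecdsa.PrivateKey, method, uri, accessToken string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": publicJWK(&key.PublicKey)})
	cl, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": method, "htu": uri,
		"iat": now.Unix(), "ath": hashB64(accessToken)}) // ath ties this proof to this particular token
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(cl)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256 is raw R||S
	return input + "." + b64.EncodeToString(sig), nil
}

// Verifier is the receiving side's replay cache (jti -> first seen); a production cache must also evict
// entries older than the iat window, which this example omits.
type Verifier map[string]time.Time

// Verify runs the RFC 9449 section 4.3 checks; jkt is the cnf.jkt claim of the already-validated token.
func (v Verifier) Verify(proof, method, uri, accessToken, jkt string, now time.Time) error {
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b } // bad base64 -> nil, rejected below
	parts := strings.Split(proof, ".")
	var h, c = header{}, claims{}
	if len(parts) != 3 || json.Unmarshal(dec(parts[0]), &h) != nil || json.Unmarshal(dec(parts[1]), &c) != nil {
		return errors.New("malformed proof")
	}
	sb := dec(parts[2])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(h.JWK.X)), Y: new(big.Int).SetBytes(dec(h.JWK.Y))}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	switch {
	case h.Typ != "dpop+jwt" || h.Alg != "ES256" || h.JWK.Kty != "EC" || h.JWK.Crv != "P-256":
		return errors.New("unexpected typ, alg or key type")
	case h.JWK.Thumbprint() != jkt: // binding: a stolen token presented with any other key fails here
		return errors.New("proof key does not match token cnf.jkt")
	case len(sb) != 64 || !pub.Curve.IsOnCurve(pub.X, pub.Y) ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sb[:32]), new(big.Int).SetBytes(sb[32:])):
		return errors.New("bad signature")
	case c.HTM != method || c.HTU != uri:
		return errors.New("proof was made for a different request")
	case now.Sub(time.Unix(c.IAT, 0)).Abs() > time.Minute: // iat acceptance window
		return errors.New("iat outside acceptance window")
	case c.ATH != hashB64(accessToken):
		return errors.New("ath does not match the presented access token")
	case !v[c.JTI].IsZero(): // replay protection: each jti is accepted once
		return errors.New("replayed jti")
	}
	v[c.JTI] = now
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	proof, _ := NewProof(key, "GET", "https://idp.example/userinfo", "constructed-opaque-token", time.Now())
	fmt.Println(Verifier{}.Verify(proof, "GET", "https://idp.example/userinfo", "constructed-opaque-token", publicJWK(&key.PublicKey).Thumbprint(), time.Now()))
}
```

A fresh proof verifies; presenting the same proof twice fails on `jti`, a proof for another method or URL fails on the request binding, and a proof signed by a second key fails on the thumbprint before the signature is even examined. That last check is the difference between a DPoP-bound token and a bearer token: the token alone, copied out of a session, is useless without the private key that the memory-protection measures below exist to guard.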
This section summarizes the memory and storage protection model for operators and contributors.\n\n### Memory protection\n\n| Mechanism | What it protects | Limitation |\n|-----------|-----------------|------------|\n| `zeroize` on drop (`ecdsa-0.16`) | DPoP private key bytes zeroed when struct is dropped | `zeroize` guarantees the write is not optimized away (volatile writes plus compiler fences), but not that every copy the compiler made (moves, spills, registers) is cleared |\n| `mlock(2)` / `PR_SET_DUMPABLE` | Key pages locked in RAM so they are never swapped; core dumps disabled | Does not protect against root or kernel access; `mlock` failure (for example an exhausted `RLIMIT_MEMLOCK`) is non-fatal, and the key can then be swapped out |\n| `secrecy::SecretString` for tokens | OAuth tokens show `[REDACTED]` in all logs/traces | Raw value accessible via `.expose_secret()` — audit boundary is grep-searchable |\n| `Box`-only `ProtectedSigningKey` | No stack copies of key material | Only protects within the process: signing still handles the scalar transiently on the stack and in registers, and memory forensics by root can still read the heap |\n\n### Secure deletion\n\n`FileStorage::delete()` performs a three-pass overwrite in the style of DoD 5220.22-M before unlinking:\n- Pass 1: random bytes, `fsync`\n- Pass 2: complement of pass 1 (XOR 0xFF), `fsync`\n- Pass 3: new random bytes, `fsync`, then `unlink`\n\n**CoW filesystem warning**: On btrfs (Linux) and APFS (macOS), copy-on-write semantics mean overwrites may not modify the original data blocks. The agent logs a `WARN` advisory if CoW storage is detected at startup and before each key deletion.\n\n**SSD wear leveling warning**: Flash storage firmware may redirect writes to spare blocks, so on flash an overwrite is at most a *Clear* in NIST SP 800-88 terms, never a *Purge*. The agent logs a `WARN` advisory on Linux when non-rotational storage is detected.\n\n**Recommendation**: Use full-disk encryption (LUKS on Linux, FileVault on macOS) when deploying on CoW filesystems or SSDs; there, discarding the volume key (cryptographic erase) is what actually makes the key material unrecoverable. Secure overwrite is complementary to, not a substitute for, FDE on those platforms. 
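The three passes above, applied to an ordinary file, as an added example in Go using only the standard library. This is not the project's `FileStorage::delete()`; the function names and the temp-file path are illustrative, and `O_NOFOLLOW` assumes Linux or another Unix. Each pass reads the current chunk back, replaces it in place and ends with `fsync`; the open refuses symlinks so a planted link cannot redirect the overwrite to a file elsewhere; and the parent directory is synced after `unlink`. None of this changes the CoW and flash caveats: the code cannot tell whether the old blocks were actually reused.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"syscall"
)

const chunkSize = 64 * 1024 // bounded memory no matter how large the file is

// overwritePass rewrites every byte of f in place. gen receives the bytes currently on disk for
// each chunk and replaces them; the pass ends with fsync so the data is handed to the device
// before the next pass starts. On CoW filesystems and flash this still does not prove the old
// blocks were reused, which is exactly the limitation the README warns about.
func overwritePass(f *os.File, size int64, gen func(cur []byte) error) error {
	buf := make([]byte, chunkSize)
	for off := int64(0); off < size; off += chunkSize {
		n := int64(chunkSize)
		if size-off < n {
			n = size - off
		}
		cur := buf[:n]
		if _, err := f.ReadAt(cur, off); err != nil && err != io.EOF {
			return err
		}
		if err := gen(cur); err != nil {
			return err
		}
		if _, err := f.WriteAt(cur, off); err != nil {
			return err
		}
	}
	return f.Sync()
}

func fillRandom(cur []byte) error { _, err := rand.Read(cur); return err }

// complement flips every bit of what the previous pass left on disk (XOR 0xFF).
func complement(cur []byte) error {
	for i := range cur {
		cur[i] = ^cur[i]
	}
	return nil
}

// OverwriteFile runs the three passes: random, complement of pass 1, fresh random.
func OverwriteFile(f *os.File) error {
	st, err := f.Stat()
	if err != nil {
		return err
	}
	if !st.Mode().IsRegular() {
		return errors.New("refusing to overwrite a non-regular file")
	}
	for _, gen := range []func([]byte) error{fillRandom, complement, fillRandom} {
		if err := overwritePass(f, st.Size(), gen); err != nil {
			return err
		}
	}
	return nil
}

// SecureDelete overwrites path and unlinks it. O_NOFOLLOW makes the open fail on a symlink, so a
// link planted in the key directory cannot redirect the overwrite to a file elsewhere (Unix only).
func SecureDelete(path string) error {
	f, err := os.OpenFile(path, os.O_RDWR|syscall.O_NOFOLLOW, 0)
	if err != nil {
		return err
	}
	if err := OverwriteFile(f); err != nil {
		f.Close()
		return err
	}
	if err := f.Close(); err != nil {
		return err
	}
	if err := os.Remove(path); err != nil {
		return err
	}
	// Make the unlink itself durable by syncing the parent directory (best effort: not every
	// filesystem accepts fsync on a directory handle).
	if d, err := os.Open(filepath.Dir(path)); err == nil {
		_ = d.Sync()
		d.Close()
	}
	return nil
}

func main() {
	path := filepath.Join(os.TempDir(), "unix-oidc-example.key") // constructed sample file
	_ = os.WriteFile(path, []byte("constructed private key material"), 0o600)
	fmt.Println("secure delete:", SecureDelete(path))
}
```

Reading each chunk back before the complement pass is what makes pass 2 the true inverse of pass 1 without keeping the whole file in memory; refusing non-regular files and symlinks is the check that keeps a deletion routine running as root from being turned into a write primitive against arbitrary paths.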
See [NIST SP 800-88 Rev 1](https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final) §2.5 for background.\n\n### For contributors\n\nSee `CLAUDE.md` — **Memory Protection Invariants** section — for the complete set of invariants, rationale, and known limitations. Security-critical files:\n\n| File | What it protects |\n|------|-----------------|\n| `unix-oidc-agent/src/crypto/protected_key.rs` | DPoP key lifecycle (zeroize, mlock, Box-only) |\n| `unix-oidc-agent/src/storage/secure_delete.rs` | Three-pass overwrite, CoW/SSD detection |\n| `unix-oidc-agent/src/security.rs` | Core dump disabling (`prctl`/`ptrace`) |\n\n## Security\n\nSee [SECURITY.md](SECURITY.md) for vulnerability reporting and security design principles.\n\n## Learn More\n\nThis project implements several important security standards. Here are resources to learn more:\n\n### Standards \u0026 RFCs\n- **[RFC 9449 - DPoP](https://datatracker.ietf.org/doc/html/rfc9449)**: Demonstrating Proof of Possession—how we bind tokens to keys\n- **[RFC 8628 - Device Authorization Grant](https://datatracker.ietf.org/doc/html/rfc8628)**: OAuth 2.0 flow for devices without browsers\n- **[RFC 7519 - JSON Web Token (JWT)](https://datatracker.ietf.org/doc/html/rfc7519)**: The token format we validate\n- **[RFC 7517 - JSON Web Key (JWK)](https://datatracker.ietf.org/doc/html/rfc7517)**: How public keys are published\n- **[OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)**: The identity layer on OAuth 2.0\n\n### Security Frameworks\n- **[NIST SP 800-63](https://pages.nist.gov/800-63-3/)**: Digital Identity Guidelines—our authentication assurance levels align with these\n- **[NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)**: Risk management framework we map our controls to\n- **[MITRE ATT\u0026CK](https://attack.mitre.org/)**: Threat modeling framework we use for attack analysis\n\n### Linux Security\n- 
**[Linux-PAM](https://www.man7.org/linux/man-pages/man8/pam.8.html)**: Pluggable Authentication Modules documentation\n- **[SSSD](https://sssd.io/)**: System Security Services Daemon for identity management\n\n## License\n\nThis work is licensed under the [Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0)](LICENSE).\n\n**This project is for educational and discussion purposes only. It is NOT intended for production use.**\n\nSee [LICENSE](LICENSE) for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprodnull%2Funix-oidc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprodnull%2Funix-oidc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprodnull%2Funix-oidc/lists"}