Cloudflare has released OPKSSH (OpenPubkey SSH), a tool that enables SSH authentication via OpenID Connect (OIDC), allowing administrators to replace traditional SSH keys with identity-based access. This new approach eliminates the need for managing static SSH keys and provides a streamlined, secure way to handle access to systems.

OPKSSH has been open-sourced under the OpenPubkey project, an initiative already under the umbrella of the Linux Foundation since 2023. Originally developed by BastionZero, a company now part of Cloudflare, this tool represents a significant advancement in managing infrastructure access, allowing for robust and standardized authentication through identity providers.

Key Benefits of OPKSSH

  1. Enhanced Security: OPKSSH eliminates the use of long-lived SSH keys, replacing them with ephemeral SSH keys generated on-demand. These keys automatically expire in 24 hours (configurable), reducing the risk of key compromise and limiting the window of time during which an attacker could exploit a stolen key.
  2. Improved Usability: SSH authentication becomes as simple as signing in to an identity provider. With OPKSSH, users no longer need to manually copy SSH private keys to different machines. Instead, they can use the command opkssh login to generate an SSH key on any computer with OPKSSH installed, making SSH access seamless.
  3. Better Visibility and Access Control: OPKSSH transitions from public key authorization to identity-based authorization. Instead of exchanging SSH keys, administrators can simply add users by their email address to an authorized users file. This approach enhances access management, as administrators can easily track who has access based on their identity, rather than managing cryptographic keys.

Enhancements to OpenPubkey

The OpenPubkey project already had preliminary code for using SSH through OpenPubkey, but only as a prototype. With the release of OPKSSH, SSH support in OpenPubkey is now a fully functional feature ready for production environments. Key improvements include:

  • Production-ready SSH in OpenPubkey
  • Automated installation of required components
  • Improved configuration tools for easier management

How OPKSSH Works

OPKSSH builds on SSH’s ability to handle SSH certificates and extends their functionality to include OpenID Connect tokens. It uses the PK Token, which includes the ID Token from OpenID Connect, and integrates it into the SSH authentication process. This allows the SSH server to authenticate users by verifying their identity using tokens issued by their OpenID Connect provider.

To use OPKSSH, administrators install the tool on their servers, configuring SSH to accept it as an additional authentication method. Once set up, users can log in using their OpenID Connect credentials without needing traditional SSH keys.

Installation and Setup

Installing OPKSSH on the server is straightforward. It can be done automatically using a script on Linux, or manually with available binaries for Linux, macOS, and Windows. After installation, administrators can add authorized users by specifying their OpenID Connect identifiers (email addresses or subject IDs), and configure the server to only accept SSH keys generated through OPKSSH.

Users simply run the opkssh login command, which opens a browser window for authentication with their identity provider. Once authenticated, the system generates a temporary SSH key, allowing them to authenticate on servers configured to use OPKSSH.
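The server-side decision the two sections above describe, reduced to its core, as an added example that is not opkssh's own code: decode the ID token claims carried in the PK Token, enforce the 24-hour lifetime, and look the email address or subject ID up in an authorized users file. The three-column policy layout, the constructed sample token and the authorize() helper are assumptions for this illustration; a real server must verify the token signature against the provider's published keys before this step.

```python
import base64
import json
import time

# Constructed policy for this example, one rule per line:
#   <linux principal> <email or OIDC subject> <issuer>
# The column layout is an assumption, not opkssh's real file format.
POLICY_TEXT = """\
root   alice@example.com  https://accounts.google.com
deploy 1234567890         https://accounts.google.com
"""

def parse_policy(text):
    """Return (principal, identity, issuer) tuples, skipping blank and comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            principal, identity, issuer = line.split()
            rules.append((principal, identity, issuer))
    return rules

def id_token_claims(token):
    """Decode the claims of a compact JWS ID token (header.payload.signature).
    Signature verification against the provider's JWKS is assumed to have
    happened before this step; it is not shown here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def authorize(token, policy_text, requested_user, now=None, max_age=24 * 3600):
    """Return True if the identity in the token may log in as requested_user."""
    now = time.time() if now is None else now
    claims = id_token_claims(token)
    # Reject expired tokens and tokens older than the 24h window the article describes.
    if claims.get("exp", 0) <= now or now - claims.get("iat", 0) > max_age:
        return False
    # The subject is always usable; an email only counts if the provider verified it.
    identities = {claims.get("sub")}
    if claims.get("email_verified") is True:
        identities.add(claims.get("email"))
    for principal, identity, issuer in parse_policy(policy_text):
        if principal == requested_user and identity in identities and issuer == claims.get("iss"):
            return True
    return False

def make_token(claims):
    """Assemble an unsigned compact token so the example runs offline (test input only)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".signature"
```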

Compatibility with Identity Providers

OPKSSH supports major identity providers like Google, Microsoft/Azure, and GitLab. Additionally, administrators can configure OPKSSH to integrate with other identity providers through OpenID Connect, ensuring that the tool can be adapted to various organizational infrastructures.

Conclusion

The open-sourcing of OPKSSH marks a significant milestone in SSH authentication for corporate and cloud environments. By adopting OpenID Connect and eliminating static SSH keys, OPKSSH provides a more secure, user-friendly, and efficient way to manage server access, without compromising security or traceability. This advancement aligns with the growing need for integrated identity-based authentication in modern systems, helping protect critical infrastructures against both internal and external threats.
