PATTERN Cited by 1 source
SSO with ephemeral SSH keys¶
Replace long-lived SSH keys (the ~/.ssh/id_rsa file that
users copy between machines and that accumulates in
authorized_keys indefinitely) with short-lived SSH keys
minted from an SSO login. The user signs in to their identity
provider (Google / Azure / Okta / …) once; a fresh SSH keypair
is generated on demand, bound to the user's identity via a
PK Token, and expires within hours (24h
default in OPKSSH). Re-authentication re-mints.
Server-side authorization shifts from "trust this public key" to "trust this email address."
Canonical instance: OPKSSH¶
OPKSSH (Cloudflare / OpenPubkey Linux Foundation, 2025-03-25) is the current canonical instance of this pattern. Flow:
opkssh loginon the client:- Generates an ephemeral SSH keypair.
- Opens a browser; user authenticates to their OIDC OpenID Provider (Google / Azure / Okta / …).
- Builds a PK Token committing the ephemeral public key to the user's identity.
- Writes the SSH keypair and PK Token into
~/.ssh, formatted as an SSH certificate with the PK Token in the extension field. ssh serveruses the generated certificate; SSH's normal handshake transmits it to the server.- Server's
sshdinvokes its configuredAuthorizedKeysCommand— the OpenPubkey verifier — which: - Parses the PK Token from the certificate's extension.
- Verifies the OP's signature on the PK Token.
- Checks expiration.
- Verifies patterns/identity-to-key-binding (PK Token's public key equals session's public key).
- Looks up the user's email in the server's authorized-users ACL.
- Session proceeds if all checks pass.
What changes for operators¶
| Aspect | Classical SSH | SSO with ephemeral keys |
|---|---|---|
| What to trust | Per-key fingerprints in authorized_keys |
Per-user email in ACL |
| Off-boarding | Remove key from every server | Remove user from IdP |
| Key expiration | Never (manual rotation) | Hours (automatic) |
| User moves machines | Copy private key or generate new + re-authorize | Just opkssh login on the new machine |
| Access audit | Opaque key fingerprints | Human-readable email addresses |
| Key-theft blast radius | Indefinite (until someone notices) | Hours (auto-expires) |
| Required trust anchor | Server operators | Existing IdP (no new party) |
Why this is different from an SSH CA¶
A classical SSH CA (BLESS, Smallstep, Teleport) also issues short-lived SSH certificates. This pattern differs in two ways:
- No dedicated CA. The IdP — which the organization already operates for SSO — is the trust root. No new service to run, patch, secure, and audit.
- Ephemeral key is minted client-side. The client generates the keypair locally; only the PK Token (signed by the OP) comes from the identity layer. This is structurally different from a CA that signs client-side CSRs — the OP doesn't learn the SSH public key directly.
Orgs already running an SSH CA may still prefer it for specific reasons (integration with existing tooling, FIPS posture, CA-specific policy enforcement), but the OPKSSH pattern is simpler for orgs that want to consolidate SSH access on their existing IdP.
Variations / relatives¶
ssh-agent+ per-session minting. Long-lived master key inssh-agent, short-lived certificates minted per session — hybrid of classical and fully-ephemeral. Not ingested into the wiki yet.- Hardware-backed keys + identity attestation. Key lives in a TPM / YubiKey; identity proof via OIDC. The key may be long-lived in hardware (can't be extracted) but each use is attested to an identity. Orthogonal to the ephemeral-key dimension.
Failure modes¶
- OP compromise. An adversary who can mint ID Tokens for arbitrary users can SSH as anyone. Inherent to any IdP-backed access control; not unique to this pattern.
- Local key theft. An attacker who reads the user's
.sshdirectory during the 24h window can SSH as them. Same as classical SSH, but blast-radius-bounded by the expiration. - PK Token revocation lag. If a user is off-boarded at the OP, their existing PK Token is still valid until it expires. Typical mitigation: rely on short PK Token lifetime + terminate long-running sessions out-of-band if immediate revocation is needed.
Seen in¶
- sources/2025-03-25-cloudflare-opkssh-open-sourcing —
OPKSSH introduces this pattern under the OpenPubkey umbrella;
24-hour default key lifetime, identity-based server ACL,
opkssh loginminting flow.
Related¶
- systems/opkssh — canonical implementation.
- systems/openssh — the SSH implementation whose
AuthorizedKeysCommandhook makes the pattern server-side install as two config lines. - concepts/ephemeral-credentials — the broader pattern family.
- concepts/sso-authentication — the upstream trust model.
- concepts/pk-token — the primitive making SSO work for SSH.
- patterns/identity-to-key-binding — the verifier check that prevents PK Token replay.
- patterns/ssh-certificate-extension-smuggling — the wire-compat transport.
- patterns/per-boot-ephemeral-key — compute-side sibling (server identity instead of user identity).