
OPKSSH (OpenPubkey SSH)

OPKSSH (OpenPubkey SSH) is an open-source tool (Apache 2.0, github.com/openpubkey/opkssh) that lets users SSH using single sign-on (OpenID Connect — Google / Azure / Okta / etc.) without managing long-lived SSH keys. Built by BastionZero (acquired by Cloudflare 2024), donated to the OpenPubkey Linux Foundation project 2025-03-25.

What it does

  1. opkssh login generates an ephemeral SSH keypair and runs the OpenPubkey OIDC flow (browser pops open, user signs in to their IdP).
  2. The IdP issues an ID Token; OpenPubkey extends it into a PK Token that commits to the ephemeral public key and the user's identity.
  3. OPKSSH packages the PK Token into an SSH certificate extension field so the whole thing travels as a normal SSH public key.
  4. On the server side, sshd's AuthorizedKeysCommand is pointed at the OpenPubkey verifier, which parses the PK Token, verifies its signature against the OP, checks the public-key binding, and looks up the user's email in an authorized-users ACL.

Why it matters

  • Eliminates long-lived SSH keys. Default key expiration is 24 hours; configurable. Users don't copy private keys between machines — they sign in from any machine with opkssh installed.
  • No protocol or binary changes. Zero modifications to the SSH client or SSH server code. The server side is two lines in sshd_config:
      AuthorizedKeysCommand /usr/local/bin/opkssh verify %u %k %t
      AuthorizedKeysCommandUser root
  • Identity-based authorization. Server operators add alice@example.com to an ACL file instead of copying Alice's public key. Access auditing reads as email addresses, not key fingerprints.
  • No new trusted third party. The only trust anchor is the IdP the user already uses for SSO. No cloud SSH bastion, no dedicated SSH CA.

How the PK Token rides SSH

SSH has two public-key formats: plain public keys, and SSH certificates. Certificates have an extension field holding arbitrary data. OPKSSH puts the PK Token there. From the SSH server's perspective, nothing unusual is happening — a certificate arrives, the configured AuthorizedKeysCommand is called to validate it, and the command returns success/failure. All OPKSSH-specific logic is in that command (the verifier).

Canonical instance of patterns/ssh-certificate-extension-smuggling.
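As an added example (not code from this page or from the opkssh project), the wire format the section above describes: a minimal Go encoder and a bounds-checked decoder for the certificate extensions field, with the PK Token carried in one (name, data) pair. The extension name openpubkey-pkt and the token string in main are constructed placeholders for this example, not the project's values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// An SSH certificate's "extensions" field (PROTOCOL.certkeys) is one SSH string
// containing a sequence of (name, data) string pairs in lexical name order, where
// each string is a uint32 big-endian length followed by that many bytes. Putting
// the PK Token in one such pair is what lets it travel inside an ordinary certificate.

// sshString encodes b as an SSH wire string: 4-byte big-endian length, then bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// packExtensions serializes pairs, which the caller supplies in lexical name order
// as the certificate format requires.
func packExtensions(pairs [][2]string) []byte {
	var out []byte
	for _, p := range pairs {
		out = append(out, sshString([]byte(p[0]))...)
		out = append(out, sshString([]byte(p[1]))...)
	}
	return out
}

// unpackExtensions parses the field back. Every length is checked against the bytes
// actually present before slicing, since this is untrusted certificate input.
func unpackExtensions(b []byte) (map[string]string, error) {
	ext := map[string]string{}
	next := func() (string, error) {
		if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
			return "", errors.New("truncated SSH string in extensions")
		}
		n := 4 + binary.BigEndian.Uint32(b)
		s := string(b[4:n])
		b = b[n:]
		return s, nil
	}
	for len(b) > 0 {
		name, err := next()
		if err != nil {
			return nil, err
		}
		data, err := next()
		if err != nil {
			return nil, err
		}
		if _, dup := ext[name]; dup {
			return nil, errors.New("duplicate extension " + name)
		}
		ext[name] = data
	}
	return ext, nil
}

// pkTokenFromExtensions pulls the PK Token out of a parsed extensions map.
// "openpubkey-pkt" is an assumed extension name for this example, not the project's.
func pkTokenFromExtensions(ext map[string]string) (string, error) {
	tok, ok := ext["openpubkey-pkt"]
	if !ok {
		return "", errors.New("no PK Token extension present")
	}
	return tok, nil
}

func main() {
	// Constructed sample: a placeholder token string beside a normal OpenSSH extension.
	ext := packExtensions([][2]string{{"openpubkey-pkt", "eyJhbGciOi.eyJlbWFpbCI6.c2ln"}, {"permit-pty", ""}})
	parsed, err := unpackExtensions(ext)
	fmt.Println(parsed, err)
	_, err = unpackExtensions(ext[:len(ext)-3]) // truncated input is rejected, not read past the end
	fmt.Println(err)
}
```

The decoder rejects a length prefix that exceeds the remaining bytes and a repeated extension name; the extensions field is the first untrusted certificate data the verifier reads, so a parser that trusts the length prefix is where a malformed certificate would do damage before any signature is checked.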

Verifier invariants

The OpenPubkey verifier checks four things:

  1. Signature. PK Token is signed by the OP (using the OP's published JWKS).
  2. Expiration. PK Token is unexpired per its exp claim (and per OPKSSH's own configured policy, default 24h).
  3. Public-key binding. The public key inside the PK Token matches the public key field in the SSH handshake — this prevents replay against a different session keypair.
  4. Identity authorization. The user's email (from the PK Token) appears in the authorized-users file.
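To show the four checks as code, here is an added example in Go; it is not the project's verifier, whose real implementation differs. The PK Token is modelled as a compact JWS signed with EdDSA (real OPs mostly use RS256 or ES256), the key binding as a direct upk claim rather than the nonce commitment a real PK Token uses, and the ACL as a map; the claim names, the kid value and the sample identities are constructed for this example. It covers the server side of step 4 under "What it does" as well as the invariants listed above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Simplified PK Token claims (an assumption of this example). A real PK Token is
// an ID Token whose nonce commits to the user's key; here the ephemeral SSH public
// key is carried directly in "upk" so the binding check is visible in one place.
type claims struct {
	Email string `json:"email"`
	Upk   string `json:"upk"` // base64url of the ephemeral SSH public key bytes
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodePart base64url-decodes one JWS segment and unmarshals it into v.
func decodePart(part string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signPKToken stands in for the OP: a compact JWS with alg EdDSA (assumption; real
// OPs mostly use RS256 or ES256). kid selects the verification key in the JWKS.
func signPKToken(kid string, priv ed25519.PrivateKey, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid})
	pl, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(pl)
	return input + "." + b64(ed25519.Sign(priv, []byte(input)))
}

// verify runs the four invariants in the order listed above and returns the
// authorized email. jwks maps kid to the OP's public key (its published JWKS);
// maxAge is OPKSSH's own policy, 24h by default; acl is the authorized-users file.
func verify(pkToken string, sessionPub []byte, jwks map[string]ed25519.PublicKey,
	acl map[string]bool, now time.Time, maxAge time.Duration) (string, error) {
	parts := strings.Split(pkToken, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed PK Token")
	}
	// 1. Signature: pick the key by kid, pin the algorithm, verify over header.payload.
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if decodePart(parts[0], &hdr) != nil {
		return "", errors.New("bad JWS header")
	}
	pub, ok := jwks[hdr.Kid]
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || hdr.Alg != "EdDSA" || err != nil ||
		!ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return "", errors.New("PK Token signature invalid")
	}
	var c claims
	if decodePart(parts[1], &c) != nil {
		return "", errors.New("bad JWS payload")
	}
	// 2. Expiration: the token's own exp, then the server's max-age policy on iat.
	if now.Unix() >= c.Exp || now.Sub(time.Unix(c.Iat, 0)) > maxAge {
		return "", errors.New("PK Token expired or older than server policy")
	}
	// 3. Public-key binding: the key the token commits to must be this session's key,
	// so a token captured elsewhere cannot be replayed with a different keypair.
	if c.Upk != b64(sessionPub) {
		return "", errors.New("PK Token not bound to the presented public key")
	}
	// 4. Identity authorization: the email must appear in the authorized-users file.
	if !acl[c.Email] {
		return "", fmt.Errorf("%s not in authorized users", c.Email)
	}
	return c.Email, nil
}

func main() {
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	sessionPub, _, _ := ed25519.GenerateKey(rand.Reader) // stands in for the ephemeral SSH key
	now := time.Now()
	tok := signPKToken("op-key-1", opPriv, claims{Email: "alice@example.com",
		Upk: b64(sessionPub), Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()})
	jwks := map[string]ed25519.PublicKey{"op-key-1": opPub}
	acl := map[string]bool{"alice@example.com": true}
	fmt.Println(verify(tok, sessionPub, jwks, acl, now, 24*time.Hour))
}
```

The order matters: the signature is checked before any payload claim is read, so nothing in the token is trusted until the OP's key has vouched for it, and the algorithm is pinned to what the JWKS entry supports instead of being taken from the header, which is the usual JWS mistake. The binding check is what turns a bearer ID Token into something only the holder of the session keypair can use.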

Relationship to OpenPubkey

systems/openpubkey is the underlying protocol — the primitive for binding public keys to OIDC ID Tokens. OPKSSH is the application of OpenPubkey to SSH. OpenPubkey shipped an experimental SSH integration in 2023, but it was prototype-quality. OPKSSH (Cloudflare-donated 2025-03-25) replaces it as the production-grade SSH implementation under the OpenPubkey project.

Lineage

  • Originally closed-source, owned by BastionZero.
  • Cloudflare acquired BastionZero in 2024 to add zero-trust infrastructure access.
  • Cloudflare donated OPKSSH to the OpenPubkey project 2025-03-25 under Apache 2.0 — contribution, not endorsement.
