Open-sourcing OpenPubkey SSH (OPKSSH): integrating single sign-on with SSH
blog.cloudflare.com
OPKSSH (OpenPubkey SSH) is now open-sourced as part of the OpenPubkey project. This enables users and organizations to configure SSH to work with single sign-on technologies like OpenID Connect, removing the need to manually manage & configure SSH keys without adding a trusted party other than your IdP.

My first exposure to this and supposedly just a two line change to the SSH server configuration.

Anyone set this up on their own servers yet? Just for kicks?

  • Botzo@lemmy.worldEnglish
    4·
    5 days ago

    Definitely looks like a nice improvement. Functions very like cloud provider CLI SSO, but with a generic tool.

    I think for an enterprise use case, supporting the use of the groups claim (or other configurable scopes) is table stakes. Although in those situations, I’ve also had to use other tools like teleport that come with other enterprise niceties like full session audit capture and playback.

    And while everyone should do their own threat and risk modeling, you’ve now made your ssh connection dependent on an external service that likely needs to reach out over the internet.