Cloudflare has launched OPKSSH (OpenPubkey SSH), an authentication tool based on OpenID Connect (OIDC) for SSH servers, allowing administrators to replace traditional SSH keys with identity-controlled access. This new approach eliminates the need to manage static SSH keys and enables more secure and flexible management of system access.
OPKSSH has been released as open-source under the OpenPubkey project, an initiative that has been under the umbrella of the Linux Foundation since 2023. Originally developed by BastionZero, a company that is now part of Cloudflare, this tool represents a significant advancement in access management in infrastructure environments, enabling the use of a robust and standardized authentication system through identity providers.
Main Advantages of OPKSSH
- Enhanced Security: OPKSSH eliminates the use of static SSH keys and replaces them with ephemeral keys that are generated on demand. These keys are created when the user logs in and expire automatically in 24 hours by default, although this period is configurable. This approach reduces the risk of SSH keys being compromised and limits the impact in the event of a breach, as the keys are short-lived.
- Improved Usability: The authentication process is greatly simplified. To access an SSH server, users simply need to log in through their identity provider, such as Google, Microsoft/Azure, or GitLab, using the command opkssh login. OPKSSH automatically generates an SSH key that contains the user's identity token, eliminating the need to manually manage private keys. This facilitates access management and removes reliance on physical keys.
- Better Visibility and Access Control: OPKSSH enhances access control by shifting authentication from public key-based to identity-based. Administrators can manage server access by simply adding users' email addresses to the OPKSSH configuration files. This improves traceability of who has access to which resources, as users are identified by their digital identity rather than by an SSH key. Additionally, access management becomes easier, as administrators can easily assign permissions via email addresses.
Improvements in OpenPubkey
The OpenPubkey project already included support for using SSH through integration with OpenPubkey, but the code at that stage was only a prototype. With the launch of OPKSSH, this support has been enhanced and is now offered as a fully functional solution for production environments. Key improvements include:
- Production-ready SSH support
- Automated installation of required tools
- Better configuration tools to simplify management and maintenance of authentication environments
How OPKSSH Works
OPKSSH leverages SSH's support for SSH certificates and the extension fields those certificates can carry. It uses PK tokens, which include the ID Token from OpenID Connect, and injects them into the SSH authentication process. This allows the SSH server to verify the user's authenticity by validating their identity through the tokens issued by their identity provider.
To implement OPKSSH, administrators need to install the binary on their servers and configure it to use it as an additional authentication mechanism on the SSH server. Users can then connect to the servers using their OpenID Connect credentials, without needing to exchange or store traditional SSH keys.
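As an added illustration, not OPKSSH's own code (the article does not detail its internals), the Go sketch below models the server-side decision the section describes: the e-mail claim of an already signature-verified ID token is matched against an administrator allowlist, the token must come from the trusted identity provider, and the ephemeral key is rejected once it is older than the configured lifetime (24 hours by default). The names Policy, Authorize, decodeClaims and constructedToken, and the sample token, are hypothetical.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
// Claims is the subset of a (previously signature-verified) OIDC ID token the policy uses.
type Claims struct {
	Issuer string `json:"iss"`
	Email  string `json:"email"`
}
// Policy is a hypothetical stand-in for the server-side configuration described in the article.
type Policy struct {
	Issuer  string          // the one trusted identity provider
	Allowed map[string]bool // e-mail allowlist maintained by the administrator
	KeyTTL  time.Duration   // ephemeral key lifetime, 24h by default per the article
}
// decodeClaims reads the payload of a compact JWT (header.payload.signature).
func decodeClaims(jwt string) (c Claims, err error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return c, err
}
// Authorize admits a login only from the trusted issuer, for a listed e-mail, and only while
// the ephemeral key minted at keyIssued is still inside its lifetime.
func (p Policy) Authorize(c Claims, keyIssued, now time.Time) error {
	switch {
	case c.Issuer != p.Issuer:
		return errors.New("untrusted issuer")
	case now.Sub(keyIssued) > p.KeyTTL:
		return errors.New("ephemeral SSH key has expired")
	case !p.Allowed[c.Email]:
		return errors.New("e-mail not in allowlist")
	}
	return nil
}
// constructedToken builds an unsigned sample token for this demo; it is not a real ID token.
func constructedToken(iss, email string) string {
	payload, _ := json.Marshal(Claims{Issuer: iss, Email: email})
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none"}`)) + "." + enc(payload) + ".sig"
}
```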
Installation and Configuration
Installing OPKSSH on the server is straightforward. It can be automatically installed using a script on Linux systems, or manually using available binaries for Linux, macOS, and Windows. Once installed, administrators can easily add authorized users via their OpenID identifiers (email or subject identifier) and configure the server to accept only keys generated through OPKSSH.
Users just need to run the command opkssh login, which will open a browser window for them to authenticate with their identity provider. Subsequently, the system generates a temporary SSH key that allows authentication on servers configured to accept OPKSSH.
Compatibility with Identity Providers
OPKSSH is compatible with several popular identity providers such as Google, Microsoft/Azure, and GitLab. Additionally, administrators can configure OPKSSH to integrate with other identity providers via OpenID Connect, ensuring that any organization can adapt the tool to their existing infrastructure.
Conclusion
The release of OPKSSH marks an important milestone in the management of SSH authentication in corporate and cloud environments. With the adoption of OpenID Connect and the elimination of static SSH keys, OPKSSH provides a more secure, simpler, and more efficient way to manage server access without compromising security or traceability. This advancement aligns with the growing need to integrate authentication into modern identity management systems, contributing to the protection of critical infrastructure against external and internal threats.