Ditch SSH Keys: Secure Access with opkssh and OpenID Connect

Tired of managing long-lived SSH keys? opkssh, or OpenPubkey SSH, offers a modern and secure alternative by integrating SSH with OpenID Connect. This allows you to manage SSH access using familiar identities like [email protected], eliminating the complexities of traditional key management.

What is opkssh?

opkssh leverages OpenID Connect to enhance SSH authentication, replacing static keys with short-lived, identity-based access. It generates SSH public keys containing PK Tokens, which are verified against standard OpenID Connect ID Tokens. This builds upon the OpenPubkey protocol, adding user public keys to OpenID Connect without disrupting existing OpenID Providers.

• Key takeaway: Simplifies SSH access management by using existing identity providers.

Why Choose opkssh for SSH Authentication?

• Enhanced Security: Eliminates the risks associated with long-lived SSH keys.
• Simplified Management: Leverages your existing OpenID Connect infrastructure.
• Identity-Based Access: Uses familiar identities like email addresses for authentication.
• Easy Integration: Works with popular OpenID Providers like Google, Microsoft/Azure, and Gitlab.

Get Started with opkssh: Installation and Usage

Ready to experience passwordless SSH? Here's how to get started with opkssh on your client machine:

Installation

1. Homebrew (macOS):

   brew tap openpubkey/opkssh
   brew install opkssh
   

   Copy

2. Manual Installation (Windows, Linux, macOS):

   • Download the appropriate binary from the opkssh releases page.
   • Make the binary executable and move it to a directory in your PATH.

SSH Access Made Easy

Now that you have opkssh installed, follow these steps to securely SSH into your servers:

1. Login:

   opkssh login
   

   Copy

   This command opens a browser window for authentication against your chosen OpenID Provider.

2. SSH as Usual:

   ssh [email protected]
   

   Copy

   opkssh automatically handles the key exchange using the generated PK Token.

Setting Up opkssh on Your SSH Server

To enable opkssh authentication on your server, use the provided installation script:

wget -qO- "https://raw.githubusercontent.com/openpubkey/opkssh/main/scripts/install-linux.sh" | sudo bash

This script automates the installation process:

• Downloads the opkssh binary.
• Installs it as /usr/local/bin/opkssh.
• Configures SSH to use opkssh for authentication.

Finally, authorize users to access specific accounts using their OpenID Connect identities:

sudo opkssh add root [email protected] google

This command allows [email protected] to SSH into the server as root.

How opkssh Works: Under the Hood

opkssh cleverly integrates OpenID Connect into the SSH authentication process using two key SSH features:

• SSH Certificates with Extensions: PK Tokens, including ID Tokens, are embedded within SSH certificate extensions.
• AuthorizedKeysCommand: The SSH server uses this option to delegate PK Token verification to the opkssh verify command.

Configuration Files: Fine-Grained Access Control

opkssh relies on configuration files to manage allowed OpenID Providers and authorized identities. These files, located on the server, control which identities can access which accounts.

/etc/opk/providers: Defining Trusted OpenID Providers

This file lists allowed OpenID Providers (OPs) and their associated Client IDs. It acts as an access control list, ensuring that only trusted providers can be used for authentication.

• Column 1: Issuer URI of the OP.
• Column 2: Client-ID (audience claim in the ID Token).
• Column 3: Expiration policy (e.g., 24h, oidc).

The recommended permissions for /etc/opk/providers are:

sudo chown root:opksshuser /etc/opk/providers
sudo chmod 640 /etc/opk/providers

/etc/opk/auth_id: Global Authorized Identities

This file maps OpenID Connect identities (email addresses or subject IDs) to Linux user accounts (principals). It defines which users are authorized to assume which accounts on the server.

• Column 1: The principal (Linux user account).
• Column 2: Email address or subject ID of the user.
• Column 3: Issuer URI.

The recommended permissions for /etc/opk/auth_id are:

sudo chown root:opksshuser /etc/opk/auth_id
sudo chmod 640 /etc/opk/auth_id

~/.opk/auth_id: User-Specific Authorized Identities

Users can manage their own authorized identities using the ~/.opk/auth_id file in their home directory. This allows users to grant access to their own accounts without requiring root privileges.

The recommended permissions for ~/.opk/auth_id are:

chown {USER}:{USER} /home/{USER}/.opk/auth_id
chmod 600 /home/{USER}/.opk/auth_id

Embrace Passwordless SSH with opkssh

opkssh offers a secure, manageable, and user-friendly approach to SSH access by integrating with OpenID Connect. Say goodbye to cumbersome SSH key management and embrace the future of SSH authentication. By implementing OpenPubkey SSH, managing long-tail terms related to authentication becomes more streamlined and secure.