Cloudflare open sources OPKSSH to bring Single Sign-On to SSH

OPKSSH (OpenPubkey SSH) makes it easy to authenticate to servers over SSH using OpenID Connect (OIDC), allowing developers to ditch manually configured SSH keys in favor of identity provider-based access.


By tightly integrating with identity providers (IdPs) and avoiding any additional trusted third party, OPKSSH offers a streamlined and secure way to manage SSH authentication.

This week, OPKSSH was officially open-sourced under the umbrella of the OpenPubkey project. While OpenPubkey itself became a Linux Foundation open-source initiative in 2023, OPKSSH remained closed-source until now.

OPKSSH was originally developed and maintained by BastionZero (now part of Cloudflare); Cloudflare has gifted the code to the OpenPubkey project, marking a milestone for open identity-based authentication in infrastructure access.

The benefits of OPKSSH

Improved security: OPKSSH replaces long-lived SSH keys with ephemeral SSH keys that are created on demand by OPKSSH and expire when they are no longer needed. This reduces the risk that a private key is compromised, and limits the time window in which an attacker can use a compromised private key. By default, these OPKSSH keys expire after 24 hours, but the expiration policy can be set in a configuration file.

Improved usability: Creating an SSH key is as easy as signing in to an OpenID Provider (OP). This means that a user can SSH from any computer with opkssh installed, even if they haven't copied an SSH private key to that computer. To generate their SSH key, the user simply runs opkssh login, and can then use ssh as they typically do.

Improved visibility: OPKSSH moves SSH from authorization by public key to authorization by identity. If Alice wants to give Bob access to a server, she doesn't need to ask for his public key; she can just add Bob's email address bob@example.com to the OPKSSH authorized users file, and he can sign in. This makes tracking who has access much easier, since administrators can see the email addresses of the authorized users.
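The two mechanisms described above, ephemeral keys with a lifetime and an allowlist keyed by email rather than by public key, can be sketched in a few dozen lines. The following Go program is an added illustration written for this article; it is not OPKSSH's own code, the "principal email" allowlist format and the Authorize function are hypothetical, and verification of the ID token against the IdP (which is where the email claim would come from) is assumed to have happened already.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// EphemeralKey is an SSH key pair created for one login session. Unlike a
// long-lived ~/.ssh/id_ed25519 it carries an explicit expiry, so the server
// side can refuse it once the configured lifetime has passed. The lifetime is
// a parameter here; OPKSSH's real configuration file is not reproduced.
type EphemeralKey struct {
	Public    ed25519.PublicKey
	private   ed25519.PrivateKey
	IssuedAt  time.Time
	ExpiresAt time.Time
}

// NewEphemeralKey generates a fresh ed25519 key pair with a lifetime of ttl.
func NewEphemeralKey(now time.Time, ttl time.Duration) (*EphemeralKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &EphemeralKey{Public: pub, private: priv, IssuedAt: now, ExpiresAt: now.Add(ttl)}, nil
}

// Expired reports whether the key is past its lifetime at the given instant.
func (k *EphemeralKey) Expired(at time.Time) bool { return !at.Before(k.ExpiresAt) }

// Sign and Verify model the proof of possession the SSH handshake performs
// with the session key.
func (k *EphemeralKey) Sign(msg []byte) []byte { return ed25519.Sign(k.private, msg) }
func (k *EphemeralKey) Verify(msg, sig []byte) bool {
	return ed25519.Verify(k.Public, msg, sig)
}

// ParseAllowlist reads a hypothetical "principal email" allowlist (one entry
// per line, '#' comments) into a map from local Unix account to the emails
// permitted to log in as it. Malformed lines are ignored, never granted.
func ParseAllowlist(text string) map[string][]string {
	allow := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		principal, email := fields[0], strings.ToLower(fields[1])
		allow[principal] = append(allow[principal], email)
	}
	return allow
}

var (
	ErrNotAuthorized = errors.New("identity not authorized for principal")
	ErrKeyExpired    = errors.New("ephemeral key expired")
)

// Authorize is the server-side decision: email is the identity claim from an
// already-verified ID token (verification assumed, not shown). Access is
// granted only if that identity is listed for the requested principal and the
// session key is still within its lifetime.
func Authorize(allow map[string][]string, principal, email string, key *EphemeralKey, now time.Time) error {
	if key.Expired(now) {
		return ErrKeyExpired
	}
	for _, e := range allow[principal] {
		if e == strings.ToLower(email) {
			return nil
		}
	}
	return ErrNotAuthorized
}

func main() {
	// Constructed sample allowlist: Alice grants Bob access to the "deploy" account.
	const allowlist = "# principal  email\ndeploy  bob@example.com\nalice  alice@example.com\n"
	allow := ParseAllowlist(allowlist)
	now := time.Now()
	key, err := NewEphemeralKey(now, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("bob, fresh key:    ", Authorize(allow, "deploy", "bob@example.com", key, now.Add(time.Hour)))
	fmt.Println("bob, 25h later:    ", Authorize(allow, "deploy", "bob@example.com", key, now.Add(25*time.Hour)))
	fmt.Println("mallory, fresh key:", Authorize(allow, "deploy", "mallory@example.com", key, now))
}
```

The point to notice is that revoking Bob is a one-line edit to the allowlist, and a stolen session key is useless on its own after the lifetime elapses, which is what the "improved security" and "improved visibility" claims above amount to in practice.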

Improvements to OpenPubkey

While the OpenPubkey project has had code for using SSH with OpenPubkey since the project’s early days, this code was intended as a prototype and was missing many important features. With OPKSSH, SSH support in OpenPubkey is no longer a prototype but a complete feature.

OPKSSH provides the following improvements to OpenPubkey:

  • Production-ready SSH in OpenPubkey
  • Automated installation
  • Better configuration tools

OPKSSH is available on GitHub under the Apache 2.0 license.
