In a significant move aimed at improving both the security and the ease of SSH management, Cloudflare announced the open-sourcing of OPKSSH (OpenPubkey SSH) under the OpenPubkey project. OPKSSH integrates single sign-on (SSO) technologies such as OpenID Connect into SSH, so users authenticate with their existing SSO login instead of managing SSH keys by hand. Notably, it does this without introducing any trusted third party beyond the identity provider (IdP) the user already relies on.
The transition of OPKSSH to an open-source model follows the earlier open-sourcing of the underlying protocol, OpenPubkey, which became a Linux Foundation project in 2023. Originally developed and owned by BastionZero, which was acquired by Cloudflare in 2024, OPKSSH has now been contributed to the OpenPubkey project, allowing the wider community to benefit from its capabilities.
OpenPubkey extends the standard SSO model by binding a user's public key into the ID token, so that the IdP-signed token functions as a certificate for that key. This matters because a conventional ID token carries no public key, which limits its usefulness in key-based protocols such as SSH. With OPKSSH, users work with short-lived SSH keys that expire automatically, which narrows the window in which a stolen or leaked key can be abused.
OPKSSH simplifies SSH access: a single login command produces an ephemeral SSH key, so users can reach servers without anyone having to distribute long-lived private keys. Beyond convenience, this improves visibility and control over who can reach sensitive systems. Administrators grant access by adding a user's email address to an authorized users list, which makes access easier to audit and to revoke. The trade-off is that the IdP account becomes the root of trust for SSH access, so the strength of the IdP login (for example, phishing-resistant multi-factor authentication) directly determines the strength of SSH authentication.
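To make the mechanism concrete, here is an added example, not code from the original article or from the OpenPubkey or OPKSSH projects, that sketches both halves of the flow in Go, the language OpenPubkey is written in. It follows OpenPubkey's approach of committing the user's public key into the ID token's nonce claim, a detail this article does not spell out: the client generates an ephemeral key and a random value, hashes them into the nonce it sends to the IdP, and the IdP's signature over the resulting token therefore covers the key. The verifier recomputes the commitment, checks the IdP signature and expiry, and consults an allow-list keyed by email. Everything below is an assumption made for illustration: a locally generated P-256 key stands in for the IdP's signing key, the names PKToken, NewKey, Commitment, Issue, Login and Verify are this example's own, the JWS carries a DER-encoded signature rather than the raw r||s form a real ES256 token uses, and the email address and allow-list are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// PKToken is what the client presents: the IdP-signed ID token plus the data
// a verifier needs to recompute the token's nonce.
type PKToken struct {
	IDToken string // compact JWS signed by the IdP
	PubDER  []byte // user's ephemeral public key, PKIX DER
	Rz      []byte // random value committed alongside the key
}

var encHeader = base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) // pinned alg

// NewKey mints a P-256 key: the stand-in IdP key here, the user's ephemeral key in Login.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only without a usable OS entropy source
	}
	return k
}

// Commitment is nonce = H(pubkey || rz). The IdP signs whatever nonce it is
// handed, so its signature covers the user's key: the ID token becomes a certificate.
func Commitment(pubDER, rz []byte) string {
	h := sha256.Sum256(append(append([]byte{}, pubDER...), rz...))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// Issue is the IdP side (assumption: idpKey stands in for the provider's JWKS
// signing key). DER signature for brevity; a real ES256 JWS carries raw r||s.
func Issue(idpKey *ecdsa.PrivateKey, email, nonce string, exp time.Time) (string, error) {
	body, _ := json.Marshal(map[string]any{"email": email, "nonce": nonce, "exp": exp.Unix()})
	input := encHeader + "." + base64.RawURLEncoding.EncodeToString(body)
	d := sha256.Sum256([]byte(input))
	sig, err := ecdsa.SignASN1(rand.Reader, idpKey, d[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Login is the client side: mint an ephemeral key, commit it into the nonce, get an
// ID token for it, and assemble the PK Token. The private key never leaves the client.
func Login(idpKey *ecdsa.PrivateKey, email string, ttl time.Duration) (PKToken, *ecdsa.PrivateKey, error) {
	key := NewKey()
	pubDER, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for a fresh P-256 key
	rz := make([]byte, 32)
	rand.Read(rz) // crypto/rand: guaranteed not to fail as of Go 1.24
	tok, err := Issue(idpKey, email, Commitment(pubDER, rz), time.Now().Add(ttl))
	return PKToken{IDToken: tok, PubDER: pubDER, Rz: rz}, key, err
}

// Verify is the server side (what an AuthorizedKeysCommand-style hook runs per
// connection): it returns the authorized email, or an error that denies the login.
func Verify(t PKToken, idpPub *ecdsa.PublicKey, allowed map[string]bool, now time.Time) (string, error) {
	parts := strings.Split(t.IDToken, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || parts[0] != encHeader || !ecdsa.VerifyASN1(idpPub, d[:], sig) {
		return "", fmt.Errorf("IdP signature invalid or unexpected JWS header")
	}
	var c struct{ Email, Nonce string; Exp int64 } // json matches keys case-insensitively
	if body, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return "", fmt.Errorf("undecodable claims")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return "", fmt.Errorf("ID token expired; the user must log in again")
	}
	if c.Nonce != Commitment(t.PubDER, t.Rz) {
		return "", fmt.Errorf("nonce does not commit to the presented key")
	}
	if !allowed[c.Email] {
		return "", fmt.Errorf("%s is not on the authorized users list", c.Email)
	}
	return c.Email, nil
}

func main() {
	idp := NewKey() // stand-in IdP key
	tok, _, _ := Login(idp, "alice@example.com", time.Hour)
	fmt.Println(Verify(tok, &idp.PublicKey, map[string]bool{"alice@example.com": true}, time.Now())) // alice@example.com <nil>
}
```

Two points the code makes that the prose only implies: the allow-list is consulted on every connection, which is why removing an email revokes access without touching any server-side key material, and a token whose signature verifies but whose nonce no longer matches the presented key is refused, which is the property that stops an attacker from pairing a stolen ID token with a key of their own. What the example deliberately leaves out is proof that the client holds the private key; in the real protocol that proof is the SSH handshake itself, signed with the ephemeral key Login returns.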