Cloudflare has introduced opkssh (OpenPubkey SSH), a toolkit that integrates OpenSSH with centralized authentication so that users can log in through OpenID Connect providers. With opkssh there is no need to generate a long-lived private key on every client machine or to copy public keys to each server by hand: it is enough to bind a server account to an identity at the OpenID provider, and the user can then connect from any host. The code is written in Go and distributed under the Apache 2.0 license.
Opkssh works with the Google, Microsoft/Azure and GitLab OpenID providers, so logins can be set up with existing gmail.com, microsoft.com and gitlab.com accounts. Instead of long-lived SSH keys, opkssh generates short-lived keys whose validity rests on confirmation from the OpenID provider; by default a key is valid for 24 hours, after which the user must authenticate with the provider again. Because the server rejects expired keys, a key that leaks after its expiry poses no risk; a key that leaks while still valid can of course be used until it expires, so the lifetime is a trade-off between convenience and exposure.
Integration with OpenSSH relies on SSH certificate extensions, which allow arbitrary data to be attached to an SSH certificate. After authenticating with the OpenID provider, the client generates a key pair and a PK token that binds the public key to the authenticated identity; the PK token travels in the certificate's extension field. PK tokens are created on the client and verified on the server using the OpenPubkey cryptographic protocol.
OpenPubkey binds a freshly generated public key to an ID token issued by an OpenID provider: the client commits to its public key in the token's nonce, and the provider's signature over the token therefore attests that the authenticated user presented that key. For example, Google's OpenID provider can confirm that the user is authenticated as test@gmail.com. On the server side, the check consists of verifying that the attached token carries a valid signature from the provider and that the committed value matches the public key offered by the connecting SSH client, so the server can conclude that it was test@gmail.com who created the key.
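The binding step described above, as an added example in Go that is not code from opkssh or the OpenPubkey library: a mock provider signs a simplified ID token whose nonce commits to the client's public key, and the server-side check verifies the provider signature, issuer and audience, and recomputes the commitment against the key the SSH client presents. The issuer URL, the audience string "example-client-id", the user email and the hashing layout of the commitment are assumptions for illustration; a real PK token is a JWT with more claims, but the commitment idea is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// claims of the simplified ID token (a real PK token is a JWT with more claims).
type claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Nonce string `json:"nonce"`
}

// pkToken is what the client attaches to its SSH key: the provider-signed ID
// token plus the values the server needs to recompute the nonce commitment.
type pkToken struct {
	Payload []byte // JSON-encoded claims
	Sig     []byte // provider's ASN.1 ECDSA signature over SHA-256(Payload)
	PubDER  []byte // client public key, PKIX DER
	Salt    []byte // random value mixed into the commitment
}

// commitment is the nonce the client asks the provider to embed: a hash binding
// the client's public key to a fresh random salt (assumed layout for this example).
func commitment(pubDER, salt []byte) string {
	sum := sha256.Sum256(append(append([]byte{}, pubDER...), salt...))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// issueIDToken is a mock OpenID provider: it signs whatever nonce the client
// supplies, which is what lets OpenPubkey bind a key without the provider
// knowing anything about SSH.
func issueIDToken(opKey *ecdsa.PrivateKey, iss, email, aud, nonce string) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(claims{Iss: iss, Aud: aud, Email: email, Nonce: nonce}); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err = ecdsa.SignASN1(rand.Reader, opKey, digest[:])
	return payload, sig, err
}

// clientLogin models "opkssh login": generate a key pair, commit to the public
// key in the nonce, and obtain a signed ID token carrying that nonce.
func clientLogin(opKey *ecdsa.PrivateKey, iss, email, aud string) (*ecdsa.PrivateKey, pkToken, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, pkToken{}, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, pkToken{}, err
	}
	salt := make([]byte, 32)
	if _, err = rand.Read(salt); err != nil {
		return nil, pkToken{}, err
	}
	payload, sig, err := issueIDToken(opKey, iss, email, aud, commitment(pubDER, salt))
	if err != nil {
		return nil, pkToken{}, err
	}
	return priv, pkToken{Payload: payload, Sig: sig, PubDER: pubDER, Salt: salt}, nil
}

// verifyPKToken models the server side of "opkssh verify": check the provider's
// signature, issuer and audience, and that the nonce commits to the public key
// the SSH client actually presented. It returns the email the provider vouched for.
func verifyPKToken(opPub *ecdsa.PublicKey, wantIss, wantAud string, pk pkToken) (string, error) {
	digest := sha256.Sum256(pk.Payload)
	if !ecdsa.VerifyASN1(opPub, digest[:], pk.Sig) {
		return "", errors.New("ID token signature invalid")
	}
	var c claims
	if err := json.Unmarshal(pk.Payload, &c); err != nil {
		return "", err
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return "", errors.New("issuer or audience not allowed")
	}
	if c.Nonce != commitment(pk.PubDER, pk.Salt) {
		return "", errors.New("nonce does not commit to the presented public key")
	}
	return c.Email, nil
}

func main() {
	opKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the provider's signing key
	_, pk, err := clientLogin(opKey, "https://accounts.google.com", "test@gmail.com", "example-client-id")
	if err != nil {
		panic(err)
	}
	fmt.Println(verifyPKToken(&opKey.PublicKey, "https://accounts.google.com", "example-client-id", pk))
}
```

The interesting failure modes are the ones the server must catch: a token whose payload was edited (signature check fails), a token from another issuer with the same email (issuer check fails), and a genuine token presented together with someone else's public key (the commitment no longer matches, even though the provider signature is still valid).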

Integration with OpenSSH is configured in sshd_config through the AuthorizedKeysCommand directive, for example "AuthorizedKeysCommand /usr/local/bin/opkssh verify %u %k %t" (sshd also requires an AuthorizedKeysCommandUser, a dedicated unprivileged account under which the command runs). Binding of accounts to OpenID identities is done on the server side. No configuration changes are needed on the client, but before connecting the user runs "opkssh login", which opens a browser window for choosing the OpenID provider and authenticating with it.
"opkssh login" generates an SSH key pair and obtains a PK token, which confirms that the user has authenticated and lets the server verify that the generated key belongs to that user. The public key, with the PK token attached in the certificate's extension field, is written to ~/.ssh/id_ecdsa and is offered by the standard ssh client when connecting.
Connecting uses the usual "ssh login@server" form, provided the login on the server has previously been linked to the user's OpenID account. The process thus reduces to the SSH client offering the public key and the server running "opkssh verify" to check it.
To link an account to an OpenID identity, the server administrator runs "opkssh add". For example, to allow login as the user "root" with OpenID authentication through the Gmail account test@gmail.com, run "sudo opkssh add root test@gmail.com google", after which the owner of that account can connect with "ssh root@server_host".
The binding can also be made by hand in the /etc/opk/auth_id (or ~/.opk/auth_id) configuration file; for the example above the line reads "root test@gmail.com https://accounts.google.com". The issuer column matters: the same email string can exist at several providers, so a rule is matched on principal, email and issuer together. The /etc/opk/providers file additionally defines which OpenID providers are accepted, their parameters and the allowed client identifiers; a token from an issuer or client ID not listed there is not accepted regardless of auth_id.
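The policy lookup that the server performs after the PK token has been cryptographically verified, as an added example in Go that is not opkssh's own code: it parses the three-column auth_id format shown above and an allow-list of providers, and decides whether the identity the provider vouched for may log in as the requested principal. The two-column "<issuer> <client-id>" layout used here for the providers file, the sample entries, and the client ID strings are assumptions for this example; the real providers file carries further fields.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// authRule is one line of auth_id: "<principal> <email> <issuer>".
type authRule struct{ Principal, Email, Issuer string }

// parseAuthID reads the auth_id format. Blank lines and '#' comments are
// skipped; any other line without exactly three fields is an error, so a
// typo cannot silently widen or narrow access.
func parseAuthID(r io.Reader) ([]authRule, error) {
	var rules []authRule
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("auth_id line %d: want 3 fields, got %d", n, len(f))
		}
		rules = append(rules, authRule{Principal: f[0], Email: f[1], Issuer: f[2]})
	}
	return rules, sc.Err()
}

// parseProviders models the providers file as "<issuer> <client-id>" lines
// (an assumed layout for this example). The result maps issuer -> accepted client IDs.
func parseProviders(r io.Reader) (map[string]map[string]bool, error) {
	out := map[string]map[string]bool{}
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) < 2 {
			return nil, fmt.Errorf("providers line %d: want issuer and client id", n)
		}
		if out[f[0]] == nil {
			out[f[0]] = map[string]bool{}
		}
		out[f[0]][f[1]] = true
	}
	return out, sc.Err()
}

// authorize is the decision "opkssh verify" must make once the token's
// signature is known to be good: may the identity (email, issuer, clientID)
// log in as principal? The issuer is part of the match because the same
// email string can exist at several providers.
func authorize(rules []authRule, providers map[string]map[string]bool, principal, email, issuer, clientID string) bool {
	if !providers[issuer][clientID] { // indexing a nil inner map is safe and yields false
		return false
	}
	for _, r := range rules {
		if r.Principal == principal && r.Email == email && r.Issuer == issuer {
			return true
		}
	}
	return false
}

// Constructed sample files mirroring the example in the text.
const sampleAuthID = `# principal   email              issuer
root   test@gmail.com     https://accounts.google.com
alice  alice@example.com  https://gitlab.com
`

const sampleProviders = `https://accounts.google.com example-google-client-id
https://gitlab.com example-gitlab-client-id
`

func main() {
	rules, err := parseAuthID(strings.NewReader(sampleAuthID))
	if err != nil {
		panic(err)
	}
	prov, err := parseProviders(strings.NewReader(sampleProviders))
	if err != nil {
		panic(err)
	}
	fmt.Println(authorize(rules, prov, "root", "test@gmail.com", "https://accounts.google.com", "example-google-client-id")) // true
	fmt.Println(authorize(rules, prov, "root", "test@gmail.com", "https://gitlab.com", "example-gitlab-client-id"))          // false: wrong issuer
	fmt.Println(authorize(rules, prov, "alice", "alice@example.com", "https://gitlab.com", "unknown-client"))                 // false: client ID not listed
}
```

Two design choices are worth keeping in a real deployment: a malformed auth_id line is an error rather than something to skip, and the providers check runs before the per-principal rules, so an identity from an unlisted issuer or client can never match even if an auth_id line happens to name it.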

Source: opennet.ru
