← Package directory
Available on winget

Install OpenPubkey SSH

A tool which enables SSH to be used with OpenID Connect, allowing SSH access management via identities like alice@example.com instead of long-lived SSH keys.

Install with winget
winget install --id openpubkey.opkssh
Upgrade
winget upgrade --id openpubkey.opkssh
Uninstall
winget uninstall --id openpubkey.opkssh

About OpenPubkey SSH

opkssh is a tool which enables ssh to be used with OpenID Connect, allowing SSH access management via identities like alice@example.com instead of long-lived SSH keys. It does not replace ssh, but rather generates ssh public keys that contain PK Tokens and configures sshd to verify the PK Token in the ssh public key. These PK Tokens contain standard OpenID Connect ID Tokens. This protocol builds on OpenPubkey, which adds user public keys to OpenID Connect without breaking compatibility with existing OpenID Provid...

What's new in 0.15.0

🚀 Features
- Adds ssh certificate principals arg @EthanHeilman (#533)

🐛 Bug Fixes
- fix(deps): Update docker/build-push-action action to v7.2.0 @renovate[bot] (#515)
- Fix: Ensure openssh can be installed on windows arm @EthanHeilman (#548, #547, #544)
- fix(deps): Update goreleaser/goreleaser-action action to v7.2.2 @renovate[bot] (#542)
- fix(deps): Update actions/setup-go action to v6.3.0 @renovate[bot] (#483)

🧰 Maintenance
- fix(deps): bump go to v1.25, crypto to v0.53.0 @gastmaier (#528)
- Update CLI documentation @github-actions[bot] (#534)
- Update go version in hack/build.sh @Kunzol (#531)

Version history

Version Updated Notes
0.15.0 Unknown 🚀 Features - Adds ssh certificate principals arg @EthanHeilman (#533) 🐛 Bug Fixes - fix(deps): Update docker/build-push-action action to v7.2.0 @renovate[bot] (#515) - Fix: Ensure openssh can be installed on windows arm...
0.14.0 Unknown Adds support for sshing into windows servers. Openssh 10.13 makes a breaking, non-backwards compatible change to how ssh certificates work, this breaks opkssh older than this release. This release creates a fix for this...
0.13.0 Unknown Main feature of this release is the ability to specify remote redirect URIs. This helps with integrating opkssh with other tools such as termix. Most users of opkssh should not be using this flag and can skip this update...
0.12.0 Unknown Main feature of this release is the audit command, which allows you to check server side configurations. Read the docs here: https://github.com/openpubkey/opkssh/blob/main/docs/audit.md Changes - docs: warn that azure al...
0.11.0 Unknown 🚀 Features - Add support for custom group claims @mvanderlee (#133) - feat: Flag to print SSH cert and private key rather than FS @EthanHeilman (#437) - feat: Process extra arguments to the verify command @justincmoy (#4...
0.10.0 Unknown Changes • Merge SELinux Type Enforcement Files. @SweBarre (#332) • Feature/provider command @aaron-riact (#307) • Fixes typo in linux install script and docs (regression) @SweBarre (#320) 🐛 Bug Fixes • fix(deps): Update...
0.9.0 Unknown Changes - Improve docs command package @gppmad (#303) - docs: Better description of policy being additive @EthanHeilman (#288) - Add description for OPKSSH command-line tool @gppmad (#284) 🚀 Features - Create user deny l...
0.8.0 Unknown Changes - Add azure config doc @EthanHeilman (#243) - Add test for piping install script to bash @SweBarre (#241) - Unittests for the install script @SweBarre (#204) 🚀 Features - Feat: Add 12h expiration policy @bmodotde...
0.7.0 Unknown Changes - fix: only make GitHub provider available in GitHub environments @datosh (#210) - Harden gh actions @datosh (#198) - Cleans up TODOs on unneeded logging statement @EthanHeilman (#195) - Adds Chocolatey install t...
0.6.1 Unknown Changes - bugfix: use scopes from client config @datosh (#174) - Kanidm integration guide @datosh (#172)
0.6.0 Unknown Changes - Corrected Windows config filepath @L-Wehmschulte (#168) - Use shellquote for parsing policy::Table @markafarrell (#158) - Improve integration test runtime @datosh (#150) - Bump golang.org/x/net from 0.36.0 to 0...
0.5.1 Unknown What's Changed - Fixing go-releaser by @EthanHeilman in #137
0.4.0 Unknown Changes 🚀 Features - feat: Adds oidc:groups claim matcher for token verification @SamMurphyDev (#68) - feat: Rewrites arg parser to use Cobra @EthanHeilman (#67) - feat: Adds support for generic OpenID Connect providers...
0.3.0 Unknown No notes