winget install --id openpubkey.opkssh
About OpenPubkey SSH
opkssh is a tool that enables SSH to be used with OpenID Connect, allowing SSH access to be managed via identities like alice@example.com instead of long-lived SSH keys. It does not replace ssh; rather, it generates SSH public keys that contain PK Tokens and configures sshd to verify the PK Token in the SSH public key. These PK Tokens contain standard OpenID Connect ID Tokens. This protocol builds on OpenPubkey, which adds user public keys to OpenID Connect without breaking compatibility with existing OpenID Provid...
What's new in 0.14.0
Adds support for SSHing into Windows servers. OpenSSH 10.13 makes a breaking, non-backwards-compatible change to how SSH certificates work; this breaks opkssh versions older than this release. This release includes a fix for this breaking change.

Changes
- feat: update to openpubkey 0.23.0 @ianroberts (#510)
- fix(ci): use go run . instead of go run main.go in gha workflow @fdcastel (#506)
- [3/3] Add Windows SSH server support @fdcastel (#480)
- refactor: unify MockUserLookup into shared test helper package. Closes #439. @fdcastel (#495)
- Update CLI documentation @github-actions[bot] (#500)
- feat: add --inspect-cert and --verbose flags to login command. Closes #353. @fdcastel (#497)
- docs: Add GitHub Actions integration guide. Closes #481 @fdcastel (#492)
- test: cover full printed output of opkssh inspect. Closes #356 @fdcastel (#493)
- Update CLI documentation @github-actions[bot] (#498)
- Add logout command to remove opkssh-generated SSH keys. Closes #317. @fdcastel (#496)
- Update CLI documentation @github-actions[bot] (#490)
- [2/3] Add permissions command @fdcastel (#479)
- bug: ensure provider arg doesn't skip remote-redirect-uri @EthanHeilman (#471)
- [1/3] Update GitHub Actions workflows and .gitignore @fdcastel (#478)
- docs: Add AWS EC2 setup guide for opkssh @Rishang (#467)

Bug Fixes
- fix(deps): Update docker/build-push-action action to v7 @renovate[bot] (#512)
- Fix for openssh 10.13 breaking principals wildcard in SSH certificates @EthanHeilman (#513)
- fix(deps): Update zizmorcore/zizmor-action action to v0.5.2 @renovate[bot] (#488)
- fix(deps): Update dependenc...
Version history
| Version | Updated | Notes |
|---|---|---|
| 0.14.0 | Unknown | Adds support for SSHing into Windows servers. OpenSSH 10.13 makes a breaking, non-backwards-compatible change to how SSH certificates work; this breaks opkssh versions older than this release. This release creates a fix for this... |
| 0.13.0 | Unknown | Main feature of this release is the ability to specify remote redirect URIs. This helps with integrating opkssh with other tools such as termix. Most users of opkssh should not be using this flag and can skip this update... |
| 0.12.0 | Unknown | Main feature of this release is the audit command, which allows you to check server side configurations. Read the docs here: https://github.com/openpubkey/opkssh/blob/main/docs/audit.md Changes - docs: warn that azure al... |
| 0.11.0 | Unknown | Features - Add support for custom group claims @mvanderlee (#133) - feat: Flag to print SSH cert and private key rather than FS @EthanHeilman (#437) - feat: Process extra arguments to the verify command @justincmoy (#4... |
| 0.10.0 | Unknown | Changes • Merge SELinux Type Enforcement Files. @SweBarre (#332) • Feature/provider command @aaron-riact (#307) • Fixes typo in linux install script and docs (regression) @SweBarre (#320) Bug Fixes • fix(deps): Update... |
| 0.9.0 | Unknown | Changes - Improve docs command package @gppmad (#303) - docs: Better description of policy being additive @EthanHeilman (#288) - Add description for OPKSSH command-line tool @gppmad (#284) Features - Create user deny l... |
| 0.8.0 | Unknown | Changes - Add azure config doc @EthanHeilman (#243) - Add test for piping install script to bash @SweBarre (#241) - Unittests for the install script @SweBarre (#204) Features - Feat: Add 12h expiration policy @bmodotde... |
| 0.7.0 | Unknown | Changes - fix: only make GitHub provider available in GitHub environments @datosh (#210) - Harden gh actions @datosh (#198) - Cleans up TODOs on unneeded logging statement @EthanHeilman (#195) - Adds Chocolatey install t... |
| 0.6.1 | Unknown | Changes - bugfix: use scopes from client config @datosh (#174) - Kanidm integration guide @datosh (#172) |
| 0.6.0 | Unknown | Changes - Corrected Windows config filepath @L-Wehmschulte (#168) - Use shellquote for parsing policy::Table @markafarrell (#158) - Improve integration test runtime @datosh (#150) - Bump golang.org/x/net from 0.36.0 to 0... |
| 0.5.1 | Unknown | What's Changed - Fixing go-releaser by @EthanHeilman in #137 |
| 0.4.0 | Unknown | Changes Features - feat: Adds oidc:groups claim matcher for token verification @SamMurphyDev (#68) - feat: Rewrites arg parser to use Cobra @EthanHeilman (#67) - feat: Adds support for generic OpenID Connect providers... |
| 0.3.0 | Unknown | No notes |