Wandering Thoughts archives

2025-03-26

Three ways I know of to authenticate SSH connections with OIDC tokens

Suppose, not hypothetically, that you have an MFA-equipped OIDC identity provider (an 'OP' in the jargon), and you would like to use it to authenticate SSH connections. Specifically, like with IMAP, you might want to do this through OIDC/OAuth2 tokens that are issued by your OP to client programs, which the client programs can then use to prove your identity to the SSH server(s). One reason you might want to do this is because it's hard to find non-annoying, MFA-enabled ways of authenticating SSH, and your OIDC OP is right there and probably already supports sessions and so on. So far I've found three different projects that will do this directly, each with their own clever approach and various tradeoffs.

(The bad news is that all of them require various amounts of additional software, including on client machines. This leaves SSH apps on phones and tablets somewhat out in the cold.)

The first is ssh-oidc, which is a joint effort of various European academic parties, although I believe it's also used elsewhere (cf). Based on reading the documentation, ssh-oidc works by directly passing the OIDC token to the server, I believe through a SSH 'challenge' as part of challenge/response authentication, and then verifying it on the server through a PAM module and associated tools. This is clever, but I'm not sure if you can continue to do plain password authentication (at least not without PAM tricks to selectively apply their PAM module depending on, eg, the network area the connection is coming from).

Second is Smallstep's DIY Single-Sign-On for SSH (also). This works by setting up a SSH certificate authority and having the CA software issue signed, short-lived SSH client certificates in exchange for OIDC authentication from your OP. With client side software, these client certificates will be automatically set up for use by ssh, and on servers all you need is to trust your SSH CA. I believe you could even set this up for personal use on servers you SSH to, since you set up a personally trusted SSH CA. On the positive side, this requires minimal server changes and no extra server software, and preserves your ability to directly authenticate with passwords (and perhaps some MFA challenge). On the negative side, you now have a SSH CA you have to trust.

(One reason to care about still supporting passwords plus another MFA challenge is that it means that people without the client software can still log in with MFA, although perhaps somewhat painfully.)

The third option, which I've only recently become aware of, is Cloudflare's recently open-sourced 'opkssh' (via, Github). OPKSSH builds on something called OpenPubkey, which uses a clever trick to embed a public key you provide in (signed) OIDC tokens from your OP (for details see here). OPKSSH uses this to put a basically regular SSH public key into such an augmented OIDC token, then smuggles it from the client to the server by embedding the entire token in a SSH (client) certificate; on the server, it uses an AuthorizedKeysCommand to verify the token, extract the public key, and tell the SSH server to use the public key for verification (see How it works for more details). If you want, as far as I can see OPKSSH still supports using regular SSH public keys and also passwords (possibly plus an MFA challenge).

(Right now OPKSSH is not ready for use with third party OIDC OPs. Like so many things it's started out by only supporting the big, established OIDC places.)
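To make the server side of the third approach concrete, here is an added example of my own (not opkssh's or OpenPubkey's code, and a simplified model of how they bind a key into a token rather than their actual format) of an AuthorizedKeysCommand-style verifier: it checks the token's algorithm, signature, issuer, audience and validity window, maps the identity to the local account using server-side policy, and only then hands sshd the public key carried in the token. The issuer URL, audience, claim names, the HS256 shared secret and the account table are all assumptions made so the block runs offline; a real OP signs with RS256 and publishes its keys in a JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins for this example. A real OP signs tokens with RS256
# and publishes its verification keys in a JWKS; an HS256 shared secret is
# used here only so the block runs offline with the standard library.
OP_SECRET = b"constructed-op-signing-key"
EXPECTED_ISSUER = "https://op.example.org"   # assumed OP issuer URL
EXPECTED_AUDIENCE = "ssh-login"              # assumed client_id for the SSH flow
# Identity-to-account mapping is server policy, never taken from the token.
ALLOWED_ACCOUNTS = {"alice@example.org": {"alice", "deploy"}}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def issue_token(claims):
    """Mint a token the way the (constructed) OP would: header.payload.sig."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(OP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def authorized_keys_for(token, login_user, now=None):
    """Model of the server-side AuthorizedKeysCommand: return the
    authorized_keys lines for this login, or [] if any check fails."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return []
    header, payload, sig = parts
    # Pin the algorithm; never let the token choose how it is verified.
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return []
    expected = hmac.new(OP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        return []
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return []
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        return []
    if "ssh_pubkey" not in claims:
        return []
    if login_user not in ALLOWED_ACCOUNTS.get(claims.get("email"), ()):
        return []
    # Only now hand sshd the key that was bound into the token.
    return [f'{claims["ssh_pubkey"]} {claims["email"]}']
```

In a deployment the command would read the token from the client-supplied certificate, print these lines to stdout, and sshd would still insist on the client proving possession of the matching private key.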

It's quite possible that there are other options for direct (ie, non-VPN) OIDC based SSH authentication. If there are, I'd love to hear about them.

(OpenBao may be another 'SSH CA that authenticates you via OIDC' option; see eg Signed SSH certificates and also here and here. In general the OpenBao documentation gives me the feeling that using it merely to bridge between OIDC and SSH servers would be swatting a fly with an awkwardly large hammer.)

sysadmin/SSHAuthenticationWithOIDCTokens written at 22:56:49;

