2025-04-18
The clever tricks of OpenPubkey and OPKSSH
OPKSSH (also) is a clever way of using OpenID Connect (OIDC) to authenticate your OpenSSH sessions (it's not the only way to do this). How it works is sufficiently ingenious and clever that I want to write it up, especially as one underlying part uses a general trick.
OPKSSH itself is built on top of OpenPubkey, which is a trick to associated your keypair with an OIDC token. When you perform OIDC authentication, what you get back (at an abstract level) is a signed set of 'claims' and, crucially, a nonce. The nonce is supplied by the client that initiated the OIDC authentication so that it can know that the ID token it eventually gets back actually comes from this authentication session and wasn't obtained through some other one. The client initiating OIDC authentication doesn't get to ask the OIDC identity provider (OP) to include other fields.
What OpenPubkey does is turn the nonce into a signature for a combination of your public key and a second nonce of its own, by cryptographically hashing these together through a defined process. Because the OIDC IdP is signing a set of claims that include the calculated nonce, it is effectively signing a signature of your public key. If you give people the signed OIDC ID token, your public key, and your second nonce, they can verify this (and you can augment the ID Token you back to get a PK Token that embeds this additional information).
(As I understand it, calculating the OIDC ID Token nonce this way is safe because it still includes a random value (the inner nonce) and due to the cryptographic hashing, the entire calculated nonce is still effectively a non-repeating random value.)
To smuggle this PK Token to the OpenSSH server, OPKSSH embeds it
as an additional option field in an OpenSSH certificate (called
'openpubkey-pkt'). The certificate itself is for your generated PK
Token private key and is (self) signed with it, but this is all
perfectly fine with OpenSSH; SSH clients will send the certificate
off to the server as a candidate authentication key and the server
will read it in. Normally the server would reject it since it's
signed by an unknown SSH certificate authority, but OPKSSH uses a
clever trick with OpenSSH's AuthorizedKeysCommand server
option to get its hands on the full certificate, which lets it
extract the PK Token, verify everything, and tell the SSH server
daemon that your public key is the underlying OpenPubkey key (which
you have the private key for in your SSH client).
Smuggling information through OpenSSH certificates and then processing
them with AuthorizedKeysCommand is a clever trick, but it's
specific to OpenSSH. Turning a nonce into a signature is a general
trick that was eye-opening to me, especially because you can probably
do it repeatedly.