SSH с авторизацией в Keycloak? Легко

Привет, уважаемый %username%! Уважаю твое личное время, поэтому без лишних слов - сразу к делу. В этой статье я кратко опишу, как настроить доступ к удаленному серверу по SSH с использованием Keycloak. Разберем, в чем преимущества этого решения, и что именно происходит в процессе такой авторизации.

https://habr.com/ru/articles/940114/

#ssh #keycloak #openpubkey

### #Cloudflare open sources #OPKSSH to bring Single Sign-On #SSO to #SSH

This week, it was officially open-sourced under the umbrella of the #OpenPubkey project, itself became a #Linux Foundation open-source initiative in 2023, OPKSSH remained closed-source until now. Making it easy to #authenticate to #servers over SSH using #OpenID Connect (#OIDC), allowing developers to ditch manually configured SSH keys in favor of identity provider-based access.

https://www.helpnetsecurity.com/2025/03/28/opkssh-sso-ssh/

New highly nerdy and awesome blog on #openpubkey and #cryptography

https://www.bastionzero.com/blog/generalizing-openpubkey-to-any-identity-provider

Excited to share a new IETF internet draft that @bifurcation and I just submitted to the OAuth working group.

We introduce PIKA: Proof of Issue Key Authority, to solve a problem relevant to #openpubkey, #oidc and JWTs in general.

What's a PIKA and why do I care?

OpenPubkey uses PK Tokens to allow an OpenID Provider (OP) to bind user identities to user-held public keys. This essentially allows the OP to act like a certificate authority, without any changes to today's OIDC.

PK Tokens are signed by the OP's signing keys. But, OP's rotate their signing keys over time. What happens if we need to use a PK Token *after* the OP rotates signing key?

This is where the PIKA comes in.

In this draft, we introduce the PIKA and show how it can be combined with a timestamping authority to allow PK Tokens to be used even after the OP rotates it signing key. The PIKA is a secure object that allows you to cache the OP's key, and verify using the OP's key even if the OP is offline.

And that's why I got interested in this work.

But our solution is much more generic and widely applicable than to just OpenPubkey. PIKAs allow the verification of JWTs, ID Tokens and other OIDC Tokens without querying the OP directly. You can use them to reduce the load on a OP, or to build applications that require caching or historical information about OP keys. Historical information about signing key is a particularly important in #softwaresupplychain usecases.

We're still digesting all the different ways that PIKAs can be used. Feel free to get in touch if you have any feedback!

https://www.ietf.org/archive/id/draft-barnes-oauth-pika-00.html

How to Use OpenPubkey to Solve Key Management via SSO
#Products #Docker #OpenPubkey #Security

https://www.docker.com/blog/how-to-use-openpubkey-to-solve-key-management-via-sso/

How to Use OpenPubkey to SSH Without SSH Keys
#Docker #Products #Containers #Dockersecurity #OpenPubkey

https://www.docker.com/blog/how-to-use-openpubkey-to-ssh-without-ssh-keys/

How to Use OpenPubkey with GitHub Actions Workloads
#Products #Docker #Githubaction #Opensource #OpenPubkey #SecureSoftwareSupplyChain #Security

https://www.docker.com/blog/how-to-use-openpubkey-with-github-actions-workloads/

Excellent program at @BSidesCambridgeMA today.

Excited to present #OpenPubkey and demo how to ssh using your OpenID identity without having to trust your identity provider.

HMU if you are at bsides today