Re: [PLUG] Sharing SSH keys between Linux hosts

[brent saner via plug <plug@lists.phillylinux.org>]

I haven't seen anyone use OIDC/OAuth2 for SSH in the wild, no. Largely because it requires either third-party addition/integration onto OpenSSH or completely replacing your sshd (and ssh client).

Granted, this blog post from a ContainerSSH dev is from 2021, but I suspect a large reason is because the most popular clients may have issues with it.

To my knowledge, currently the only possibilities for OIDC/OAuth2 via SSH is:

• Using Cloudflare's OPKSSH (opensourced last year) (though I suspect this probably requires turning up an entire OpenKey infrastructure) (but it DOES work with OpenSSH sshd at least) (note that since it uses AuthorizedKeysCommand, authN and authZ can be overridden via the normal AuthorizedKeysFile, which may or may not have security implications in an org. You could circumvent that by setting it to none though.)
• You could maybe do it by hooking in with step-ca or Vault PKI/OpenBao PKI etc. to automatically generate short-lived SSH certificates on/with OIDC return, which WOULD work with OpenSSH sshd, buuut it's not really true OIDC/OAuth2 and it'd require a lot of mess that probably isn't worth it.
• A custom or third-party sshd (though that doesn't solve the aforementioned client limits, so now you're looking at a custom/third-party ssh client as well at the least)
• A custom/third-party PAM module that uses an OIDC token as the password sent over the SSH authN. This would work with OpenSSH just fine by just adding it as a fallback (or primary, with regular pam_unix.so as fallback, etc. depending on how you configure it in /etc/pam.d/*) (this would still require manual client workflow or a custom ssh client)

On Fri, Jan 9, 2026 at 1:25 PM Rich Freeman via plug <plug@lists.phillylinux.org> wrote:

(Warning, this is drifting a little off-topic.)

On 1/9/2026 1:10 PM, brent saner via plug wrote:

For what it's worth, there is a multitude of software that can manage SSH pubkey distribution. If you're using SSSD with AD/LDAP auth, you can even store users' SSH pubkeys in the directory itself bound to their user object and SSSD can dynamically fetch it/them at runtime directly.

I've seen orgs use LDAP to manage authorized_keys or the equivalent.  Does anybody do some kind of federated authentication with ssh, like OIDC/etc?  

I'm not sure how useful it would be for me at home, since I'd want to be able to use ssh to troubleshoot the authentication service - there are just some infra items you don't want too many dependencies with.  I'm just curious what is out there, and since the list is low-traffic I figured I'd start a conversation here instead of chatting with an LLM about it.  :)

-- 
Rich

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug