SSH-OIDC

ssh-oidc is an ecosystem of tools that enables SSH authentication using federated OpenID Connect (OIDC) identities on unmodified OpenSSH. It replaces permanent SSH keys with short-lived SSH certificates, addressing fundamental security limitations of long-lived keys: they never expire, are hard to revoke, can be shared, and provide no audit trail. With certificate-based authentication, each session is bound to a verified federated identity, which enables instant revocation, a full audit trail, and CA-based trust in place of trust-on-first-use (TOFU) key acceptance and its weaknesses.

The ssh-oidc ecosystem comprises motley-cue (the identity backend for authorization and just-in-time account provisioning), oinit-ca (an online certificate authority that issues short-lived SSH certificates), oidc-agent (token management), and webssh-oidc (browser-based access with no client installation). Three access modes are supported: web SSH, CLI with downloaded certificates, and transparent CLI with oinit (recommended). All three work with standard OpenSSH without source code modifications.

Further Information