OPKSSH makes it easy to SSH with single sign-on technologies

2025/03/25 21:00

OPKSSH makes it easy to use single sign-on technologies such as OpenID Connect with SSH, removing the need to manually manage and configure SSH keys.

OPKSSH is a project that makes it easy to SSH with single sign-on (SSO) technologies like OpenID Connect (OIDC), removing the need to manually manage and configure SSH keys. It does this without adding a trusted party other than your identity provider (IdP). We are excited to announce that OPKSSH has been open-sourced under the umbrella of the OpenPubkey project. While the underlying protocol OpenPubkey became an open source Linux Foundation project in 2023, OPKSSH was closed source and owned by BastionZero (now Cloudflare). Cloudflare has gifted this code to the OpenPubkey project, making it open source.

In this post, we describe what OPKSSH is, how it simplifies SSH management, and what OPKSSH being open source means for you.

Background

A cornerstone of modern access control is single sign-on (SSO), where a user authenticates to an identity provider (IdP), and in response the IdP issues the user a token. The user can present this token to prove their identity, such as "Google says I am Alice". SSO is the rare security technology that both increases convenience - users only need to sign in once to get access to many different systems - and increases security.

OpenID Connect

OpenID Connect (OIDC) is the main protocol used for SSO. As shown below, in OIDC the IdP, called an OpenID Provider (OP), issues the user an ID Token which contains identity claims about the user, such as "email is alice@example.com". These claims are digitally signed by the OP, so anyone who receives the ID Token can check that it really was issued by the OP.

Unfortunately, while ID Tokens do include identity claims like name, organization, and email address, they do not include the user's public key. This prevents them from being used to directly secure protocols like SSH or End-to-End Encrypted messaging.

Note that throughout this post we use the term OpenID Provider (OP) rather than IdP, as OP specifies the exact type of IdP we are using, i.e., an OpenID IdP. We use Google as an example OP, but OpenID Connect works with Google, Azure, Okta, etc.

Figure 1: Shows a user Alice signing in to Google using OpenID Connect and receiving an ID Token

OpenPubkey

OpenPubkey, shown below, adds public keys to ID Tokens. This enables ID Tokens to be used like certificates, e.g. "Google says alice@example.com is using public key 0x123." We call an ID token that contains a public key a PK Token. The beauty of OpenPubkey is that, unlike other approaches, OpenPubkey does not require any changes to existing SSO protocols and supports any OpenID Connect compliant OP.

Figure 2: Shows a user Alice signing in to Google using OpenID Connect/OpenPubkey and then producing a PK Token

While OpenPubkey enables ID Tokens to be used as certificates, OPKSSH extends this functionality so that these ID Tokens can be used as SSH keys in the SSH protocol. This adds SSO authentication to SSH without requiring changes to the SSH protocol.

Why this matters

OPKSSH frees users and administrators from the need to manage long-lived SSH keys, making SSH more secure and more convenient.

"In many organizations - even very security-conscious organizations - there are many times more obsolete authorized keys than they have employees. Worse, authorized keys generally grant command-line shell access, which in itself is often considered privileged. We have found that in many organizations about 10% of the authorized keys grant root or administrator access. SSH keys never expire." - Challenges in Managing SSH Keys - and a Call for Solutions by Tatu Ylonen (Inventor of SSH)

In SSH, users generate a long-lived SSH public key and SSH private key. To enable a user to access a server, the user or the administrator of that server configures that server to trust that user's public key. Users must protect the file containing their SSH private key. If the user loses this file, they are locked out. If they copy their SSH private key to multiple computers or back up the key, they increase the risk that the key will be compromised. When a private key is compromised or a user no longer needs access, the user or administrator must remove that public key from every server that currently trusts it. All of these problems create headaches for users and administrators.

OPKSSH overcomes these issues:

Improved security: OPKSSH replaces long-lived SSH keys with ephemeral SSH keys that are created on-demand by OPKSSH and expire when they are no longer needed. This reduces the risk a private key is compromised, and limits the time period where an attacker can use a compromised private key. By default, these OPKSSH public keys expire every 24 hours, but the expiration

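The following Go program is an added example, not code from this post or from the OpenPubkey/OPKSSH projects. It models, end to end, the pieces described in the OpenID Connect, OpenPubkey and expiry paragraphs above: an OP signs an ID Token carrying identity claims; the user binds an ephemeral public key to that token to form a PK Token; a relying party (the SSH server side) verifies the OP signature, the key binding, the proof of possession and the expiry, and only then renders the key in authorized_keys form. Assumptions are labelled in the code: the binding uses the OIDC nonce as a commitment to the user's key (a simplified version of OpenPubkey's approach), Ed25519 stands in for the OP's RS256/ES256 JWKS key, and the issuer, audience, email and 24-hour lifetime are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID Token claims this example inspects. The nonce is the
// field used here (a simplification of OpenPubkey) to commit to the user's public key.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Aud   string `json:"aud"`
	Nonce string `json:"nonce"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Commitment hashes the user's ephemeral public key with fresh randomness rz;
// the user sends this hash as the OIDC nonce when signing in to the OP.
func Commitment(upk ed25519.PublicKey, rz []byte) string {
	h := sha256.Sum256(append(append([]byte{}, upk...), rz...))
	return b64(h[:])
}

// IssueIDToken plays the OP. Assumption: Ed25519/EdDSA is a stand-in for the
// RS256/ES256 keys a real OP such as Google publishes via JWKS.
func IssueIDToken(opPriv ed25519.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(c)
	signingInput := b64([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64(payload)
	return signingInput + "." + b64(ed25519.Sign(opPriv, []byte(signingInput)))
}

// PKToken = ID Token + the committed public key, the commitment randomness,
// and the user's own signature over the ID Token (proof of possession).
type PKToken struct {
	IDToken string
	Upk     ed25519.PublicKey
	Rz      []byte
	UserSig []byte
}

func MakePKToken(idToken string, upk ed25519.PublicKey, upriv ed25519.PrivateKey, rz []byte) PKToken {
	return PKToken{IDToken: idToken, Upk: upk, Rz: rz, UserSig: ed25519.Sign(upriv, []byte(idToken))}
}

// VerifyPKToken is what the relying party checks before it believes
// "the OP says claims.Email is using public key Upk".
func VerifyPKToken(opPub ed25519.PublicKey, iss, aud string, pk PKToken, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(pk.IDToken, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed ID Token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(opPub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("OP signature invalid")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Iss != iss || c.Aud != aud {
		return c, errors.New("wrong issuer or audience")
	}
	if now.Unix() >= c.Exp { // ephemeral key: rejected once the token's lifetime ends
		return c, errors.New("PK Token expired")
	}
	if c.Nonce != Commitment(pk.Upk, pk.Rz) { // binding: the OP-signed nonce must open to this key
		return c, errors.New("public key does not match committed nonce")
	}
	if !ed25519.Verify(pk.Upk, []byte(pk.IDToken), pk.UserSig) { // presenter holds the private key
		return c, errors.New("user signature invalid")
	}
	return c, nil
}

// AuthorizedKeyLine renders the verified key as an authorized_keys entry, the
// form an unmodified SSH server already understands (RFC 8709 ssh-ed25519 wire format).
func AuthorizedKeyLine(upk ed25519.PublicKey, email string) string {
	wire := append(sshString([]byte("ssh-ed25519")), sshString(upk)...)
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(wire) + " " + email
}

func sshString(b []byte) []byte { // SSH "string": 4-byte big-endian length + bytes
	n := len(b)
	return append([]byte{byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)}, b...)
}

func main() {
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	upk, upriv, _ := ed25519.GenerateKey(rand.Reader)
	rz := make([]byte, 32)
	rand.Read(rz)
	now := time.Now()
	// Constructed sample claims; the nonce is the user's commitment to upk.
	idTok := IssueIDToken(opPriv, Claims{Iss: "https://accounts.google.com", Sub: "1234", Email: "alice@example.com",
		Aud: "opkssh-client", Nonce: Commitment(upk, rz), Exp: now.Add(24 * time.Hour).Unix()})
	pk := MakePKToken(idTok, upk, upriv, rz)
	c, err := VerifyPKToken(opPub, "https://accounts.google.com", "opkssh-client", pk, now)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println(AuthorizedKeyLine(pk.Upk, c.Email))
	_, err = VerifyPKToken(opPub, "https://accounts.google.com", "opkssh-client", pk, now.Add(25*time.Hour))
	fmt.Println("same token 25h later:", err)
}
```

The two checks that matter for the security argument are the commitment check (an attacker who steals a valid ID Token cannot attach their own key, because the nonce the OP signed opens only to the original key) and the user signature (a leaked PK Token without the ephemeral private key is useless). The expiry check is what makes the key ephemeral: no authorized_keys cleanup is needed, the token simply stops verifying.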