The Future of SSH? Combining opkssh and cidaas for seamless Security

The Problem – SSH access today: a security bottleneck

Traditional SSH access management using static credentials—whether keys or passwords—introduces operational complexity and security risks. The manual distribution, rotation, and revocation of SSH keys across dynamic infrastructure and user bases is error-prone, hard to scale, and expands the system’s attack surface. A static credential that leaks stays valid until someone notices and revokes it, and with large teams and changing infrastructure that revocation is itself a significant operational burden. What if you could tie SSH access directly to your established identity provider, using short-lived, automatically managed credentials?

The Solution – The modern fix: opkssh meets cidaas

That’s precisely what integrating OpenPubkey’s opkssh tool with an Identity & Access Management (IAM) solution like cidaas enables.

What is opkssh (OpenPubkey SSH)?

opkssh revolutionizes SSH access by replacing static keys with short-lived credentials tied to real-time identity verification. Built on the innovative OpenPubkey protocol, opkssh allows users to authenticate to SSH servers using their OpenID Connect (OIDC) identity. Instead of traditional SSH keys, it leverages ID tokens obtained from an OIDC provider to generate short-lived SSH certificates or keys bound cryptographically to the user’s identity, without requiring a complex Public Key Infrastructure (PKI) or Certificate Authority (CA).

Check out the project

What is cidaas?

cidaas is the IAM powerhouse behind secure authentication. It is a powerful Identity & Access Management (IAM) platform that provides comprehensive features including Single Sign-On (SSO), Multi-Factor Authentication (MFA), and crucially for this integration, acts as a robust OpenID Connect (OIDC) provider. It manages user identities, authentication policies, and issues the ID tokens that systems like opkssh can consume.

Learn more about cidaas in our documentation

How opkssh and cidaas work together

  1. Authentication:
    A user initiates an SSH connection using the opkssh client.

  2. OIDC Flow:
    opkssh redirects the user to authenticate with cidaas (using their standard company login, potentially with MFA).

  3. ID Token Issuance:
    Upon successful authentication, cidaas issues a signed OIDC ID token back to opkssh.

  4. Ephemeral Credential Generation:
    opkssh uses the ID token and the OpenPubkey protocol to generate a short-lived SSH key or certificate, cryptographically binding the key to the user’s identity contained within the token.

  5. SSH Connection:
    The user connects to the target SSH server using this ephemeral credential.

  6. Server Verification:
    The SSH server (configured to trust cidaas as the OIDC provider) verifies the credential’s signature and validity against cidaas’s public keys and confirms the user’s identity and authorization.
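The six steps above hinge on one property: the ephemeral SSH key must be cryptographically bound to the ID token, so that a server trusting only the provider's public keys can tell that this key belongs to this authenticated identity. The following Go program is an added illustration of that binding and is not code from opkssh or from cidaas. It models both sides of the exchange: a provider stand-in that issues signed ID tokens (Ed25519 over the JSON claims, where a real OIDC provider issues JWS tokens such as RS256/ES256), a client that commits its ephemeral public key into the OIDC nonce claim before requesting the token (the core OpenPubkey idea, simplified), and a server-side verifier that checks issuer, token signature, expiry, the nonce commitment, proof of possession of the ephemeral key, and finally authorization. The issuer URL, user identifiers and allow-list are constructed for the example; opkssh's actual wire format and configuration differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Stand-in issuer identifier for a cidaas tenant (constructed for this example).
const issuerURL = "https://tenant.cidaas.invalid"

// Claims are the ID-token claims the server relies on. The nonce carries the
// client's commitment to its ephemeral key; that commitment is the binding.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Nonce string `json:"nonce"`
	Exp   int64  `json:"exp"`
}

// IDToken is a signed claim set. Real OIDC tokens are JWS; here the provider
// signs the JSON-encoded claims with Ed25519 so the example runs stand-alone.
type IDToken struct {
	Claims    Claims
	Signature []byte
}

// Credential is what the client presents to the SSH server: the ID token, the
// ephemeral public key, the nonce randomness, and a proof of possession (a
// signature over a server-chosen challenge) made with the ephemeral private key.
type Credential struct {
	Token  IDToken
	EphPub ed25519.PublicKey
	Random []byte
	Proof  []byte
}

// Provider stands in for cidaas: it authenticates users and issues ID tokens.
type Provider struct{ priv ed25519.PrivateKey }

func NewProvider() *Provider {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Provider{priv: priv}
}

// PublicKey is what a server would otherwise fetch from the provider's JWKS endpoint.
func (p *Provider) PublicKey() ed25519.PublicKey { return p.priv.Public().(ed25519.PublicKey) }

// Issue returns a signed ID token valid for one hour (step 3). The nonce is
// echoed back exactly as the client supplied it, as any OIDC provider does.
func (p *Provider) Issue(sub, email, nonce string, now time.Time) IDToken {
	c := Claims{Iss: issuerURL, Sub: sub, Email: email, Nonce: nonce, Exp: now.Add(time.Hour).Unix()}
	payload, _ := json.Marshal(c)
	return IDToken{Claims: c, Signature: ed25519.Sign(p.priv, payload)}
}

// nonceFor commits the ephemeral public key into the nonce: H(pub || random).
func nonceFor(pub ed25519.PublicKey, random []byte) string {
	h := sha256.Sum256(append(append([]byte{}, pub...), random...))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// ClientAuthenticate covers steps 1-5: generate an ephemeral key pair, obtain an
// ID token whose nonce commits to that key, and prove possession of the key.
func ClientAuthenticate(p *Provider, sub, email string, challenge []byte, now time.Time) (Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	random := make([]byte, 32)
	if _, err := rand.Read(random); err != nil {
		return Credential{}, err
	}
	tok := p.Issue(sub, email, nonceFor(pub, random), now)
	return Credential{Token: tok, EphPub: pub, Random: random, Proof: ed25519.Sign(priv, challenge)}, nil
}

// VerifyCredential is step 6, run by the SSH server with only the provider's
// public key and an allow-list mapping identities to local accounts. Each check
// closes a distinct failure mode: untrusted issuer, forged or expired token, a
// key the token never committed to, a key without proof of possession, and an
// authenticated identity that is not authorized on this host.
func VerifyCredential(cred Credential, providerPub ed25519.PublicKey, allowed map[string]string, challenge []byte, now time.Time) (string, error) {
	c := cred.Token.Claims
	if c.Iss != issuerURL {
		return "", fmt.Errorf("untrusted issuer %q", c.Iss)
	}
	payload, _ := json.Marshal(c)
	if !ed25519.Verify(providerPub, payload, cred.Token.Signature) {
		return "", errors.New("ID token signature invalid")
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("ID token expired")
	}
	if c.Nonce != nonceFor(cred.EphPub, cred.Random) {
		return "", errors.New("ephemeral key not bound to token nonce")
	}
	if !ed25519.Verify(cred.EphPub, challenge, cred.Proof) {
		return "", errors.New("proof of possession failed")
	}
	user, ok := allowed[c.Email]
	if !ok {
		return "", fmt.Errorf("%s authenticated but not authorized here", c.Email)
	}
	return user, nil
}
```

The order of checks matters for a defender: the verifier never consults the allow-list until the token's signature, freshness and key binding have all held, so a replayed or substituted key fails before any authorization decision is made. Swapping in a different ephemeral public key, editing the email claim, presenting the credential after `exp`, or presenting a valid identity that is missing from the allow-list each produces a distinct, loggable error.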

Why integrate opkssh with cidaas? Key Benefits at a Glance

Integrating these two powerful tools offers significant advantages:

  • Passwordless & Keyless SSH: Eliminates the need for users to manage static SSH keys or passwords for server access.
  • Enhanced Security: Leverages short-lived credentials tied to OIDC authentication sessions, drastically reducing the risk associated with compromised static keys. Access automatically expires when the OIDC session ends.
  • Centralized Identity Management: Uses cidaas as the single source of truth for user identity and authentication policy (including MFA, conditional access, etc.) for SSH access.
  • Simplified Operations: No more manual distribution, rotation, or revocation of SSH keys for users. Onboarding and offboarding become much easier.
  • Improved Auditability: SSH access events are directly linked to auditable OIDC authentication events within cidaas.
  • CA-less Architecture: Avoids the complexity and cost associated with setting up and maintaining a traditional SSH Certificate Authority.

Real-World Use Cases for opkssh & cidaas

Whether you’re securing developer access to cloud infrastructure or tightening CI/CD pipeline permissions, the combination of opkssh and cidaas delivers a scalable, identity-driven approach to SSH authentication. Below are practical scenarios where this integration simplifies access control while enhancing security and auditability.

Typical scenarios:

  • Organizations using cidaas as their central IAM.
  • Development teams needing secure access to cloud environments (AWS, GCP, Azure).
  • Securing access for CI/CD pipelines.
  • Improving security posture and adopting Zero Trust principles for infrastructure access.
  • Simplifying SSH access management in large or dynamic organizations.

Conclusion: SSH access reimagined – Get started today

Combining the CA-less, OIDC-driven approach of opkssh with the robust identity management capabilities of cidaas represents a significant step forward in securing and simplifying SSH access. By leveraging the identities you already manage in cidaas, you can move towards a more secure, streamlined, and user-friendly authentication model for your infrastructure.

Ready to simplify your SSH access strategy? Get in touch or book a demo to get started.
