# SSH OIDC
Welcome to the comprehensive documentation for ssh-oidc, a solution that enables SSH access using federated identities through OpenID Connect.
A demo instance that supports oinit, mccli and web-ssh is provided here.
## Mini Demo

## What is ssh-oidc?
ssh-oidc is a collection of tools that lets you use a federated identity (such as your university or organisation login) to access SSH servers securely. Instead of managing SSH keys, users authenticate with their existing institutional credentials via OpenID Connect.
Multiple components work together:
- motley-cue (server-side: identity mapping and user provisioning)
- oidc-agent (client-side: obtaining and managing OIDC tokens)
Depending on the authentication mechanism:
- oinit (client- and server-side) for SSH certificates
- mccli (client-side wrapper)
- pam-ssh-oidc (server-side PAM module for authenticating with access tokens)
- Other supporting tools
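The two server-side steps the components above share, token validation (what pam-ssh-oidc relies on) and mapping the federated identity to a local account (what motley-cue does), are sketched here as an added example. This is not code from ssh-oidc, motley-cue or pam-ssh-oidc: the issuer URL, audience, shared secret and the `fed_<hash>` username scheme are all assumptions made so the example runs offline. A real deployment verifies an asymmetric (RS256/ES256) signature against the issuer's published keys or calls the issuer's introspection/userinfo endpoint; the HS256 token here is constructed locally purely so that the checks can be exercised.

```python
"""Illustrative access-token check and identity mapping for an SSH login.

Added example, not ssh-oidc project code. Constructed values only.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed trust configuration (assumption): issuer -> shared HMAC secret.
TRUSTED_ISSUERS = {"https://login.example.org/oidc": b"constructed-shared-secret"}
# Constructed audience the SSH server expects tokens to be minted for.
REQUIRED_AUDIENCE = "ssh-oidc-demo"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer, subject, lifetime_s, now=None):
    """Stand-in for the OpenID Provider: mint a constructed HS256 JWT."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": REQUIRED_AUDIENCE,
              "iat": now, "exp": now + lifetime_s}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(TRUSTED_ISSUERS[issuer], signing_input.encode(),
                   hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token, now=None):
    """Return the claims if the token is trustworthy; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h64))
    claims = json.loads(b64url_decode(c64))
    # Pin the algorithm: never let the token choose it ('none', key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # The issuer claim selects the key, but only a configured issuer is accepted.
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    if claims.get("aud") != REQUIRED_AUDIENCE:
        raise ValueError("wrong audience")
    # Expiry is what gives time-limited access: no manual revocation needed.
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def map_to_local_user(claims):
    """Deterministic local username from (iss, sub) (assumed scheme).

    Binding the account to the federated identity rather than to a key is
    what makes sharing pointless: the same person always lands on the same
    account, and nobody reaches it without that identity's own token.
    """
    digest = hashlib.sha256((claims["iss"] + "#" + claims["sub"]).encode()).hexdigest()
    return "fed_" + digest[:12]


def authorize_login(token, existing_users, now=None):
    """Return (username, provisioned_now); raise ValueError if login is denied."""
    claims = verify_token(token, now)
    user = map_to_local_user(claims)
    created = user not in existing_users
    existing_users.add(user)  # stand-in for creating the account on first login
    return user, created


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = mint_token("https://login.example.org/oidc", "alice@example.org", 3600, now=t0)
    users = set()
    print(authorize_login(token, users, now=t0))          # first login provisions the account
    print(authorize_login(token, users, now=t0 + 60))     # second login reuses it
    try:
        authorize_login(token, users, now=t0 + 3600)      # expired: denied without any revocation step
    except ValueError as exc:
        print("denied:", exc)
```

The order of checks matters: the algorithm is pinned before anything else, the issuer is looked up in local configuration before its key is used, and the signature is verified before any other claim (audience, expiry) is trusted. The hash-based username is just one possible mapping; what matters is that it is derived from `(iss, sub)`, the pair that uniquely identifies a federated user.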
## Why ssh-oidc?
Traditional SSH authentication has several limitations in federated environments:
- SSH keys are long-lived and can be copied and shared across devices and teams
- No built-in expiration: access persists until a key is manually revoked
- Trust-on-First-Use (TOFU) model for host keys
- SSH key management is difficult at scale
- No integration with federated identity providers
ssh-oidc addresses these problems with:
- Time-limited access: tokens and certificates expire, so access lapses without manual revocation
- Strong binding of access to a federated identity, which makes key sharing pointless
- Dynamic user provisioning: no pre-existing local accounts needed
- Single Sign-On across multiple systems
- Audit trails and user traceability
- Works with standard SSH: no modified SSH client required