Where and how to install the components

Packages are available for the majority of linux distributions from our KIT repo server.

Some of these packages are available for Mac (via homebrew), too.

Windows ssh-client users have reported to be happy with WSL.

The examples show the installation with debian based systems. We are confident that you are smart enought to install the same package using yum, or zypper. ;)

SSH Server

SSH CertificatesAccess Tokens

You need motley-cue and oinit-openssh, as well as oinit-ca.

The oinit-ca may also be deployed on a dedicated ssh-ca host.

apt install motley-cue oinit-openssh oinit-ca

You need motley-cue and pam-ssh-oidc.

You may remove the -autoconfig from the package name, if you want to edit files in /etc/pamd.d/ manually details here.

apt install motley-cue pam-ssh-oidc-autoconfig

To verify the installation: ssh to the host (with any username). Your client should prompt “Access Token:”, and alternate the prompt with “Password:”.

Notice

• You will likely want to configure the way usernames and groups are configured in Motley Cue.

SSH-CA on a separate host

You can easily install the oinit-ca on a different host:

1. Make sure that the hosts /etc/oinit/config.ini points to the to the right Motley Cue URL.
2. oinit clients will try to find the oinit-ca by trying these locations: 1 Automatic: https://<ssh_hostname>/oinit 2 DNS: the TXT record of _oinit.<ssh_hostname> 3 Cmdline: users of oinit can specify the oinit-ca URL via

   oint add <ssh-host>[:port] http[s]://<ca-host>[:<port>][/path]`
   

3. Ensuring that ssh-certificates are correctly setup (find a good walk-through at https://bash-prompt.net/guides/ssh-certificates

Further information about oinit-ca is given under technical details.

Last change: Feb 17, 2026 19:12:17