Where and how to install the components

Packages are available for the majority of linux distributions from our KIT repo server.

Some of these packages are available for Mac (via homebrew), too.

Windows ssh-client users have reported to be happy with WSL.

The examples show the installation with debian based systems. We are confident that you are smart enought to install the same package using yum, or zypper. ;)

TODO: Click on the linked names to go to the configuration sections of the softwares

SSH Client

Access TokensSSH Certificates

You need mccli, we also recommend oidc-agent.

####
# as an admin:
apt install oidc-agent pipx

####
# as a user:
pipx install mccli

# if no oidc-agent account is yet installed, do so now:
# details: https://indigo-dc.gitbook.io/oidc-agent/user/oidc-gen

You need oinit, we also recommend oidc-agent.

apt install oinit oidc-agent

SSH Server

Access TokensSSH Certificates

You need motley-cue and pam-ssh-oidc.

You may remove the -autoconfig from the package name, if you want to edit files in /etc/pamd.d/ manually details here.

apt install motley-cue pam-ssh-oidc-autoconfig

To verify the installation: ssh to the host (with any username). Your client should prompt “Access Token:”, and alternate the prompt with “Password:”.

You need motley-cue and oinit-openssh, as well as oinit-ca.

The oinit-ca may also be deployed on a dedicated ssh-ca host.

apt install motley-cue oinit-openssh oinit-ca

Once the first login worked

• You will likely want to configure the way usernames and groups are configured in Motley Cue.

Last change: Aug 18, 2025 11:21:32