Cloudflare has released an open-source tool called OPKSSH (OpenPubkey SSH), which allows developers and IT teams to use identity-based single sign-on instead of traditional SSH keys for server access. The move aims to improve both security and usability for managing secure shell (SSH) connections.
The tool integrates OpenID Connect (OIDC) — a widely used identity authentication protocol — into the SSH process. Instead of relying on long-lived private keys, OPKSSH generates short-term, ephemeral keys based on a user’s login session with an identity provider. This reduces the risk of key theft and simplifies access management across teams.
“Users can generate SSH credentials by signing in with their identity provider,” said Cloudflare in the announcement. “This lets them connect to servers from any device with OPKSSH installed, without needing to carry private keys.”
Originally developed by BastionZero, now part of Cloudflare, OPKSSH has been released under the Apache 2.0 open source license. Administrators can authorize users by email, improving visibility and access tracking. The project has been contributed to the broader OpenPubkey ecosystem and is now available on GitHub.
