# Install opkssh with Homebrew, apt, dnf, Nix, winget

Enables SSH to be used with OpenID Connect. Version 0.15.0 via Homebrew; verified 2026-06-24.

## Install

```sh
sudo av install brew:opkssh
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install opkssh
```

  Evidence: local Homebrew formula metadata

### Linux

- Debian apt (92%):

```sh
sudo apt install golang-github-openpubkey-opkssh-dev
```

  Evidence: Debian stable package indexes: golang-github-openpubkey-opkssh-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install opkssh
```

  Evidence: Fedora Rawhide package metadata: opkssh from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#opkssh
```

  Evidence: nixpkgs package indexes: pkgs/by-name/op/opkssh/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

### Windows

- winget (92%):

```sh
winget install --id openpubkey.opkssh -e
```

  Evidence: Windows Package Manager source index: openpubkey.opkssh from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:opkssh
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/opkssh>
- **Version:** 0.15.0
- **Source summary:** Enables SSH to be used with OpenID Connect
- **Homepage:** <https://eprint.iacr.org/2023/296>
- **Repository:** <https://github.com/openpubkey/opkssh>
- **Upstream docs:** <https://github.com/openpubkey/opkssh#readme>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/openpubkey/opkssh/archive/refs/tags/v0.15.0.tar.gz>
- **Last updated:** 2026-06-24T19:03:06Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- opkssh (cli)
- opkssh (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.15.0
- Package-manager updated: 2026-06-24
- Local data: ok
- Upstream repository: https://github.com/openpubkey/opkssh
- Upstream latest detected: v0.15.0 (current)
## Project history and usage

opkssh, short for OpenPubkey SSH, brings OpenID Connect identity into ordinary SSH login flows. It lets administrators authorize identities such as email addresses and groups instead of distributing long-lived SSH public keys, while still using the stock SSH client and server protocol.

### Project history

The tool is built on OpenPubkey, a protocol described in a 2023 IACR paper that binds a user-held public key into an OpenID Connect ID Token, turning that token into what the authors call a PK Token. opkssh applies that idea to SSH by generating an SSH key/certificate carrying the PK Token and by configuring sshd to verify it.

Cloudflare announced on 2025-03-25 that it had open-sourced OPKSSH under the OpenPubkey project. The announcement says the OpenPubkey protocol became an open source Linux Foundation project in 2023, while OPKSSH had remained closed source under BastionZero, later Cloudflare, until the donation.

### Adoption history

The project moved quickly into normal package-manager territory for a security tool: its metadata lists packages for Homebrew, Debian development packages, Fedora, Nix, and Windows winget, and the README documents Homebrew, winget, Chocolatey, Nix, and direct binary installs.

### How it is used

A user runs `opkssh login`, authenticates in a browser with an OpenID Provider, and receives a generated SSH key whose public side contains the OpenPubkey token. On the server, opkssh is used through sshd's `AuthorizedKeysCommand` hook, so the verifier can extract the PK Token, validate the identity provider signature and expiry, and map the identity to a Unix or Windows account.

Operators use `/etc/opk/providers` to choose trusted OpenID Providers and client IDs, and `/etc/opk/auth_id` or per-user equivalents to authorize identities, subjects, or group claims. The design gives SSH administrators an SSO-style access list without changing the SSH wire protocol.

### Why package nerds care

opkssh is interesting because it packages an identity-protocol research result as a small CLI that plugs into a decades-old Unix extension point. For package nerds, the notable bit is not a new daemon or a replacement SSH stack, but a cross-platform binary that makes SSH key lifecycle policy distributable through package managers.

### Timeline

- 2023: OpenPubkey is published as a protocol for binding OpenID Connect ID Tokens to user-held public keys.
- 2023: OpenPubkey becomes an open source Linux Foundation project, according to Cloudflare's OPKSSH open-source announcement.
- 2025-03-25: Cloudflare announces that OPKSSH has been donated to the OpenPubkey project and released as open source.

### Related projects

- OpenPubkey is the underlying protocol. OpenSSH supplies the client/server behavior and `AuthorizedKeysCommand` integration point. The broader ecosystem includes OpenID Providers such as Google, Microsoft Entra ID, GitLab, Keycloak, Authentik, Authelia, Zitadel, and similar OIDC services.

### Sources

- <https://blog.cloudflare.com/open-sourcing-openpubkey-ssh-opkssh-integrating-single-sign-on-with-ssh/>
- <https://eprint.iacr.org/2023/296>
- <https://formulae.brew.sh/formula/opkssh>
- <https://github.com/openpubkey/opkssh>


## Security Notes

broad file, network, media, or database tool signal.

- **Geiger risk:** blue / medium
- broad file, network, media, or database tool signal


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Linux: /etc/opk/providers, /etc/opk/auth_id, /etc/opk/policy.d/*.yml
- Unix: ~/.opk/config.yml
- Windows: %ProgramData%\opk\providers, %ProgramData%\opk\auth_id
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** opkssh
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - golang-github-openpubkey-opkssh-dev - 0.4.0-1: normalized package name match | Debian stable package indexes: golang-github-openpubkey-opkssh-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | OpenPubkey SSH tools for OpenID SSH logins (library) | https://github.com/openpubkey/opkssh
- Debian apt - opkssh - 0.4.0-1+b2: normalized package name match | Debian stable package indexes: opkssh from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | OpenPubkey SSH tools for OpenID SSH logins (program) | https://github.com/openpubkey/opkssh
- Nix - opkssh: normalized package name match | nixpkgs package indexes: pkgs/by-name/op/opkssh/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- dnf - opkssh - 0.14.0-2.fc45: normalized package name match | Fedora Rawhide package metadata: opkssh from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | OpenPubkey SSH | https://github.com/openpubkey/opkssh
- dnf - opkssh-doc - 0.14.0-2.fc45: normalized package name match | Fedora Rawhide package metadata: opkssh-doc from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Documentation for OpenPubkey SSH | https://github.com/openpubkey/opkssh
- dnf - opkssh-server - 0.14.0-2.fc45: normalized package name match | Fedora Rawhide package metadata: opkssh-server from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Server configuration for OpenPubkey SSH | https://github.com/openpubkey/opkssh
- dnf - opkssh-server-selinux - 0.14.0-2.fc45: normalized package name match | Fedora Rawhide package metadata: opkssh-server-selinux from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | SELinux policy for OpenPubkey SSH | https://github.com/openpubkey/opkssh
- winget - openpubkey.opkssh: normalized package name match | Windows Package Manager source index: openpubkey.opkssh from https://cdn.winget.microsoft.com/cache/source.msix


## Related links

- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [pocket-id](https://www.automicvault.com/pkg/brew/pocket-id/) - Shares av.db curated category or tags: authentication, cli, identity-access, oidc, security.
- [signmykey](https://www.automicvault.com/pkg/brew/signmykey/) - Shares av.db curated category or tags: cli, identity-access, security, ssh.
- [granted](https://www.automicvault.com/pkg/brew/granted/) - Shares av.db curated category or tags: cli, identity-access, security.
- [monkeysphere](https://www.automicvault.com/pkg/brew/monkeysphere/) - Shares av.db curated category or tags: authentication, cli, security, ssh.
- [oauth2_proxy](https://www.automicvault.com/pkg/brew/oauth2-proxy/) - Shares av.db curated category or tags: authentication, cli, oidc, security.
- [shibboleth-sp](https://www.automicvault.com/pkg/brew/shibboleth-sp/) - Shares av.db curated category or tags: authentication, cli, security, single-sign-on.
- [authoscope](https://www.automicvault.com/pkg/brew/authoscope/) - Shares av.db curated category or tags: authentication, cli, security.
- [cyrus-sasl](https://www.automicvault.com/pkg/brew/cyrus-sasl/) - Shares av.db curated category or tags: authentication, cli, security.
- [dexidp](https://www.automicvault.com/pkg/brew/dexidp/) - Security-sensitive metadata or terminology overlaps. Shared terms: authentication, cli, connect, identity, openid.

## Combined YAML source

View the package source record on GitHub. [combined/opkssh.yml](https://github.com/automic-vault/db/blob/main/combined/opkssh.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
