BastionZero introduces a new approach to using OpenPubkey, expanding it from file signing to Secure Shell login. This allows Secure Shell login without embedding users' public keys on the server, eliminating the risk of expired or compromised keys.
The OpenPubkey SSH project is divided into two parts. The first creates an SSH certificate from a PK Token obtained through an OpenID Connect login. The second, on the server side, is a certificate verification program that relies on the PK Token.
OpenSSH already supports certificate verification using a Certification Authority (CA). In the past, large organizations may have used a CA to issue short-lived certificates for users. However, with OpenPubkey, users can create their own certificates through Gmail or other OpenID Connect logins, eliminating the need for managing a CA.
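To make the two halves concrete, here is an added illustration (not BastionZero's or the OpenPubkey project's code): a client builds a minimal OpenSSH certificate that carries a constructed, unsigned PK Token as a certificate extension, and a server-side check accepts the certificate only if the token is unexpired and commits to the very key in the certificate, so no key has to be pre-installed on the server. The extension name `openpubkey-pkt`, the simplified nonce commitment (a SHA3-256 hash of the user's key) and the omission of the OpenID provider's signature check are assumptions of this example, not details from the page.

```python
import base64, hashlib, json, struct

def ssh_string(b): return struct.pack(">I", len(b)) + b          # SSH wire "string"
def read_string(buf, pos):                                        # read one SSH "string"
    n = struct.unpack(">I", buf[pos:pos + 4])[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n
def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
PKT_EXT = b"openpubkey-pkt"   # assumed extension name, not taken from the page

def commitment(upk):
    # Assumed, simplified stand-in for OpenPubkey's commitment: the OIDC nonce
    # binds the user's public key into the ID token (the real scheme commits more).
    return b64u(hashlib.sha3_256(upk).digest())

def make_pk_token(upk, email, exp):
    # Constructed ID token used as the PK Token; the provider signature is left empty.
    hdr = b64u(json.dumps({"alg": "RS256"}).encode())
    body = b64u(json.dumps({"email": email, "exp": exp, "nonce": commitment(upk)}).encode())
    return (hdr + "." + body + ".").encode()

def make_cert(upk, pkt, principal, valid_after, valid_before):
    # Minimal ssh-ed25519-cert-v01@openssh.com body carrying the PK Token as an
    # extension; CA signature fields are empty because the verifier trusts the token.
    p = principal.encode()
    return b"".join([ssh_string(b"ssh-ed25519-cert-v01@openssh.com"), ssh_string(b"nonce"),
        ssh_string(upk), struct.pack(">QI", 1, 1), ssh_string(p), ssh_string(ssh_string(p)),
        struct.pack(">QQ", valid_after, valid_before), ssh_string(b""),
        ssh_string(ssh_string(PKT_EXT) + ssh_string(ssh_string(pkt))),
        ssh_string(b""), ssh_string(b""), ssh_string(b"")])

def authorized_keys_line(upk):
    return "ssh-ed25519 " + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(upk)).decode()

def authorized_key_for(cert, now):
    # Server-side check: returns the authorized_keys line to accept, or None.
    # Assumes the PK Token's provider signature was already verified (not shown).
    _, pos = read_string(cert, 0); _, pos = read_string(cert, pos)   # cert type, cert nonce
    upk, pos = read_string(cert, pos)                                # user's public key
    pos += 12                                                        # serial (u64) + type (u32)
    _, pos = read_string(cert, pos); _, pos = read_string(cert, pos) # key id, principals
    va, vb = struct.unpack(">QQ", cert[pos:pos + 16]); pos += 16
    _, pos = read_string(cert, pos)                                  # critical options
    exts, pos = read_string(cert, pos)
    pkt, p = None, 0
    while p < len(exts):
        name, p = read_string(exts, p); val, p = read_string(exts, p)
        if name == PKT_EXT: pkt, _ = read_string(val, 0)
    if pkt is None or not (va <= now < vb): return None
    claims = json.loads(unb64u(pkt.decode().split(".")[1]))
    if claims["exp"] <= now or claims["nonce"] != commitment(upk): return None
    return authorized_keys_line(upk)    # key is bound to the token, never pre-installed
```

A real deployment would also verify the token's signature against the OpenID provider's published keys and map the token's identity claim to an allowed principal before returning a key.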
TLDR: BastionZero introduces OpenPubkey for Secure Shell login, eliminating the need for embedding public keys on servers. OpenPubkey allows users to create their own certificates using Gmail or other OpenID Connect logins, reducing the reliance on a Certification Authority.