by EthanHeilman
449 days ago
That documentation refers to a much older and closed-source version of opkssh.

> It seems like to use OpenPubKey you also need a fairly modern version of OpenSSH.

On versions of OpenSSH older than 8.1 (2019), you may run into issues if you have a huge ID Token. That shouldn't be a problem for standard-sized ID Tokens, but some enterprise OIDC solutions put the phone book in an ID Token and we have to care about that.

> It also requires that the user authenticating have sudo access on the machine, which doesn't sound great.

The user authenticating does not need sudo access. You only need sudo access to install it. You need sudo to install most software on servers.

> It's not clear to me whether it's possible for the existing authorized_keys file to co-exist or whether that's just to stop access using existing keys

opkssh works just fine in parallel to authorized_keys. We are using the AuthorizedKeysCommand config option in sshd_config, so opkssh functions like an additional authorized_keys file. My recommendation is that you use authorized_keys as a breakglass mechanism.