- Key Sprawl: Thousands of orphaned keys across infrastructure
- No Rotation: Keys created in 2018 still granting production access
- No Audit Trail: Who has access to what? Nobody actually knows
- Onboarding Nightmare: New employees wait days/weeks for SSH access
- Offboarding Disaster: Former employees' keys linger indefinitely
- Break Glass: No reliable emergency access when keys are lost
- Compliance Failure: Auditors hate SSH key management (for good reason)
- Ansible/Puppet for key management: Brittle, slow, doesn't scale
- Bastion hosts: Single points of failure, poor UX
- VPN + traditional auth: Still need SSH keys on the other side
- Cloud-specific solutions: Vendor lock-in, incomplete coverage
- Certificate authorities: Complex, brittle, operational overhead
- Shared accounts: Security nightmare, no accountability
- Security teams: Constantly fighting SSH key sprawl
- DevOps teams: Spending more time on access than actual work
- Compliance teams: Unable to demonstrate who has access
- IT teams: Manual provisioning/deprovisioning nightmares
- Developers: Frustrating access delays, multiple key management
- Executives: No visibility into infrastructure access risks
Instead of replacing SSH, enhance it with modern authentication:
- First-time authentication: OIDC Device Flow + Passkeys
- Automatic key provisioning: SSH keys managed centrally via identity provider
- Subsequent access: Standard SSH with auto-managed keys
- Lifecycle management: Automatic rotation, revocation, and audit
- Familiar workflow: Developers still use standard SSH
- Enterprise security: Centralized identity management and MFA
- Modern UX: Passkey authentication via mobile device
- Zero key management: SSH keys handled automatically
- Complete audit trail: Every access attempt logged and tracked
- Instant revocation: Remove from IdP = immediate access loss
- Cloud-native: Works across all cloud providers and on-premises
┌─────────────────────────────────────────────────────────────┐
│ OIDC Provider Layer │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Okta │ │ Azure AD │ │ Auth0 │ │
│ │ + Passkeys │ │ + Passkeys │ │ + Passkeys │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Authentication Broker Layer │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ oidc-auth-broker daemon │ │
│ │ • Device Flow Orchestration │ │
│ │ • Token Management & Caching │ │
│ │ • SSH Key Lifecycle Management │ │
│ │ • Multi-Provider Support │ │
│ │ • Audit Logging & Compliance │ │
│ │ • Cloud Metadata Integration │ │
│ └─────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ PAM Integration Layer │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Console │ │ SSH │ │ GUI │ │
│ │ Login │ │ Access │ │ Login │ │
│ │ │ │ │ │ │ │
│ │ pam_oidc.so │ │ pam_oidc.so │ │ pam_oidc.so │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
└─────────────────────────────────────────────────────────────┘
Purpose: Central orchestration service running on each host Technology: Go with systemd integration Key Features:
- OAuth2 Device Flow implementation
- OIDC provider auto-discovery
- Token caching and refresh
- SSH key lifecycle management
- Unix socket interface for PAM
- Real-time configuration updates
- Comprehensive audit logging
- Cloud metadata integration
- High availability clustering
Purpose: Thin client that integrates with all login types Technology: Go with CGO for PAM interface Key Features:
- Standard PAM interface compliance
- Adaptive UX based on login type (console/SSH/GUI)
- Graceful fallback mechanisms
- Broker communication via Unix sockets
- Zero-configuration operation
- Error handling and retry logic
Purpose: Seamless integration with existing enterprise identity Supported Providers:
- Okta (with Universal Directory)
- Azure Active Directory
- Auth0
- Google Workspace
- AWS IAM Identity Center
- Keycloak
- Any OIDC-compliant provider
$ ssh alice@prod-db-01.company.com
🔐 First-time authentication required
📱 Please visit: https://company.okta.com/device
🔑 Enter code: WDJB-MJHT
⏳ Waiting for authentication...
# On mobile device:
# 1. Scan QR code or click URL
# 2. "Sign in to Company Okta" appears
# 3. "Use passkey?" → Yes
# 4. Face ID/Touch ID authenticates
# 5. "Grant SSH access to alice@prod-db-01?" → Approve
✅ Authentication successful!
🔑 SSH key provisioned automatically
🚀 Future logins will use SSH key authentication
Welcome to prod-db-01!
alice@prod-db-01:~$ $ ssh alice@prod-db-02.company.com
🔑 Using cached authentication
✅ Connected instantly!
alice@prod-db-02:~$ $ ssh alice@prod-db-01.company.com
# Standard SSH key authentication - instant login
alice@prod-db-01:~$ Ubuntu 22.04.3 LTS server01 tty1
server01 login: alice
🔐 OIDC Authentication Required
📱 Scan QR code with your phone:
██████████████████████████████
██ ████ ██ ██████ ██ ████
██ ████ ████ ██ ████ ████
██ ████ ██████ ██████ ████
██████████████████████████████
Or visit: https://company.okta.com/device
Enter code: WDJB-MJHT
⏳ Waiting for authentication... ⠋
✅ Welcome alice!
Last login: Wed Jul 16 10:30:45 2025
alice@server01:~$
The Game Changer: 1Password already handles the complex parts
- Passkey storage and sync across all devices
- SSH key generation and secure storage
- SSH agent integration with biometric unlock
- SCIM provisioning from identity providers
- SSO integration with major OIDC providers
- Admin controls and policy enforcement
- Cross-platform support (Mac, Windows, Linux, mobile)
# Initial setup (done once by IT)
$ op signin company.1password.com
$ op auth configure --oidc-provider okta
# Developer's daily workflow
$ ssh prod-server
# 1Password SSH agent detects first-time access
# 1Password: "This server requires OIDC authentication"
# Browser opens to company.okta.com/device
# 1Password extension: "Sign in with passkey?" → Yes
# Face ID authenticates → SSH key automatically provisioned
# Future SSH attempts use 1Password SSH agent
# Zero additional steps for developer!- Automated provisioning: New employee → Okta → 1Password account → SSH keys
- Centralized policies: Key rotation schedules, MFA requirements
- Audit integration: Complete trail of all SSH key usage
- Emergency access: Admin can grant temporary access via 1Password vault sharing
Bitwarden Business: Similar capabilities with self-hosted options Dashlane Business: SSO integration and team management LastPass Enterprise: (Though security track record is concerning)
# CloudFormation/Terraform deployment
Resources:
OIDCAuthBroker:
Type: AWS::EC2::Instance
Properties:
UserData: !Base64
Fn::Sub: |
#!/bin/bash
# Auto-configure from instance metadata
OIDC_PROVIDER=$(aws ssm get-parameter --name /company/oidc/provider --query Parameter.Value --output text)
CLIENT_ID=$(aws ssm get-parameter --name /company/oidc/client-id --query Parameter.Value --output text)
# Install and configure OIDC PAM
curl -sSL https://github.com/company/oidc-pam/releases/latest/download/install.sh | \
OIDC_PROVIDER=$OIDC_PROVIDER CLIENT_ID=$CLIENT_ID bashAWS-Specific Features:
- Instance metadata integration: Auto-discovery of OIDC configuration
- IAM role integration: Broker can assume roles for cross-account access
- Parameter Store: Secure configuration storage
- CloudTrail integration: All authentication events logged
- Systems Manager: Remote management and updates
# ARM template deployment
resources:
- type: Microsoft.Compute/virtualMachines
properties:
osProfile:
customData: !base64
Fn::Sub: |
#!/bin/bash
# Auto-configure from managed identity
TENANT_ID=$(curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://graph.microsoft.com/" | jq -r .tenant_id)
# Configure OIDC PAM with Azure AD
curl -sSL https://github.com/company/oidc-pam/releases/latest/download/install.sh | \
OIDC_PROVIDER="https://login.microsoftonline.com/$TENANT_ID/v2.0" bashAzure-Specific Features:
- Managed Identity integration: Automatic Azure AD configuration
- Key Vault integration: Secure secrets management
- Monitor integration: Detailed authentication analytics
- Conditional Access: Leverage Azure AD policies for SSH access
# Deployment Manager template
resources:
- type: compute.v1.instance
properties:
metadata:
items:
- key: startup-script
value: |
#!/bin/bash
# Auto-configure from instance metadata
PROJECT_ID=$(curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/project/project-id)
# Configure OIDC PAM with Google Workspace
curl -sSL https://github.com/company/oidc-pam/releases/latest/download/install.sh | \
OIDC_PROVIDER="https://accounts.google.com" PROJECT_ID=$PROJECT_ID bashGCP-Specific Features:
- Workload Identity: Service account integration
- Secret Manager: Configuration and key storage
- Cloud Logging: Centralized authentication logs
- Organization policies: Enterprise-wide access controls
// Enhanced device flow with Duo push
type DuoIntegration struct {
ApiHostname string
ClientID string
ClientSecret string
}
func (d *DuoIntegration) EnhanceDeviceFlow(deviceCode string, userInfo OIDCUserInfo) error {
// After OIDC authentication, trigger Duo push
duoAuthID := d.CreateDuoAuth(userInfo.Username, deviceCode)
// Wait for Duo approval
for {
status := d.CheckDuoAuth(duoAuthID)
if status == "allow" {
return nil
}
if status == "deny" {
return errors.New("Duo authentication denied")
}
time.Sleep(2 * time.Second)
}
}// YubiKey FIDO2/WebAuthn through OIDC provider
// No server-side YubiKey integration needed!
// User's YubiKey authenticates to Okta/Azure AD via WebAuthn
// OIDC token includes YubiKey attestation claims
func validateYubiKeyAttestation(token *jwt.Token) error {
claims := token.Claims.(jwt.MapClaims)
// Check for YubiKey-specific claims
if amr, ok := claims["amr"].([]interface{}); ok {
for _, method := range amr {
if method == "hwk" || method == "fido" {
return nil // Hardware key used
}
}
}
return errors.New("Hardware authentication required")
}type RiskAssessment struct {
UserLocation string
DeviceFingerprint string
TimeOfAccess time.Time
AccessPattern string
NetworkTrust string
}
func (b *Broker) AssessRisk(userInfo OIDCUserInfo, context AuthContext) RiskLevel {
risk := RiskLevel{Score: 0}
// Geographic anomaly detection
if b.isUnusualLocation(userInfo.Username, context.SourceIP) {
risk.Score += 30
risk.Factors = append(risk.Factors, "Unusual geographic location")
}
// Time-based analysis
if b.isUnusualTime(userInfo.Username, context.Timestamp) {
risk.Score += 20
risk.Factors = append(risk.Factors, "Access outside normal hours")
}
// Network trust level
if context.NetworkTrust == "untrusted" {
risk.Score += 40
risk.Factors = append(risk.Factors, "Access from untrusted network")
}
// Determine action based on risk score
if risk.Score >= 70 {
risk.Action = "REQUIRE_ADDITIONAL_MFA"
} else if risk.Score >= 40 {
risk.Action = "REQUIRE_APPROVAL"
} else {
risk.Action = "ALLOW"
}
return risk
}type JITAccessRequest struct {
UserID string
TargetResources []string
RequestedAccess string
BusinessJustification string
Duration time.Duration
ApprovalRequired bool
}
func (b *Broker) HandleJITRequest(req JITAccessRequest) (*JITAccessGrant, error) {
// Create time-limited access grant
grant := &JITAccessGrant{
UserID: req.UserID,
Resources: req.TargetResources,
ExpiresAt: time.Now().Add(req.Duration),
GrantID: generateGrantID(),
}
// Generate temporary SSH key pair
tempKeyPair, err := b.generateTempSSHKey(grant.GrantID)
if err != nil {
return nil, err
}
// Provision temporary access
for _, resource := range req.TargetResources {
err := b.provisionTempAccess(resource, tempKeyPair.PublicKey, grant.ExpiresAt)
if err != nil {
b.logger.Error("Failed to provision temp access", "resource", resource, "error", err)
}
}
// Schedule automatic revocation
b.scheduleRevocation(grant)
return grant, nil
}type AuditEvent struct {
Timestamp time.Time `json:"timestamp"`
EventID string `json:"event_id"`
EventType string `json:"event_type"` // "authentication", "authorization", "key_rotation", etc.
// User context
UserID string `json:"user_id"`
UserEmail string `json:"user_email"`
UserGroups []string `json:"user_groups"`
// Authentication details
AuthMethod string `json:"auth_method"` // "oidc_passkey", "ssh_key", "fallback"
OIDCProvider string `json:"oidc_provider"`
MFAMethods []string `json:"mfa_methods"`
// Access context
SourceIP string `json:"source_ip"`
UserAgent string `json:"user_agent"`
TargetResource string `json:"target_resource"`
AccessGranted bool `json:"access_granted"`
// Risk assessment
RiskScore int `json:"risk_score"`
RiskFactors []string `json:"risk_factors"`
// Technical details
SessionID string `json:"session_id"`
TokenFingerprint string `json:"token_fingerprint"`
SSHKeyFingerprint string `json:"ssh_key_fingerprint"`
// Compliance fields
Regulation []string `json:"regulation"` // "SOX", "PCI", "HIPAA", etc.
DataClassification string `json:"data_classification"`
}// Splunk integration
func (a *AuditLogger) SendToSplunk(event AuditEvent) error {
splunkEvent := map[string]interface{}{
"time": event.Timestamp.Unix(),
"host": a.hostname,
"source": "oidc-pam",
"sourcetype": "oidc:authentication",
"event": event,
}
return a.splunkClient.LogEvent(splunkEvent)
}
// ELK Stack integration
func (a *AuditLogger) SendToElasticsearch(event AuditEvent) error {
indexName := fmt.Sprintf("oidc-audit-%s", time.Now().Format("2006.01.02"))
return a.esClient.Index(indexName, event)
}
// Security tool integration
func (a *AuditLogger) SendToSecurityHub(event AuditEvent) error {
if event.RiskScore >= 70 {
finding := SecurityFinding{
Title: "High-risk SSH authentication attempt",
Description: fmt.Sprintf("User %s attempted SSH access with risk score %d", event.UserID, event.RiskScore),
Severity: "HIGH",
Evidence: event,
}
return a.securityHub.CreateFinding(finding)
}
return nil
}# /etc/oidc-auth/policies.yaml
version: "1.0"
policies:
# Global authentication policies
authentication:
require_mfa: true
max_session_duration: "8h"
token_refresh_threshold: "1h"
# Risk-based policies
risk_policies:
- condition: "risk_score >= 70"
action: "require_additional_mfa"
- condition: "unusual_location AND after_hours"
action: "require_approval"
- condition: "untrusted_network"
action: "require_admin_approval"
# Resource-specific policies
resources:
production:
require_groups: ["production-access", "senior-engineers"]
max_session_duration: "4h"
require_approval: true
audit_level: "detailed"
development:
require_groups: ["developers", "contractors"]
max_session_duration: "12h"
audit_level: "standard"
# Sensitive data systems
pci_systems:
require_groups: ["pci-authorized"]
require_hardware_mfa: true
max_session_duration: "2h"
require_continuous_auth: true
data_classification: "PCI"
# Time-based access controls
time_restrictions:
- resources: ["production", "pci_systems"]
allowed_hours: "06:00-22:00"
timezone: "UTC"
exceptions: ["on-call-group"]
# Emergency access procedures
emergency_access:
break_glass_roles: ["incident-commander", "security-admin"]
approval_required: true
max_duration: "1h"
automatic_notification: ["security-team", "compliance-team"]type BrokerCluster struct {
Nodes []BrokerNode
LoadBalance LoadBalancer
HealthCheck HealthChecker
Failover FailoverManager
}
func (c *BrokerCluster) HandleAuthRequest(req AuthRequest) (*AuthResponse, error) {
// Select healthy broker node
node := c.LoadBalance.SelectNode(c.Nodes)
if node == nil {
return nil, errors.New("No healthy broker nodes available")
}
// Attempt authentication
resp, err := node.Authenticate(req)
if err != nil {
// Failover to backup node
backupNode := c.Failover.SelectBackup(node)
if backupNode != nil {
return backupNode.Authenticate(req)
}
return nil, err
}
return resp, nil
}// Redis-based state sharing between broker instances
type StateManager struct {
redis *redis.Client
etcd *etcd.Client
localCache *cache.Cache
}
func (s *StateManager) StoreTokenCache(userID string, token TokenCache) error {
// Store in multiple backends for redundancy
data, _ := json.Marshal(token)
// Primary: Redis with TTL
err := s.redis.SetEX(fmt.Sprintf("token:%s", userID), data, token.ExpiresIn).Err()
if err != nil {
s.logger.Warn("Failed to store token in Redis", "error", err)
}
// Secondary: etcd for consistency
_, err = s.etcd.Put(context.Background(), fmt.Sprintf("/oidc-auth/tokens/%s", userID), string(data))
if err != nil {
s.logger.Warn("Failed to store token in etcd", "error", err)
}
// Local cache for performance
s.localCache.Set(userID, token, token.ExpiresIn)
return nil
}Core Infrastructure
- Authentication broker daemon (Go)
- Basic PAM module with CGO interface
- OIDC Device Flow implementation
- Unix socket IPC between PAM and broker
- Basic configuration system
- Console and SSH authentication support
- Unit and integration test framework
Deliverables:
- Working prototype for SSH authentication
- Basic OIDC provider integration (Okta, Azure AD)
- Development and testing environment
Enhanced UX and Display
- QR code generation and display
- Terminal capability detection
- GUI desktop integration (notifications)
- Mobile-optimized authentication pages
- Progress indicators and user feedback
- Error handling and user guidance
Deliverables:
- Polished user experience across all login types
- Mobile-first authentication flow
- Comprehensive error handling
Enterprise Features
- 1Password SSH agent integration
- Advanced audit logging and SIEM integration
- Policy engine and risk-based authentication
- Cloud provider metadata integration (AWS, Azure, GCP)
- Multi-provider OIDC support
- High availability and clustering
Deliverables:
- Enterprise-ready authentication solution
- Complete audit and compliance features
- Cloud-native deployment options
Advanced Features
- Just-in-time access provisioning
- Hardware security module integration
- Continuous authentication and session management
- Advanced MFA scenarios (Duo, YubiKey, etc.)
- Zero-trust network integration
- Machine identity support
Deliverables:
- Advanced security features
- Zero-trust architecture support
- Complete MFA ecosystem integration
Production Readiness
- Performance optimization and caching
- Monitoring and observability
- Automated deployment and configuration
- Disaster recovery and backup procedures
- Documentation and training materials
- Customer pilot programs
Deliverables:
- Production-ready solution
- Complete operational runbooks
- Customer success stories
- Size: 50,000+ companies with 100+ cloud instances
- Pain Points: SSH key sprawl, compliance requirements, security incidents
- Budget: $50K-$500K annual budget for identity and access management
- Decision Makers: CISOs, Cloud Architects, DevOps Directors
- Financial Services: Banks, fintech, payment processors
- Healthcare: Hospitals, health tech, pharmaceutical
- Government: Federal agencies, defense contractors
- Specific Needs: Strict compliance, audit trails, risk management
- Characteristics: Distributed teams, cloud infrastructure, security-conscious
- Needs: Seamless remote access, modern authentication, user experience
- Growth: Rapidly expanding market post-COVID
HashiCorp Vault SSH:
- ✅ Enterprise-grade secret management
- ❌ Complex setup and operational overhead
- ❌ Requires Vault infrastructure
- ❌ Poor user experience for developers
Teleport:
- ✅ Comprehensive access plane solution
- ❌ Requires complete infrastructure replacement
- ❌ Expensive licensing model
- ❌ Vendor lock-in concerns
AWS Systems Manager Session Manager:
- ✅ Integrated with AWS infrastructure
- ❌ AWS-only solution
- ❌ Limited SSH functionality
- ❌ Poor cross-cloud support
CyberArk Privileged Access:
- ✅ Enterprise security features
- ❌ Complex deployment and management
- ❌ Expensive enterprise pricing
- ❌ Traditional architecture
Smallstep SSH:
- ✅ Modern certificate-based approach
- ❌ Limited enterprise features
- ❌ Complex certificate management
- ❌ Requires infrastructure changes
- Leverages existing infrastructure: Works with current OIDC providers
- Familiar user experience: Standard SSH workflow maintained
- Modern authentication: Passkeys and mobile-first design
- Enterprise integration: Deep integration with existing tools
- Cloud-native: Designed for modern cloud architectures
- Open source foundation: Transparent, extensible, community-driven
- Core product: Open source under Apache 2.0
- Revenue streams:
- Enterprise support subscriptions ($10K-$100K/year)
- Professional services and implementation
- Training and certification programs
- Premium enterprise features (advanced analytics, compliance reporting)
- Free tier: Up to 10 servers, basic features
- Pro tier: $5-10/server/month, advanced features
- Enterprise tier: Custom pricing, white-glove support
- Traditional software licensing: $50K-$500K initial license
- Annual maintenance: 20% of license fee
- Professional services: Custom implementation and integration
- Open source release: GitHub, comprehensive documentation
- Developer evangelism: Conference talks, blog posts, demos
- Community building: Discord/Slack, contributor programs
- Content marketing: Technical deep-dives, use case studies
- Pilot programs: Free implementation for select customers
- Case studies: Success stories and ROI documentation
- Partner ecosystem: Integration with 1Password, Okta, etc.
- Industry events: RSA, re:Invent, KubeCon presentations
- Sales team: Enterprise sales specialists
- Channel partnerships: Cloud providers, system integrators
- Marketing automation: Lead generation and nurturing
- International expansion: EU, APAC market entry
- Passkeys adoption: Major platforms (iOS, Android, Windows) now support passkeys
- Zero-trust architecture: Enterprises moving away from VPN-based access
- Cloud-native security: Traditional perimeter security is obsolete
- Developer experience focus: Companies prioritizing developer productivity
- Compliance automation: Manual compliance processes are unsustainable
- SSH key management crisis: Current solutions don't scale
- Security incident awareness: High-profile breaches highlight access management risks
- Remote work normalization: Distributed teams need better access solutions
- Cloud adoption maturity: Enterprises have OIDC infrastructure in place
- Mobile-first mindset: Users expect smartphone-based authentication
- Hybrid approach: Combines modern auth with familiar SSH workflows
- Vendor agnostic: Works with any OIDC provider, any cloud
- Minimal infrastructure: Leverages existing identity systems
- Open source: Transparent, auditable, extensible
- Enterprise-ready: Built for compliance and scale from day one
- Clear architecture: Well-defined technical approach
- Proven components: Building on established technologies (OIDC, PAM, SSH)
- Incremental deployment: Can be rolled out gradually
- Risk mitigation: Fallback mechanisms protect against failure
- Community potential: Open source can drive rapid adoption
This isn't just another authentication solution - it's the missing link that makes modern identity work with traditional infrastructure. By combining:
- Enterprise identity systems (Okta, Azure AD) that companies already have
- Modern authentication (Passkeys) that users actually want to use
- Traditional SSH that developers and operations teams rely on
- Cloud-native architecture that scales with modern infrastructure
We're creating a solution that actually works in the real world, rather than requiring enterprises to rebuild their entire access infrastructure.
The market is ready, the technology is mature, and the pain point is acute. This is the perfect storm for a breakthrough solution that can define the next generation of enterprise authentication.
Time to build it. 🚀