OpenPubkey
OIDC‑Backed SSH and Workload Identity Without PKI Pain
- $179.00
Editorial description
SSH still runs the world, yet most organizations pay an ongoing “PKI tax” in the form of long‑lived keys, brittle rotation, and sprawling authorized_keys files that quietly outlive teams and incidents. This book is written for experienced security engineers, platform/SRE leaders, and identity-minded builders who want to replace key distribution and homegrown SSH PKI with something simpler: short‑lived, identity-backed access rooted in an existing OIDC provider.
You’ll learn the exact invariants that make OIDC and JWT verification safe in production—issuer and audience pinning, JWKS discovery, caching and rotation strategies, clock skew, and failure handling—and how CLI login flows (browser callbacks, device flow, refresh behavior) shape both UX and threat surface. From there, the book dives into the OpenPubkey protocol itself: PK Tokens, what they prove, how identity is bound to a public key, and the strict division of responsibilities between client and verifier. Finally, it applies these primitives to opkssh, walking end‑to‑end from OIDC login to an SSH session, then into real-world authorization policy, identity-to-Unix mapping, and threat modeling for replay, misconfiguration, and provider hazards—plus workload identity for secretless automation and artifact trust.
Readers should be comfortable with SSH operations and security basics; OIDC is taught from a builder’s perspective with verifier-grade rigor. The focus is practical and operational: hardening checklists, rollout/rollback tactics, and vers