GitHub Repository

OIDC SSH login for Linux with DPoP — replace static SSH keys with IdP-issued tokens, no gateway

23 stars · Rust

Prmana – OIDC SSH Login for Linux with DPoP (Rust, Apache 2.0)

by cbchhaya · Apr 14, 2026 · 3 points · 1 comment

AI Analysis

●● Solid · Niche Gem · Ship It · Solve My Problem

DPoP-bound OIDC tokens replace static SSH keys without requiring a gateway or CA.

Strengths
  • DPoP (RFC 9449) binds each token to a client-held private key and requires a fresh signed proof per authentication, so a stolen token cannot be replayed the way a bearer token can.
  • Uses standard sshd and PAM, avoiding gateway or proxy infrastructure and leaving the SSH client untouched.
  • The DPoP private key can be held in software, a YubiKey (PKCS#11) or a TPM 2.0, so the secret that proves possession need not sit on disk the way a static SSH key does.
Weaknesses
  • Early stage: few stars and no visible community adoption yet.
  • Requires installing the PAM module and editing PAM configuration on every host; keeping that consistent across a large fleet is fragile, and a misconfigured PAM stack can lock users out.
Target Audience

DevOps engineers, Security teams, System administrators

Similar To

Teleport · ssh-oidc · StrongDM

Post Description

prmana replaces static SSH keys with short-lived OIDC tokens validated at the host through PAM. What makes it different from other OIDC-for-SSH approaches is DPoP (RFC 9449) — every authentication includes a cryptographic proof that the token holder has the private key. Stolen tokens can't be replayed.

Three components: a PAM module (pam_prmana.so), a client agent (prmana-agent), and a shared OIDC/JWKS library (prmana-core). All Rust.

DPoP keys can be software, YubiKey (PKCS#11), or TPM 2.0. No gateway, no SSH CA, no patches to sshd. Standard ssh client, standard sshd, PAM in between.

Tested against Keycloak, Auth0, Google, and Entra ID.

The name is from Sanskrit — pramana (प्रमाण) means "proof."
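The possession check the post describes, written out as an added Go example for this page. It is not prmana's code (prmana is Rust and runs inside PAM; nothing below is its API) and it follows RFC 9449 generically: the client signs a `dpop+jwt` proof with its own P-256 key, and the verifier checks that the key in the proof header matches the access token's `cnf.jkt` thumbprint (RFC 7638), that the ES256 signature verifies under that key, that the proof is for this request and this token (`htm`, `htu`, `ath`), that it is fresh (`iat`), and that its `jti` has not been seen before. The request-binding values `"SSH"` and `"ssh://host.example"`, the opaque token string and the one-minute window are constructed placeholders; the page does not say how prmana maps the RFC's HTTP-shaped claims onto an SSH login.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE base64url, no padding
func sha256b(b []byte) []byte   { h := sha256.Sum256(b); return h[:] }
func sha256b64(b []byte) string { return b64.EncodeToString(sha256b(b)) }
// JWK is the public key in the proof header. json.Marshal sorts map keys, giving the RFC 7638 canonical form.
type JWK map[string]string
func pubToJWK(pub *ecdsa.PublicKey) JWK {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return JWK{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}
}
// Thumbprint is the RFC 7638 JWK thumbprint (required members only); the IdP puts it in the token's cnf.jkt claim.
func Thumbprint(k JWK) string {
	canon, _ := json.Marshal(JWK{"crv": k["crv"], "kty": k["kty"], "x": k["x"], "y": k["y"]})
	return sha256b64(canon)
}
type claims struct {
	JTI string `json:"jti"` // unique per proof: the verifier's replay key
	HTM string `json:"htm"` // request binding (the HTTP method in RFC 9449)
	HTU string `json:"htu"` // request binding (the HTTP URI in RFC 9449)
	IAT int64  `json:"iat"` // issued-at, for freshness
	ATH string `json:"ath"` // base64url(SHA-256(access token)) the proof accompanies
}

// MakeProof is the client side: an ES256 DPoP proof JWT over accessToken for one request.
func MakeProof(priv *ecdsa.PrivateKey, htm, htu, accessToken string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": pubToJWK(&priv.PublicKey)})
	jti, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // 128-bit random nonce
	body, _ := json.Marshal(claims{jti.String(), htm, htu, now.Unix(), sha256b64([]byte(accessToken))})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	r, s, err := ecdsa.Sign(rand.Reader, priv, sha256b([]byte(input)))
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JOSE raw r||s
	return input + "." + b64.EncodeToString(sig), nil
}

// Verifier is the token consumer. Remembered jti values defeat replay; the cache only needs to span skew.
type Verifier struct{ seen map[string]bool; skew time.Duration }
// VerifyProof checks a proof presented with accessToken for request (htm, htu); boundJKT is the token's cnf.jkt.
func (v *Verifier) VerifyProof(proof, htm, htu, accessToken, boundJKT string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b }
	var hdr, cl, sigB = struct{ Typ, Alg string; JWK JWK }{}, claims{}, dec(parts[2])
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || json.Unmarshal(dec(parts[1]), &cl) != nil {
		return errors.New("undecodable proof")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(hdr.JWK["x"])), Y: new(big.Int).SetBytes(dec(hdr.JWK["y"]))}
	switch {
	case hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK["kty"] != "EC" || hdr.JWK["crv"] != "P-256":
		return errors.New("unexpected typ, alg or key type")
	case Thumbprint(hdr.JWK) != boundJKT: // possession: the proof key must be the key the token is bound to
		return errors.New("proof key does not match the token's cnf.jkt")
	case len(sigB) != 64 || !ecdsa.Verify(pub, sha256b([]byte(parts[0]+"."+parts[1])), new(big.Int).SetBytes(sigB[:32]), new(big.Int).SetBytes(sigB[32:])):
		return errors.New("signature does not verify under the proof key")
	case cl.HTM != htm || cl.HTU != htu || cl.ATH != sha256b64([]byte(accessToken)):
		return errors.New("proof was made for a different request or token")
	case now.Sub(time.Unix(cl.IAT, 0)).Abs() > v.skew:
		return errors.New("proof outside the freshness window")
	case v.seen[cl.JTI]:
		return errors.New("replayed proof (jti already seen)")
	}
	v.seen[cl.JTI] = true
	return nil
}

// Scenario: a legitimate login, the same proof replayed, and a thief holding the token but not the key.
func Scenario() (legitAccepted, replayRejected, thiefRejected bool) {
	const htm, htu = "SSH", "ssh://host.example" // constructed request-binding values
	now, v := time.Unix(1700000000, 0), &Verifier{map[string]bool{}, time.Minute}
	user, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	thief, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	token, jkt := "constructed-opaque-access-token", Thumbprint(pubToJWK(&user.PublicKey)) // real token: a JWT with cnf.jkt = jkt
	p, _ := MakeProof(user, htm, htu, token, now)
	tp, _ := MakeProof(thief, htm, htu, token, now) // thief holds the token but can only sign with their own key
	legitAccepted = v.VerifyProof(p, htm, htu, token, jkt, now) == nil
	replayRejected = v.VerifyProof(p, htm, htu, token, jkt, now.Add(time.Second)) != nil
	thiefRejected = v.VerifyProof(tp, htm, htu, token, jkt, now) != nil
	return
}
func main() { fmt.Println(Scenario()) }
```

Three of the checks do the work the post credits to DPoP: the thumbprint comparison is what makes a stolen token useless to anyone without the private key, `ath` ties the proof to that specific token, and the `jti` cache is what stops a captured proof from being presented twice. A practical caveat that the page does not address: sshd runs each login's PAM stack in its own forked process, so a per-process in-memory `jti` set like the one above would not see proofs verified by earlier logins; a host-side verifier needs a shared, window-bounded store for that cache.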
