oidc-ssh-ca

Getting started

  • Quickstart
    • 0. Build the binary
    • 1. Generate the CA key
    • 2. Write the policy
    • 3. Run the server
    • 4. Trust the CA on target servers
    • 5. Use it from GitHub Actions

Deployment

  • Choosing a deployment
  • Google Cloud Run
    • 1. Create the CA key and policy
    • 2. Store both in Secret Manager
    • 3. Deploy
    • Updating the policy
    • Emergency stop
  • Docker Compose + Caddy
    • Prerequisites
    • Setup
    • Operations
    • Compared to systemd
  • AWS Lambda with the AWS CLI
    • 1. Build the zip
    • 2. Create the execution role
    • 3. Create the function
    • 4. Create the Function URL
    • Operations
  • AWS Lambda with Terraform
    • 1. Build the zip
    • 2. main.tf
    • 3. Apply
    • Operations
  • systemd
    • Install
    • TLS
    • Operations

Target servers

  • Configuring target servers
    • How certificate login works
    • 1. Install the CA public key
    • 2. Authorize principals for each login user
    • 3. Configure sshd
    • 4. Validate and reload
    • 5. Test the login
    • CA key rotation
    • Doing this across many servers
  • Configuring target servers with Ansible
    • Requirements
    • Usage
    • Variables
    • Notes

Reference

  • Policy reference
    • File structure
    • Top-level fields
      • version
      • disabled
      • defaults
      • rules
    • defaults
      • defaults.valid_after_offset_seconds
      • defaults.max_valid_for_seconds
      • defaults.allowed_public_key_types
      • defaults.extensions
    • rules entries
      • name
      • enabled
      • match
      • match.jwt.issuer
      • match.jwt.audience
      • match.jwt.claims_exact
      • certificate
      • certificate.principals
      • certificate.valid_for_seconds
      • certificate.key_id_template
      • certificate.extensions
    • Matching semantics
    • key_id_template expansion
    • Validating and debugging
    • Complete example
  • The /sign API
    • Request
    • Success response
    • Error responses
  • Command reference
    • serve
    • lambda
    • check-config
    • explain
    • print-ca-pub
    • CA key sources
  • Operations
    • Audit log
    • Policy reload
    • Emergency stop
    • CA key rotation

Development

  • Building
    • Prerequisites
    • Build the binary
    • Cross-compile
    • Build the container image
    • Verify the build
    • Build the documentation
  • Testing

© Copyright 2026, Atsuo Ishimoto.
