Solve infrastructure access challenges, stop lateral movement and avoid complex SSH key, password and credential management.
Learn How Passwordless Auth and Multiple Roots of Trust Are Transforming Infrastructure Access.
Avoid the hassle of managing SSH keys and advance your security posture by using Bastion Zero for zero trust SSH.
Read unique technical insights from the BastionZero team
Learn more about BastionZero from our resource center
Learn how BastionZero works and get it working in your environment
Download BastionZero's Windows agent and Windows ZLI here
Frequently asked questions about OpenPubkey
Documentation on OpenPubkey SSH
OpenPubkey on Github Repo
Blogs, Videos, Webinars and OpenPubkey links to communities, slack channel and TSC meetings
Use OpenPubkey today to SSH to machines on your network without SSH keys.
Blog
Sharon Goldberg, CEO, BastionZero
A few days ago, Richard Barnes (from Cisco) and I submitted a new internet draft to the Internet Engineering Task Force (IETF)’s OAuth working group. (This is the very first step on the long road to publishing an RFC in the IETF internet standards process.) In the draft we introduce PIKA: Proof of Issuer Key Authority, to solve a problem relevant to OpenPubkey, OpenID Connect (OIDC) and JWTs (JSON Web Tokens) in general. PIKAs allow us to cache and redistribute an OpenID Provider (OP)’s public keys. In this blog, I’ll introduce the OpenPubkey issue that led me to get interested and start working on PIKAs, explain what PIKAs are, show how they allow OPs to provide long-lived bindings of public keys to identities, and explain why PIKAs apply to much more than just OpenPubkey.
Ethan Heilman, CTO, BastionZero
When we first released OpenPubkey, it was interoperable with many OPs (like Google and GitHub), but not with all of them. In fact, when we started this project, there was an actual technological limitation that prevented OpenPubkey from working with certain OPs, including GitLab’s OP. And support for GitLab’s OP was one of our most requested features. Well, today I’m happy to announce that last week’s release of OpenPubkey v0.3.0 smashes through this limitation. OpenPubkey now interoperates with any OpenID Provider.
Video
Ethan Heilman, CTO, BastionZero and Ann Ming Samborski, Product Management Lead, BastionZero
Hear from Ethan Heilman, CTO, BastionZero and Ann Ming Samborski, Product Management Lead, BastionZero as they discuss the highlights from the latest release of OpenPubkey (v0.3) and how you can get involved in the OpenPubkey community.
I’m happy to announce we have a new release of OpenPubkey (Release v0.3.0). I want to thank all 10 contributors whose hard work got this release over the finish line: @asamborski @EthanHeilman @lgmugnier @mrjoelkamp @jonnystoten and especially the new contributors: @johncmerfeld @kipz @tg123 @ymarcus93. OpenPubkey is a protocol for leveraging OpenID Providers (OPs) to bind identities to public keys. It adds user- or workload-generated public keys to OpenID Connect (OIDC), enabling entities to sign messages or artifacts under their OIDC identity.
Ethan Heilman, CTO at BastionZero and Jonny Stoten, Senior Software Engineer at Docker, Inc.
Giving people the ability to sign messages under their identity is extremely powerful. For instance, this functionality lets you SSH into servers, sign software artifacts, and create end-to-end encrypted communications under your single sign-on (SSO) identity. The OpenPubkey protocol and open source project brings the power of digital signatures to both people and workloads without adding trusted parties. OpenPubkey is built on the OpenID Connect (OIDC) SSO protocol, which is supported by major identity providers, including Google, Microsoft, Okta, and Facebook. This article explores how OpenPubkey works and looks at three use cases in detail.
Tune in to this on-demand webinar and hear Ivan Pedrazas, Principal Software Engineer at Docker, Inc and Lucie Mugnier, Technical Lead at BastionZero explore the basics of OpenPubkey SSH.
Single Sign-On (SSO) has become one of the most common ways for users to access applications and infrastructure. While there is a standard authentication protocol for SSO called OpenID Connect (OIDC), it’s missing a crucial security feature: the ability to bind public keys to identities. That’s why we created OpenPubkey — an open source project that enhances SSO security by introducing a cryptographic object known as a PK Token that binds public keys to identities. In this post, we’ll introduce OpenPubkey and share a few of its early use cases from Docker and BastionZero.
Product Documentation
OpenPubkey SSH enables SSH access without the need for SSH keys. Start now by following our guides in our product documentation section.
This segment, taken from Sharon Goldberg's DevOps Days Boston 2023 presentation titled "Securing your CICD Pipeline", introduces OpenPubkey. OpenPubkey was invented by the engineers and PhD cryptographers at BastionZero. We believe this technology is so foundational that we are now making it available through the OpenPubkey Linux Foundation project.
OpenPubkey Community
Join our OpenPubkey Community to learn more about what's new with OpenPubkey.
Join the OpenSSF Slack to learn more and chat with like-minded folks.
OpenPubkey community meetings happen on the third Wednesday of the month at 9AM/12PM PT/ET and run for about an hour.
OpenPubkey is the web's new technology for adding public keys to standard SSO interactions with Identity Providers (IdPs) that speak OpenID Connect (OIDC). OpenPubkey works by essentially turning an IdP into a Certificate Authority (CA). Read more in this informative blog.
Technical Steering Committee Meetings are monthly on the first Wednesday of the month from 9AM/12PM PT/ET - 10AM/1PM PT/ET.
What if you could SSH without having to worry about SSH keys? Without the need to worry about SSH keys getting lost, stolen, shared, rotated or forgotten? In this blog, I'll walk you through how you can SSH to your remote Docker setups with just your email account or Single Sign-On (SSO).