OpenPubkey is an open-source security project that bridges modern identity providers with traditional infrastructure tooling. It centers on a simple idea: turn any OpenID Connect (OIDC) ID token into a short-lived, cryptographically verifiable SSH certificate. Its flagship utility, OpenPubkey SSH, replaces long-lived SSH public keys and sprawling authorized_keys files with single-sign-on flows. Administrators map familiar identities such as alice@example.com to temporary certificates issued through Google, Azure AD, Okta, or any other OIDC-compliant directory, which gives them fine-grained access control, straightforward revocation, and an audit trail tied to corporate identity.

Because the certificates expire quickly and carry no long-term secrets, the attack surface shrinks, key rotation becomes automatic, and onboarding or off-boarding staff requires only a change of directory membership. Typical deployments include cloud fleet management, CI/CD pipeline access, container SSH gateways, and secure bastion hosts, where a traditional PKI would be cumbersome. By eliminating shared secrets and embedding user identity directly into the SSH handshake, the tool satisfies zero-trust principles while remaining transparent to end users, who continue to run the standard ssh command.

OpenPubkey’s software is available for free on get.nero.com, with downloads delivered through trusted Windows package sources such as winget, always installing the latest upstream release and supporting batch installation of multiple applications.
A tool which enables SSH to be used with OpenID Connect, allowing SSH access management via identities like alice@example.com instead of long-lived SSH keys.