A comprehensive Linux authentication solution using OpenID Connect (OIDC) that modernizes SSH, console, and GUI logins with passkey support, automatic SSH key management, and enterprise-grade audit capabilities.
- Modern Authentication: Replace SSH keys with OIDC + Passkeys
- Universal PAM Integration: Works with SSH, console, and GUI logins
- Automatic SSH Key Management: Generate, rotate, and revoke SSH keys automatically
- Enterprise Identity Integration: Support for Okta, Azure AD, Auth0, Google Workspace, AWS IAM Identity Center, and any OIDC provider
- Mobile-First UX: Authenticate via QR codes and mobile passkeys
- Comprehensive Audit: Complete access trails for compliance (SOC 2, PCI, HIPAA)
- Cloud-Native: Auto-configuration for AWS, Azure, and GCP
- Research Computing: Special features for academic and scientific computing
Traditional SSH key management is broken:
- Key Sprawl: Thousands of orphaned keys across infrastructure
- No Rotation: Keys created years ago still granting access
- No Audit Trail: No visibility into who has access to what
- Poor UX: Manual key distribution and management
- Security Gaps: No MFA, no real-time revocation
OIDC PAM provides a modern, secure, and user-friendly alternative.
┌─────────────────────────────────────────────────────────────┐
│ OIDC Provider Layer │
│ Okta/Azure AD/Auth0 + Passkeys + MFA + Groups │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Authentication Broker Layer │
│ • Device Flow Orchestration • Token Management │
│ • SSH Key Lifecycle Mgmt • Multi-Provider Support │
│ • Audit Logging • Cloud Integration │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ PAM Integration Layer │
│ SSH • Console • GUI • Automatic Key Provisioning │
└─────────────────────────────────────────────────────────────┘
- Go 1.25 or higher
- PAM development libraries
- systemd (for service management)
sudo apt update
sudo apt install -y golang libpam0g-dev build-essential
# One-line installation
curl -sSL https://raw.githubusercontent.com/scttfrdmn/oidc-pam/main/scripts/install.sh | \
OIDC_PROVIDER="https://your-provider.com" \
OIDC_CLIENT_ID="your-client-id" \
bashsudo dnf install -y golang pam-devel gcc make
# One-line installation
curl -sSL https://raw.githubusercontent.com/scttfrdmn/oidc-pam/main/scripts/install.sh | \
OIDC_PROVIDER="https://your-provider.com" \
OIDC_CLIENT_ID="your-client-id" \
bash# /etc/oidc-auth/broker.yaml
oidc:
providers:
- name: "company"
issuer: "https://company.okta.com"
client_id: "your-client-id"
scopes: ["openid", "email", "groups"]
authentication:
token_lifetime: "8h"
require_groups: ["linux-users"]
security:
audit_enabled: trueProviders that do not expose a public /.well-known/openid-configuration endpoint (such as AWS IAM Identity Center) can use skip_discovery: true to bypass OIDC discovery and supply endpoints directly:
oidc:
providers:
- name: aws-identity-center
issuer: "https://oidc.us-east-2.amazonaws.com"
skip_discovery: true
device_endpoint: "https://oidc.us-east-2.amazonaws.com/device_authorization"
token_endpoint: "https://oidc.us-east-2.amazonaws.com/token"
userinfo_endpoint: "https://oidc.us-east-2.amazonaws.com/userInfo"
jwks_uri: "https://oidc.us-east-2.amazonaws.com/.well-known/jwks.json"
client_id: "env:OIDC_CLIENT_ID"
client_secret: "env:OIDC_CLIENT_SECRET"
scopes: [openid, email, profile]See configs/providers/aws-identity-center.yaml for a complete example.
# SSH with OIDC authentication
ssh user@server.company.com
# First-time authentication flow:
# 1. QR code displayed or device URL provided
# 2. User scans QR code or visits URL on mobile device
# 3. Authenticates with passkey (Face ID/Touch ID)
# 4. SSH key automatically provisioned
# 5. SSH session established
# Subsequent access uses cached SSH key- Installation Guide
- Configuration Reference
- OIDC Provider Setup
- Cloud Deployment
- Research Computing
- Troubleshooting
git clone https://github.com/scttfrdmn/oidc-pam.git
cd oidc-pam
# Build all components
make build
# Run tests
make test
# Install development version
sudo make install-dev# Unit tests
make test
# Integration tests
make test-integration
# End-to-end tests
make test-e2eWe welcome contributions! Please see our Contributing Guide for details.
- Basic OIDC Device Flow implementation
- Core PAM module
- SSH key lifecycle management
- Basic audit logging
- Installation scripts
- Multi-provider support
- Cloud metadata integration
- Advanced policy engine
- Comprehensive audit trails
- High availability
- Performance optimization
- Complete documentation
- Enterprise certifications
| Platform | SSH | Console | GUI | Status |
|---|---|---|---|---|
| Ubuntu 22.04+ | ✅ | ✅ | ✅ | Stable |
| Ubuntu 20.04+ | ✅ | ✅ | ✅ | Stable |
| RHEL 8+ | ✅ | ✅ | ✅ | Stable |
| CentOS 8+ | ✅ | ✅ | ✅ | Stable |
| Fedora 35+ | ✅ | ✅ | ✅ | Stable |
| Debian 11+ | ✅ | ✅ | ✅ | Beta |
- Modern Cryptography: Uses current OIDC and OAuth2 standards
- Secure Token Storage: Encrypted tokens with secure key management
- Audit Logging: Complete access trails for compliance
- Zero Trust: No implicit trust, every access verified
For security issues, please see our Security Policy.
This project is licensed under the MIT License - see the LICENSE file for details.
- The OpenID Connect specification
- The OAuth2 Device Flow RFC
- The Linux PAM project
- The research computing community for guidance and feedback
Current Status: Alpha - Under active development
This project is in early development. While functional, it's not yet recommended for production use. Please test thoroughly in non-production environments.
- Discussions: GitHub Discussions
- Issues: GitHub Issues
- Wiki: Project Wiki
Built with ❤️ for the open source community