OIDC SSH login for Linux, without the gateway
Replace static SSH keys with short-lived IdP-issued tokens, validated directly at the host through PAM, without requiring a gateway or SSH certificate authority.
SSH keys get copied, shared, and never rotated. When someone leaves, finding all their access is archaeology. Enterprise MFA stops at the browser — you need it for email but not for root on production.
prmana bridges this gap by bringing OIDC (the same protocol behind "Sign in with Google/Microsoft/Okta") to Linux PAM, with DPoP token binding to prevent token theft.
- Kill static SSH keys without forcing a full access platform rollout
- Keep direct-to-host SSH instead of routing everything through a proxy
- Reuse your existing IdP (Keycloak, Okta, Azure AD, Auth0, Google) for Linux login
- Get proof-of-possession with DPoP — not just bearer-token login
- Stay Linux-native with PAM at the host boundary
- Start small on a few hosts before deciding whether you need more
Most alternatives fall into one of three buckets:
- Access platforms that introduce a proxy, gateway, or managed control plane
- SSH certificate systems that add a CA and cert lifecycle layer
- Simpler PAM/OIDC modules that provide SSO but not strong proof-of-possession
prmana takes a different path: OIDC-backed login directly at the Linux host, with DPoP-bound authentication for stronger token handling. No gateway. No SSH CA. No static keys.
prmana is not a session recording platform, a universal infrastructure access proxy, or a full privileged-access management suite. It is a focused tool for SSH login.
```text
  User's Machine                              Linux Server
┌─────────────────────┐                    ┌─────────────────────┐
│ prmana-agent        │        SSH         │ sshd                │
│ ┌───────────────┐   │ ──────────────▶    │ ┌───────────────┐   │
│ │ OIDC token    │   │                    │ │ PAM module    │   │
│ │ + DPoP proof  │   │                    │ │ (pam_prmana)  │   │
│ └───────────────┘   │                    │ └───────────────┘   │
└─────────────────────┘                    └─────────────────────┘
          │                                          │
          ▼                                          ▼
┌─────────────────────┐                    ┌─────────────────────┐
│ Identity Provider   │                    │ Token validation    │
│ (Keycloak/Okta/     │                    │ + DPoP verify       │
│  Azure AD/Auth0)    │                    │ + JWKS cache        │
└─────────────────────┘                    └─────────────────────┘
```
1. prmana-agent on the user's machine acquires an OIDC token from your IdP (device flow or authorization code + PKCE)
2. The agent generates a DPoP proof binding the token to an ephemeral key pair
3. On SSH connection, the server's PAM module validates the token signature, issuer, audience, expiration, and DPoP binding
4. If validation passes and the username maps to a local account (via SSSD), authentication succeeds
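The checks in step 3 are the heart of the design, so here is an added example of them in Python. It is not prmana's code (prmana is Rust; see pam-prmana below) and it assumes a few things: the access token carries a `cnf.jkt` confirmation claim as RFC 9449 specifies, the issuer URL and audience are placeholder values, the tokens are constructed inline, and signature verification is delegated to two callbacks because the standard library has no ES256 (a real verifier checks the access token against the IdP's JWKS and the proof against the JWK in its own header). What the example shows beyond the bullet list is the order of the checks, the RFC 7638 thumbprint that ties the proof key to the token, and the replay cache on `jti`.

```python
# Added example, not prmana's code: the claim and proof-of-possession checks a host-side
# verifier makes on an OIDC access token and its DPoP proof (RFC 9449). Signature checks are
# delegated to callbacks (stdlib has no ES256): token against IdP JWKS, proof against its JWK.
import base64, hashlib, json, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an EC public JWK: SHA-256 over the required members, sorted."""
    members = {"crv": jwk["crv"], "kty": jwk["kty"], "x": jwk["x"], "y": jwk["y"]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode()
    return b64url_encode(hashlib.sha256(canonical).digest())

def split_jws(token: str):
    parts = token.split(".")  # returns (header, payload, signing_input, signature)
    if len(parts) != 3:
        raise ValueError("compact JWS must have three segments")
    header, payload = (json.loads(b64url_decode(p)) for p in parts[:2])
    return header, payload, f"{parts[0]}.{parts[1]}".encode(), b64url_decode(parts[2])

class JtiCache:
    def __init__(self):
        self._seen = {}  # jti -> time after which a replay would fail the iat check anyway
    def first_use(self, jti, expires_at, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if jti in self._seen:
            return False
        self._seen[jti] = expires_at
        return True

def validate_dpop_login(access_token, dpop_proof, *, issuer, audience, verify_token_sig,
                        verify_proof_sig, jti_cache, now=None, skew=60):
    """Return the token subject, or raise ValueError naming the first failed check."""
    now = time.time() if now is None else now
    # 1. Access token: alg allow-list, signature, iss/aud/exp, and a cnf.jkt binding.
    hdr, claims, tok_input, tok_sig = split_jws(access_token)
    if hdr.get("alg") not in ("ES256", "RS256", "PS256"):
        raise ValueError("access token alg not allowed")
    if not verify_token_sig(hdr, tok_input, tok_sig):
        raise ValueError("access token signature invalid")
    if claims.get("iss") != issuer:
        raise ValueError("access token issuer mismatch")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("access token audience mismatch")
    if claims.get("exp", 0) <= now - skew:
        raise ValueError("access token expired")
    jkt = (claims.get("cnf") or {}).get("jkt")
    if not jkt:
        raise ValueError("access token is not DPoP-bound")
    # 2. DPoP proof: typ/alg, public JWK only, signature, freshness, key binding, replay.
    phdr, pclaims, p_input, p_sig = split_jws(dpop_proof)
    if phdr.get("typ") != "dpop+jwt" or phdr.get("alg") != "ES256":
        raise ValueError("DPoP proof typ/alg not allowed")
    jwk = phdr.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk:
        raise ValueError("DPoP proof must carry a public JWK")
    if not verify_proof_sig(jwk, p_input, p_sig):
        raise ValueError("DPoP proof signature invalid")
    iat = pclaims.get("iat", 0)
    if abs(now - iat) > skew:
        raise ValueError("DPoP proof iat outside allowed skew")
    if jwk_thumbprint(jwk) != jkt:
        raise ValueError("proof key does not match token binding")
    if not jti_cache.first_use(str(pclaims.get("jti")), iat + skew, now):
        raise ValueError("DPoP proof replayed")
    return claims["sub"]

# Constructed sample, not a real IdP token: ACCEPT_ANY stands in for ES256 verification in this
# demo only, and the public key is the P-256 example key from RFC 7515 appendix A.3.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
ACCEPT_ANY = lambda _key, _input, _sig: True
ISSUER, AUDIENCE = "https://idp.example.com/realms/ssh", "prmana-ssh"  # assumed values

def make_jws(header, payload):
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    return ".".join(segs + [b64url_encode(b"placeholder-signature")])

def demo(case="ok"):
    # One scenario on constructed tokens; returns the subject or the rejection reason.
    now = 1_700_000_000
    token = make_jws({"alg": "ES256", "kid": "idp-key-1"}, {
        "iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": now - 3600 if case == "expired" else now + 300,
        "cnf": {"jkt": "not-the-agents-key" if case == "wrong-key" else jwk_thumbprint(SAMPLE_JWK)}})
    proof = make_jws({"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK},
                     {"jti": "8c1c2c6e", "iat": now - 600 if case == "stale-proof" else now})
    cache, sub = JtiCache(), None
    try:
        for _ in range(2 if case == "replay" else 1):
            sub = validate_dpop_login(token, proof, issuer=ISSUER, audience=AUDIENCE, jti_cache=cache,
                                      verify_token_sig=ACCEPT_ANY, verify_proof_sig=ACCEPT_ANY, now=now)
        return sub
    except ValueError as err:
        return str(err)
```

Two design points worth noting: the proof's embedded JWK is rejected if it carries a private component (`d`), and the `jti` cache only needs to remember identifiers for `skew` seconds, because anything older already fails the `iat` freshness check. A real host-side verifier also has to pin the accepted algorithms (never `none`) before calling into any signature library, which is why the allow-list check comes first.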
| Component | Purpose |
|---|---|
| prmana-core | Shared OIDC discovery and JWKS primitives |
| pam-prmana | PAM module: token validation, DPoP verification, break-glass |
| prmana-agent | Client-side agent: token acquisition, DPoP proof generation |
DPoP proofs can be bound to hardware security keys for stronger assurance:
- Software signer: ephemeral P-256 key pair (default)
- YubiKey: PKCS#11, built with `--features yubikey`
- TPM 2.0: platform TPM, built with `--features tpm` (Linux)
- A Linux server with OpenSSH and PAM
- An OIDC identity provider (Keycloak, Okta, Azure AD, Auth0, Google)
- Rust toolchain for building from source
```shell
# Build in release mode so the artifacts land in target/release/
cargo build --workspace --release

# Install the PAM module (the security module directory varies by distro;
# Debian/Ubuntu use /lib/x86_64-linux-gnu/security/, check `ls /lib*/security`)
sudo cp target/release/libpam_prmana.so /lib/security/pam_prmana.so

# Install the agent
cp target/release/prmana-agent ~/.local/bin/

# Configure
sudo mkdir -p /etc/prmana
sudo cp examples/policy.yaml /etc/prmana/policy.yaml
# Edit policy.yaml with your issuer URL and client ID
```

```shell
# On the client machine
prmana-agent login

# Then SSH normally
ssh user@server
```

See the installation guide for detailed setup including IdP configuration, SSSD integration, and break-glass access.
| Guide | Description |
|---|---|
| Installation | Full setup guide |
| PAM Integration | PAM module configuration |
| Security Guide | Hardening and threat model |
| Hardware Key Setup | YubiKey and TPM configuration |
| Break-Glass | Emergency access procedures |
| Keycloak Reference | Keycloak DPoP setup |
| Entra ID Setup | Azure Entra ID configuration |
| Community Testing | Testing on various platforms |
Design decisions are documented in docs/adr/.
See CONTRIBUTING.md for development setup and guidelines.
```shell
# Run tests
cargo test --workspace

# Lint
cargo clippy --workspace -- -D warnings

# Format
cargo fmt --all
```

We'd love your feedback: questions, ideas, bug reports, or just sharing how you're using prmana.
- GitHub Discussions — ask questions, share ideas
- Issues — bug reports and feature requests
See SECURITY.md for vulnerability reporting.
Important: Always configure break-glass access before deploying to production. Getting locked out of servers because your IdP is down is a catastrophic failure mode.
Pramana (Sanskrit: प्रमाण, pramāṇa) means "proof" and "means of knowledge" — the classical Indian epistemological framework for how you know something is true. The six pramanas are the valid means by which accurate knowledge is acquired: direct perception, inference, testimony, comparison, postulation, and proof by absence.
For this project, the connection is literal: DPoP is a pramana — cryptographic proof-of-possession, not just a bearer token asserting identity.
Apache-2.0. See LICENSE.