πŸ’»Accessing Your Remote Host

The following guide covers how to access your remote host using OpenPubkey SSH.

OpenPubkey SSH (OPK SSH) is fully compatible with existing workflows for accessing a remote host with SSH. To access your host through OPK SSH, you will first log in with the ZLI and then can ssh using your local terminal.

If you have not installed the ZLI on your local machine yet, instructions are below.

LogoInstalling the ZLIProduct Docs
Use this link to view instructions on installing the ZLI.

  1. Log in using the ZLI from your local terminal.

    zli login --opk

  2. Assuming the remote host you would like to access is already configured and tested, ensure you have removed your traditional SSH keys that allowed access to your remote host prior to OPK SSH setup. If not, see Remove Your SSH Keys for help with this.

  3. SSH to your box using ssh from your local terminal. This may look like ssh ec2-user@my-aws-host.

For dd support so the user can type in the sudoer password when we run the opk-ssh validator script on the remote server. The user indicated this can be done by adding the β€˜-t’ option to our remote ssh command invocation.

Depending on which OS you're running the ZLI on, you may see a notification when you execute zli login --opk for the first time asking to permit opk_ssh_login to accept incoming network connections. To use OPK SSH, you must click "Accept."

What Does The Login Command Do?

This login command does the following:

  • It will redirect you to a Google login page in a browser window, where you should authenticate as you would regularly when logging in to Google (username and password).

  • Once logged in, your Google ID token is used to create a PK Token.

  • This token is then used to generate an SSH certificate. The ZLI saves this certificate to a default key in your SSH directory (~/.ssh) and is used in place of traditional SSH certificates to grant SSH access to a remote host.

The SSH certificate generated by OPK SSH is only valid until your id_token expires (this is controlled by your OP - Google in this case - and is typically limited to 1 hour). When your id_token expires, OPK SSH will use your refresh token to get a new id_token and generate a new SSH certificate. Re-authentication is required when your refresh token expires.

Product feedback? Send us a note at [email protected].

PreviousManaging Personal & Collaborative AccessNextTroubleshooting

Last updated