💻Accessing Your Remote Host

The following guide covers how to access your remote host using OpenPubkey SSH.

OpenPubkey SSH (OPK SSH) is fully compatible with existing workflows for accessing a remote host with SSH. To access your host through OPK SSH, first log in with the ZLI; you can then ssh from your local terminal.

If you have not installed the ZLI on your local machine yet, instructions are below.


  1. Log in using the ZLI from your local terminal.

    zli login --opk
  2. Assuming the remote host you would like to access is already configured and tested, ensure you have removed your traditional SSH keys that allowed access to your remote host prior to OPK SSH setup. If not, see Remove Your SSH Keys for help with this.

  3. SSH to your box using ssh from your local terminal. This may look like ssh ec2-user@my-aws-host.
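
One way to confirm step 2, as an added example that is not part of the original guide or of the ZLI tooling: the function below, run on the remote host, lists the key entries still present in an authorized_keys file. It assumes your traditional keys were granted through that file; the function names and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list key entries left in an authorized_keys file.
# Output: "<line> <static|ca> <key-type> <comment>"; returns 1 if a static key remains.
audit_authorized_keys() {
    local file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        {
            for (i = 1; i < NF; i++) {
                # a key type followed by a base64 blob; earlier fields are options
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/ && $(i + 1) ~ /^AAAA/) {
                    opts = ""; for (j = 1; j < i; j++) opts = opts " " $j
                    kind = (opts ~ /cert-authority/) ? "ca" : "static"
                    comment = ""; for (j = i + 2; j <= NF; j++) comment = comment " " $j
                    printf "%d %s %s%s\n", NR, kind, $i, comment
                    if (kind == "static") found = 1
                    next
                }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$file"
}

# Constructed sample file (key blobs are placeholders, not real keys).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholder alice@laptop
command="/usr/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EConstructedPlaceholder backup job
cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedCA ca@example
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_authorized_keys "$sample" || echo "static keys remain; remove them before relying on OPK SSH"
rm -f "$sample"
```

Entries reported as static grant access regardless of your OPK SSH login, so each one should be removed or explicitly justified; point the function at the real file, for example the authorized_keys of the account you log in as.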

For dd support so the user can type in the sudoer password when we run the opk-ssh validator script on the remote server. The user indicated this can be done by adding the ‘-t’ option to our remote ssh command invocation.

Depending on which OS you're running the ZLI on, you may see a notification when you execute zli login --opk for the first time asking to permit opk_ssh_login to accept incoming network connections. To use OPK SSH, you must click "Accept."

What Does The Login Command Do?

This login command does the following:

  • It will redirect you to a Google login page in a browser window, where you should authenticate as you would regularly when logging in to Google (username and password).

  • Once logged in, your Google ID token is used to create a PK Token.

  • This token is then used to generate an SSH certificate. The ZLI saves this certificate to a default key in your SSH directory (~/.ssh), where it is used in place of traditional SSH certificates to grant SSH access to a remote host.

The SSH certificate generated by OPK SSH is only valid until your id_token expires (this is controlled by your OP - Google in this case - and is typically limited to 1 hour). When your id_token expires, OPK SSH will use your refresh token to get a new id_token and generate a new SSH certificate. Re-authentication is required when your refresh token expires.

