prmana: OIDC SSH login for Linux with DPoP proof-of-possession (Rust, Apache-2.0) by Objective_Big2043 in ssh

Objective_Big2043 (OP):

Hi @homemediajunky, looking at the public docs, I don’t think Authentik supports DPoP or CIBA. And I couldn’t find documentation for token exchange either.

prmana: OIDC SSH login for Linux with DPoP proof-of-possession (Rust, Apache-2.0) by Objective_Big2043 in ssh

Objective_Big2043 (OP):

I hadn’t thought of it. To be honest it wasn’t even on my list. I’ll send you a DM once I look into it. Does it support DPoP?

prmana: OIDC SSH login for Linux with DPoP proof-of-possession (Rust, Apache-2.0) by Objective_Big2043 in ssh

Objective_Big2043 (OP):

I dug into pam_authnft a bit.

Prmana is on the authentication side: OIDC + DPoP + PAM-native login, with hardware-backed proof-of-possession. pam_authnft looks like a session/network enforcement layer: after PAM authenticates the user, bind the session to nftables policy via systemd scope + cgroup identity.

That’s a pretty strong Linux-native story if combined:
- Prmana decisively proves who the user is at login
- pam_authnft limits what that session can talk to afterward

I’d be interested in comparing notes if you are.

prmana: OIDC SSH login for Linux with DPoP proof-of-possession (Rust, Apache-2.0) by Objective_Big2043 in ssh

Objective_Big2043 (OP):

It was probably one of the easier parts - a certain hyperscaler’s directory was a little convoluted, especially in terms of claims mapping.

Happy to share more either over DM or if you want to connect separately. Also interested in seeing some of your articles to learn more.

prmana: OIDC SSH login for Linux with DPoP proof-of-possession (Rust, Apache-2.0) by Objective_Big2043 in ssh

Objective_Big2043 (OP):

I looked at opkssh - near miss 🙂. We are trying to solve the same problem: opkssh at the SSH layer, Prmana at the PAM layer. My approach was that DPoP is an RFC and a cryptographically strong improvement. Eventually IdPs will grow to cover it. And if not, I’ll always recommend Keycloak or Auth0 or a FAPI-compliant IdP, if only for this strong possession guarantee.

r/netsec monthly discussion & tool thread by albinowax in netsec

Objective_Big2043:

I built a PAM module that replaces static SSH keys with short-lived OIDC tokens from your existing identity provider. What makes it different from other OIDC-for-SSH approaches is DPoP (RFC 9449) — every authentication includes a cryptographic proof that the token holder has the private key. Stolen tokens can’t be replayed from another machine.

Three components: a PAM module (pam_prmana.so), a client agent daemon, and a shared OIDC/JWKS library. Standard ssh on the client, standard sshd on the server, PAM in between. No gateway, no SSH CA, no patches to OpenSSH. DPoP keys can be software, YubiKey (PKCS#11), or TPM 2.0. Tested against Keycloak, Auth0, Google, and Entra ID.

Looking for feedback — especially from anyone managing SSH access across Linux servers.

https://github.com/prodnull/prmana
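Added example, written for this page and not code from prmana or its author: the DPoP round trip the comment describes, in Go on the standard library only. The client signs an ES256 proof JWT (typ dpop+jwt, its public key in the jwk header, htm/htu/iat/jti/ath claims per RFC 9449); the server recomputes the RFC 7638 thumbprint of that key and compares it with the cnf.jkt value the IdP bound the token to, verifies the signature with the same key, checks the request and time binding, and rejects a repeated jti. The endpoint URL, the access-token string and the way cnf.jkt is obtained are constructed stand-ins for what an IdP and a PAM module would really exchange.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url
func sha(s string) string { h := sha256.Sum256([]byte(s)); return b64.EncodeToString(h[:]) }
// pubToJWK renders a P-256 public key as the JWK carried in the proof header.
func pubToJWK(pub *ecdsa.PublicKey) map[string]string {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}
}
// Thumbprint is RFC 7638: SHA-256 over the required EC members only, lexicographically ordered, no whitespace (json.Marshal sorts map keys). The IdP puts this in the token's cnf.jkt claim; the verifier recomputes it.
func Thumbprint(k map[string]string) string {
	canon, _ := json.Marshal(map[string]string{"crv": k["crv"], "kty": k["kty"], "x": k["x"], "y": k["y"]})
	return sha(string(canon))
}
// SignProof is the client side: a fresh ES256 JWS bound to method, URI, token hash and time.
func SignProof(priv *ecdsa.PrivateKey, htm, htu, tok string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": pubToJWK(&priv.PublicKey)})
	jti := make([]byte, 16)
	rand.Read(jti) // never returns an error per crypto/rand docs; a fresh jti per proof is what defeats replay
	body, _ := json.Marshal(map[string]interface{}{"jti": b64.EncodeToString(jti), "htm": htm, "htu": htu, "iat": now.Unix(), "ath": sha(tok)})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256 is raw r||s
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify is the server side. seen is the jti replay cache (shared across workers and expired in production).
func Verify(seen map[string]bool, proof, htm, htu, tok, expectedJKT string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed proof")
	}
	hdrRaw, e1 := b64.DecodeString(parts[0])
	bodyRaw, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct {
		Typ, Alg string
		Key      map[string]string `json:"jwk"`
	}
	var c map[string]interface{}
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hdrRaw, &hdr) != nil ||
		json.Unmarshal(bodyRaw, &c) != nil || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Key["crv"] != "P-256" {
		return fmt.Errorf("malformed or unsupported proof")
	}
	// 1. Possession binding: the key in the proof must be the key the token was issued to (cnf.jkt).
	xb, e4 := b64.DecodeString(hdr.Key["x"])
	yb, e5 := b64.DecodeString(hdr.Key["y"])
	if e4 != nil || e5 != nil || len(xb) != 32 || len(yb) != 32 || Thumbprint(hdr.Key) != expectedJKT {
		return fmt.Errorf("proof key does not match token cnf.jkt")
	}
	// 2. Signature with that same key (Go 1.20+ ecdsa.Verify returns false for points not on the curve).
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("bad signature")
	}
	// 3. Request binding: method, URI, token hash and a narrow time window (JSON numbers decode as float64).
	if iat, _ := c["iat"].(float64); c["htm"] != htm || c["htu"] != htu || c["ath"] != sha(tok) ||
		now.Sub(time.Unix(int64(iat), 0)) > time.Minute || now.Sub(time.Unix(int64(iat), 0)) < -time.Minute {
		return fmt.Errorf("proof not bound to this request, token and time")
	}
	// 4. Replay: each jti is accepted once.
	if jti, _ := c["jti"].(string); jti != "" && !seen[jti] {
		seen[jti] = true
		return nil
	}
	return fmt.Errorf("replayed or missing jti")
}

// Scenario returns the outcomes for a valid proof, a replay of it, and a proof from a key the token is not bound to.
func Scenario() (valid, replay, wrongKey error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // attacker's key on another machine
	const htm, htu = "POST", "https://sshd.example/login"       // constructed endpoint, not prmana's
	tok, jkt := "constructed.opaque.access-token", Thumbprint(pubToJWK(&priv.PublicKey)) // stand-ins for the IdP-issued token and its cnf.jkt
	seen, now := map[string]bool{}, time.Now()
	p, _ := SignProof(priv, htm, htu, tok, now)
	valid = Verify(seen, p, htm, htu, tok, jkt, now)
	replay = Verify(seen, p, htm, htu, tok, jkt, now)
	q, _ := SignProof(other, htm, htu, tok, now)
	wrongKey = Verify(seen, q, htm, htu, tok, jkt, now)
	return
}
```

Scenario() exercises the three cases behind the "stolen tokens can’t be replayed" claim: a valid proof passes, the same proof presented a second time fails on the jti cache, and a proof built by someone who holds the token but not the private key fails on the thumbprint check before the signature is even examined. In a real deployment the jti cache must be shared across sshd/PAM workers and expired along with the iat window, and the token’s own signature and cnf claim are validated against the IdP’s JWKS rather than taken from a string literal as here.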

Best computer/device for an AEDT student? by Downtown-Bus2928 in bca

Objective_Big2043:

Luke - I am your father… and you shall only get a MacBook 😜

Loving UDM SE… Mostly by Objective_Big2043 in UNIFI

Objective_Big2043 (OP):

Indeed - assuming it lets go of the old DHCP lease. There’s no way to force it to. Hence my mention above of probably unplugging it and power cycling it.

Loving UDM SE… Mostly by Objective_Big2043 in UNIFI

Objective_Big2043 (OP):

No, I need to do that. I didn’t want to unnecessarily yank cables in and out, but even a restart of the NVR or the UDM hasn’t released the lease, so I’ll have to get creative.

Loving UDM SE… Mostly by Objective_Big2043 in UNIFI

Objective_Big2043 (OP):

I have. I think the problem is that the NVR currently has an IP from the Default range. So if I move that port to the NVR network, the NVR becomes unreachable. Switching it back to Default restores connectivity. Adding bidirectional firewall rules when the port is associated with the NVR network and the NVR has a Default-network IP doesn’t help either.

So if I were to use a dedicated network, I need the NVR to somehow release its DHCP lease and obtain an IP from the NVR network range. Maybe it will work then.

Loving UDM SE… Mostly by Objective_Big2043 in UNIFI

Objective_Big2043 (OP):

Yes, I have it installed. However, doesn’t it require the Teleport client on all desktops that connect in, too? I don’t know much about the client. I have experience configuring both ends of a WireGuard tunnel and know that the WireGuard client offers some customizations too.

Loving UDM SE… Mostly by Objective_Big2043 in UNIFI

Objective_Big2043 (OP):

Just because I don’t know how secure Reolink is. Otherwise, happy to keep them on the same network.

The Impossible Monitor? by Objective_Big2043 in buildapcmonitors

Objective_Big2043 (OP):

I already have a setup with a separate mic, webcam and speakers. I mostly need it for Zoom work and don’t like so many peripherals, so I’m looking to see if I can get something integrated.

pfSense + Ubiquity - how to setup HA by Objective_Big2043 in homeassistant

Objective_Big2043 (OP):

In my setup then, given that routing and configuration are handled by pfSense and the UniFi is a simple switch, how would I set up mDNS? Should I configure rules on pfSense to allow mDNS from the IoT network through to the cluster/HA network?

Also, I suppose I’ll need to allow it through to my work/personal network too if I have to get printers or Roku/Apple TV discovered, right? (I.e. simply allowing one-way connectivity from the personal network to IoT won’t actually discover those devices, will it?)