How to configure new users for OPKSSH

Assuming both sides (server and user) already installed opkssh.

Server side

Run the script user_creation.sh with the user's shortname as its only argument:

sudo user_creation.sh <shortname>

User side

  • [ ] Create the config file:
    # This creates the config file at:
    #   Windows:     C:\Users\<USER>\.opk\config.yml
    #   Linux/macOS: ~/.opk/config.yml
    opkssh login --create-config
    
  • [ ] Edit the config by replacing the current content with the following (indentation matters in YAML: each provider's keys must be indented under its "- alias" entry, otherwise the file does not parse):
    default_provider: eduid

    providers:
      - alias: azure
        issuer: https://login.microsoftonline.com/d6a1cf8c-768e-4187-a738-b6e50c4deb4a/v2.0
        client_id: e9cb7d7e-39df-4e43-8cbf-ab796044132e
        scopes: openid profile email offline_access
        access_type: offline
        prompt: select_account # Use select_account if you have multiple Microsoft accounts in your browser, otherwise use 'none' (optional).
        redirect_uris:
          - http://localhost:3000/login-callback
          - http://localhost:10001/login-callback
          - http://localhost:11110/login-callback

      - alias: eduid
        issuer: https://login.eduid.ch/
        client_id: bfh_oidc_client_43155
        scopes: openid profile email offline_access
        access_type: offline
        redirect_uris:
          - http://localhost:3000/login-callback
          - http://localhost:10001/login-callback
          - http://localhost:11110/login-callback

  • [ ] Log in using: opkssh login -i path/to/ssh_folder/bfh_opkssh_access. This opens the browser to perform the authentication; log in with the BFH account.
  • [ ] If the user has already been added and created on the server, connect to it with: ssh -o "IdentitiesOnly=yes" -i path/to/bfh_opkssh_access <user>@<server> (the path is to the private key, not the public one). From the docs on creating custom keys: 'We recommend specifying -o "IdentitiesOnly=yes" as it tells ssh to only use the provided key. Otherwise ssh will cycle through other keys in ~/.ssh first and may not get to the specified ones. Servers are configured to only allow 6 attempts by default; the config key is MaxAuthTries 6.'

  • [ ] Tell the user that they have to run opkssh login -i path/to/ssh_folder/bfh_opkssh_access again if they have not logged in for more than 24h (each generated key expires after 24h).

Custom key name recommendation: bfh_opkssh_access
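Added example, not part of the original page or of the opkssh project: a small POSIX sh wrapper that combines the two user-side rules above, re-running opkssh login only when the key is missing or older than the 24h lifetime, and then connecting with IdentitiesOnly=yes so ssh does not burn MaxAuthTries attempts on other keys. It assumes that opkssh login -i KEY rewrites the key file at KEY, so the file's modification time is a usable approximation of the key's issue time; the user and host names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page or the opkssh project).
# Assumption: "opkssh login -i KEY" writes a fresh key file at KEY, so the
# file's mtime approximates when the 24h key lifetime started.

KEY_MAX_AGE_MIN=1440   # 24 hours, the key lifetime stated on the page

# key_is_stale FILE
# Returns 0 (true) when FILE is missing or was modified more than 24h ago,
# 1 (false) when the key is still within its lifetime.
key_is_stale() {
    key="$1"
    [ -f "$key" ] || return 0
    # find prints the path only when the mtime is older than KEY_MAX_AGE_MIN minutes
    [ -n "$(find "$key" -mmin +"$KEY_MAX_AGE_MIN" 2>/dev/null)" ]
}

# opkssh_connect FILE USER@HOST [extra ssh arguments...]
# Refreshes the key through the browser login if it is stale, then opens the
# SSH session using only that identity, as the page recommends.
opkssh_connect() {
    key="$1"
    target="$2"
    shift 2
    if key_is_stale "$key"; then
        echo "key $key is missing or older than 24h; running opkssh login" >&2
        opkssh login -i "$key" || return 1
    fi
    ssh -o "IdentitiesOnly=yes" -i "$key" "$target" "$@"
}

# Usage with placeholder names (key name as recommended on the page):
#   opkssh_connect ~/.ssh/bfh_opkssh_access <user>@<server>
```

Sourcing this file and calling opkssh_connect saves the user from a failed ssh attempt with an expired key; the mtime heuristic errs on the safe side, since a stale check only costs one extra browser login.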