About
prmana replaces static SSH keys with short-lived OIDC tokens validated at the host through PAM. What makes it different from other OIDC-for-SSH approaches is DPoP (RFC 9449) — every authentication includes a cryptographic proof that the token holder has the private key. Stolen tokens can't be replayed.

Three components: a PAM module (pam_prmana.so), a client agent (prmana-agent), and a shared OIDC/JWKS library (prmana-core). All Rust.

DPoP keys can be software, YubiKey (PKCS#11), or TPM 2.0. No gateway, no SSH CA, no patches to sshd. Standard ssh client, standard sshd, PAM in between.

Tested against Keycloak, Auth0, Google, and Entra ID.

The name is from Sanskrit — pramana (प्रमाण) means "proof."