A thin shim that transparently wires opkssh
into your normal ssh workflow. Alias it as ssh and forget it's there — the
wrapper silently ensures your ephemeral OpenPubKey identity is fresh before
every connection, then hands all arguments through to the real ssh unchanged.
When you run ssh user@host:
- The wrapper checks whether a valid, non-expired opkssh ephemeral key exists.
- If the key is missing or expired, it calls
opkssh login(opens a browser for OIDC authentication). - It prepends
-o IdentitiesOnly=yes -i <key_path>to your arguments. - It
execs the realsshbinary with your original arguments intact.
Your SSH experience is unchanged. Every flag, host pattern, and ~/.ssh/config
option continues to work exactly as before.
Use it exactly like ssh:
ssh user@host
ssh -p 2222 -A user@host
ssh -J bastion user@internal
git push origin main # works transparently via GIT_SSH / core.sshCommand
rsync -avz src/ user@host:dst/If your key has expired and a terminal is available, you will be prompted to
authenticate. In non-interactive contexts (CI, rsync, git) the wrapper
exits with an error and tells you to run opkssh login first.
- Python 3.10 or later
opksshinstalled and on$PATH
pipx (recommended — keeps the tool isolated):
pipx install opkssh-wrapperpip (system or virtual environment):
pip install opkssh-wrapperStandalone binary (no Python required at runtime):
Pre-built binaries may be available on the
Releases page. Download, mark executable, and place on your
$PATH:
chmod +x opkssh-wrapper
mv opkssh-wrapper ~/.local/bin/The preferred way to use opkssh-wrapper is to alias ssh to it so that every
SSH invocation goes through the wrapper automatically.
Choose the section for your shell below. Add the shown snippet to your shell's
startup file, then open a new terminal (or source the file) to activate it.
Add to ~/.bashrc:
alias ssh='opkssh-wrapper'
# Keep tab-completion working on the alias.
# bash-completion defines _ssh; redirect that spec to cover the alias name too.
if declare -F _ssh > /dev/null 2>&1; then
complete -F _ssh ssh
fiNote: The
completeline above re-binds the_sshcompletion function to the alias. If bash-completion loads_sshlazily (common in many distributions), this line is a no-op on the first shell start but will take effect once_sshhas been loaded for the first time. To force it reliably, load the ssh completion before thecompletecall:alias ssh='opkssh-wrapper' # Eagerly load ssh completions, then apply to the alias _completion_loader ssh 2>/dev/null || true if declare -F _ssh > /dev/null 2>&1; then complete -F _ssh ssh fi
Add to ~/.zshrc:
alias ssh='opkssh-wrapper'
# Tell zsh to use ssh's completion spec for the alias.
# This must appear after compinit has run.
compdef opkssh-wrapper=sshIf you use a framework such as Oh My Zsh or Prezto, place these lines
after the framework is sourced (e.g. after source $ZSH/oh-my-zsh.sh).
Add to ~/.config/fish/config.fish:
alias ssh 'opkssh-wrapper'Then create a completions file so that typing ssh <Tab> delegates to fish's
built-in SSH completions:
mkdir -p ~/.config/fish/completions
cat > ~/.config/fish/completions/opkssh-wrapper.fish <<'EOF'
# Reuse all SSH completions for opkssh-wrapper
complete -c opkssh-wrapper -w ssh
EOFBecause the fish alias command creates a shell function named ssh, fish
will automatically use existing ssh completions when you type ssh <Tab>.
The completions file above additionally provides completions when you invoke
opkssh-wrapper directly.
To persist the alias across sessions:
funcsave sshCreate ~/.config/opkssh-wrapper/config.toml to override defaults:
# Path to the opkssh binary (default: "opkssh", resolved via $PATH)
opkssh_path = "opkssh"
# Path to the real ssh binary (default: auto-detected, skipping the shim)
# ssh_path = "/usr/bin/ssh"
# Path to the ephemeral private key written by opkssh (default: ~/.ssh/id_ecdsa)
key_path = "~/.ssh/id_ecdsa"
# How many hours a freshly-issued key is considered valid (default: 24)
key_ttl_hours = 24
# Seconds to wait for the key file to appear on disk after login (default: 10)
key_wait_timeout = 10
# Seconds before opkssh login is forcibly killed (default: 120)
login_timeout = 120
# If true, attempt browser login even in non-interactive contexts (default: false)
aggressive_login = false