Tuesday, April 14, 2026
Show HN: Prmana – OIDC SSH Login for Linux with DPoP (Rust, Apache 2.0) https://ift.tt/h5bQpuD
prmana replaces static SSH keys with short-lived OIDC tokens validated at the host through PAM. What makes it different from other OIDC-for-SSH approaches is DPoP (RFC 9449) — every authentication includes a cryptographic proof that the token holder has the private key. Stolen tokens can't be replayed.

Three components: a PAM module (pam_prmana.so), a client agent (prmana-agent), and a shared OIDC/JWKS library (prmana-core). All Rust. DPoP keys can be software, YubiKey (PKCS#11), or TPM 2.0.

No gateway, no SSH CA, no patches to sshd. Standard ssh client, standard sshd, PAM in between. Tested against Keycloak, Auth0, Google, and Entra ID.

The name is from Sanskrit — pramana (प्रमाण) means "proof."

https://ift.tt/8Lhj5BI

April 13, 2026 at 11:51PM
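Added illustration of the key-binding check the announcement relies on (this is not prmana's code; prmana is Rust, this uses Go's standard library so it runs without external crates): the client signs a DPoP proof with its private key, and the host accepts the access token only if the key embedded in the proof hashes to the token's cnf.jkt thumbprint, the signature verifies under that key, the bound action matches, and the jti has not been seen. The htm/htu values used below are constructed placeholders; RFC 9449 defines them for HTTP requests, and how an SSH login is mapped onto them is an assumption, not something the post states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var enc = base64.RawURLEncoding // JOSE base64url, no padding
func coord(i *big.Int) string { return enc.EncodeToString(i.FillBytes(make([]byte, 32))) }
func dec(s string) []byte     { b, _ := enc.DecodeString(s); return b }
// Thumbprint is the RFC 7638 JWK thumbprint that a DPoP-bound access token carries as cnf.jkt.
func Thumbprint(pub *ecdsa.PublicKey) string {
	h := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, coord(pub.X), coord(pub.Y))))
	return enc.EncodeToString(h[:])
}
// MakeProof is the client side: an ES256 proof JWT whose header embeds the public key and whose
// payload binds the action (htm/htu) plus a one-time jti. JWS ES256 signatures are raw r||s.
func MakeProof(priv *ecdsa.PrivateKey, htm, htu, jti string) string {
	hdr := fmt.Sprintf(`{"typ":"dpop+jwt","alg":"ES256","jwk":{"kty":"EC","crv":"P-256","x":"%s","y":"%s"}}`, coord(priv.X), coord(priv.Y))
	body := fmt.Sprintf(`{"htm":"%s","htu":"%s","jti":"%s"}`, htm, htu, jti)
	input := enc.EncodeToString([]byte(hdr)) + "." + enc.EncodeToString([]byte(body))
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	return input + "." + enc.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}

// VerifyProof is the host side (what the PAM module would run): the key inside the proof must hash
// to cnf.jkt, the signature must verify under it, the bound action must match, the jti must be unseen.
// A token stolen without its key fails at the thumbprint step: the thief's key hashes differently.
func VerifyProof(proof, cnfJkt, htm, htu string, seen map[string]bool) error {
	p := strings.Split(proof, ".")
	if len(p) != 3 { return fmt.Errorf("malformed proof") }
	var hdr struct{ Alg string; Jwk struct{ X, Y string } }
	var body struct{ Htm, Htu, Jti string }
	hb, bb, sig := dec(p[0]), dec(p[1]), dec(p[2])
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(bb, &body) != nil || hdr.Alg != "ES256" || len(sig) != 64 { return fmt.Errorf("unparseable or unsupported proof") }
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(hdr.Jwk.X)), Y: new(big.Int).SetBytes(dec(hdr.Jwk.Y))}
	if !pub.IsOnCurve(pub.X, pub.Y) || Thumbprint(pub) != cnfJkt { return fmt.Errorf("proof key does not match token cnf.jkt") }
	if h := sha256.Sum256([]byte(p[0] + "." + p[1])); !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) { return fmt.Errorf("bad proof signature") }
	if body.Htm != htm || body.Htu != htu { return fmt.Errorf("proof bound to a different action") }
	if seen[body.Jti] { return fmt.Errorf("replayed jti") } // replay cache, bounded by iat in RFC 9449
	seen[body.Jti] = true
	return nil
}
```

A production verifier additionally enforces iat freshness (and a server-issued nonce where used) and, when the proof accompanies an access token, the ath claim binding the proof to that token; both are omitted here for brevity.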