Main feature of this release is the ability to specify remote redirect URIs. This helps with integrating opkssh with other tools such as termix. Most users of opkssh should not be using this flag and can skip this update.

🚀 Features

• Remote Redirect URIs Support (termix) @EthanHeilman (#456)

Main feature of this release is the audit command, which allows you to check server side configurations. Read the docs here: https://github.com/openpubkey/opkssh/blob/main/docs/audit.md

Changes

• docs: warn that azure alias URI hardcodes the tenant ID @TheToddLuci0 (#446)
• docs: Add Keycloak docs @sylvain-vq (#442)

🚀 Features

• feat: Audit command @Basti-Fantasti (#396)

🐛 Bug Fixes

• Update hack.sh to use user ids as user ids, not group ids as user ids @TheToddLuci0 (#447)
• Fix openssh version detection bug @EthanHeilman (#444)
• fix(deps): Update Docker @renovate[bot] (#450)
• fix(deps): Update actions/setup-go action to v6.2.0 @renovate[bot] (#449)

🚀 Features

• Add support for custom group claims @mvanderlee (#133)
• feat: Flag to print SSH cert and private key rather than FS @EthanHeilman (#437)
• feat: Process extra arguments to the verify command @justincmoy (#436)
• Add warning message when email claim is missing from ID token @copilot-swe-agent[bot] (#374)
• [feat] Add new "inspect" subcommand @stmcginnis (#349)
• Add CLI reference documentation @stmcginnis (#365)
• Include signature JSON in inspect output @stmcginnis (#358)
• • docs: Add Amazon Cognito as tested provider @Foorack (#414)
• docs: Add documentation for opkssh and sssd integration @vigneshmanick (#409)
• Added SELinux support for sudo logging @descensus (#376)
• Update CLI documentation @github-actions[bot] (#368)

🐛 Bug Fixes

• Fix race condition in ReadHome @gcorrall (#391)
• [fix] Use lowercase for positional argument placeholders @t38miwa (#361)
• fix typo in commands/verify.go @DevRockstarZ (#336)
• Doc: fix small errors in policy plugin doc @PotatoesMaster (#344)
• Correct macOS name @stmcginnis (#341)

🧰 Maintenance

• chore: document upstream nix usage & remove nix flake @datosh (#383)
• Update CLI documentation @github-actions[bot] (#438)
• Stop hash pinning docker images @EthanHeilman (#421)
• [fix] Fix ssh version integration test @EthanHeilman (#362)
• Fix integration tests failing due to pacman keys @EthanHeilman (#432)
• fix(deps): Update docker/setup-buildx-action action to v3.12.0 @renovate[bot] (#426)
• fix(deps): Update zizmorcore/zizmor-action action to v0.3.0 @renovate[bot] (#413)
• fix(deps): Update peter-evans/create-pull-request action to v8 @renovate[bot] (#418)
• fix(deps): Update zizmorcore/zizmor-action action to v0.2.0 @renovate[bot] (#335)
• fix(deps): Update peter-evans/create-pull-request action to v7.0.9 @renovate[bot] (#407)

Changes

• Merge SELinux Type Enforcement Files. @SweBarre (#332)
• Feature/provider command @aaron-riact (#307)
• Fixes typo in linux install script and docs (regression) @SweBarre (#320)

🐛 Bug Fixes

• fix(deps): Update Docker @renovate[bot] (#330)
• fix(deps): Update actions/setup-go action to v6 @renovate[bot] (#329)
• fix(deps): Update Docker @renovate[bot] (#322)
• fix: Fixes build since /var/run/sshd already created @EthanHeilman (#325)
• fix: Fixes URL in get_te_download_path @SweBarre (#324)
• fix(deps): Update actions/checkout action to v5 @renovate[bot] (#306)
• fix(deps): Update zizmorcore/zizmor-action action to v0.1.2 @renovate[bot] (#308)
• fix(deps): Update Docker @renovate[bot] (#321)

🧰 Maintenance

• fix(deps): Update Docker @renovate[bot] (#330)
• fix(deps): Update Docker @renovate[bot] (#322)

Changes

• Improve docs command package @gppmad (#303)
• docs: Better description of policy being additive @EthanHeilman (#288)
• Add description for OPKSSH command-line tool @gppmad (#284)

🚀 Features

• Create user deny list @EthanHeilman (#316)
• Add --key-type/-t flag to the login command to control what type of SSH key is generated @Hidoni (#300)
• Separate Type Enforcement files from install script @SweBarre (#276)
• Wildcard support for all users at a given domain @aaron-riact (#291)

🐛 Bug Fixes

• Use smaller constants for 32-bit archs (#314) @jas4711 (#315)
• fixes a typo in the install linux documentation @kayiwa (#304)

🧰 Maintenance

• fix(deps): Update goreleaser/goreleaser-action action to v6.4.0 @renovate[bot] (#312)
• fix(deps): Update Docker @renovate[bot] (#302)
• fix(deps): Update actions/checkout action to v4.3.0 @renovate[bot] (#305)
• fix(deps): Update Docker @renovate[bot] (#301)
• fix(deps): Update Docker @renovate[bot] (#299)
• fix(deps): Update Docker @renovate[bot] (#298)
• fix(deps): Update Docker @renovate[bot] (#297)
• fix(deps): Update Docker @renovate[bot] (#296)
• fix(deps): Update Docker @renovate[bot] (#294)
• fix(deps): Update Docker @renovate[bot] (#290)
• fix(deps): Update Docker @renovate[bot] (#287)
• fix(deps): Update Docker @renovate[bot] (#285)
• fix(deps): Update Docker @renovate[bot] (#283)
• fix(deps): Update quay.io/archlinux/archlinux:latest Docker digest to 3bd6dfb @renovate[bot] (#282)
• fix(deps): Update Docker @renovate[bot] (#279)
• fix(deps): Update opensuse/tumbleweed:latest Docker digest to ebf7f5c @renovate[bot] (#277)
• fix(deps): Update golang.org/x/exp digest to 542afb5 @renovate[bot] (#274)
• fix(deps): Update Docker @renovate[bot] (#275)
• Bump github.com/docker/docker from 28.2.2+incompatible to 28.3.3+incompatible @dependabot[bot] (#295)
• fix(deps): Update Docker @renovate[bot] (#302)
• fix(deps): Update Docker @renovate[bot] (#301)
• fix(deps): Update Docker @renovate[bot] (#298)
• fix(deps): Update Docker @renovate[bot] (#297)
• fix(deps): Update Docker @renovate[bot] (#296)
• fix(deps): Update Docker @renovate[bot] (#294)
• fix(deps): Update Docker @renovate[bot] (#290)
• fix(deps): Update Docker @renovate[bot] (#287)
• fix(deps): Update Docker @renovate[bot] (#283)
• fix(deps): Update quay.io/archlinux/archlinux:latest Docker digest to 3bd6dfb @renovate[bot] (#282)
• fix(deps): Update opensuse/tumbleweed:latest Docker digest to ebf7f5c @renovate[bot] (#277)
• fix(deps): Update Docker @renovate[bot] (#275)

Changes

• Add azure config doc @EthanHeilman (#243)
• Add test for piping install script to bash @SweBarre (#241)
• Unittests for the install script @SweBarre (#204)

🚀 Features

• Feat: Add 12h expiration policy @bmodotdev (#235)
• Write the certificate where OpenSSH will find it @syskill (#224)
• Improve checkOpenSSHVersion function @gppmad (#238)
• Move opkssh key files to a separate location @net42-jkeil (#122)

🐛 Bug Fixes

• Fix: silence error when plugin policy dir missing @bmodotdev (#236)
• Fixes some spelling errors @SweBarre (#228)
• Fix issue in go upgrades @datosh (#221)
• Docs: fix formatting of Azure docs @boosterl (#269)
• Add troubleshooting note for azure for prompt: none @EthanHeilman (#254)

🧰 Maintenance

• ci: add zizmor action so that action security will be tracked @datosh (#246)
• ci: configure dependabot for go and github action updates, fixes #207 @shyim (#217)
• ci: fix zizmor findings @datosh (#247)
• Migrate from dependabot to renovate @datosh (#255)
• Migrate golangcilint @datosh (#233)
• Update linter to v2.0.2 @EthanHeilman (#230)
• fix(deps): Update quay.io/archlinux/archlinux:latest Docker digest to 00ce22d @renovate[bot] (#273)
• fix(deps): Update opensuse/tumbleweed:latest Docker digest to c0a0dad @renovate[bot] (#271)
• fix(deps): Update module github.com/testcontainers/testcontainers-go to v0.38.0 @renovate[bot] (#266)
• fix(deps): Update opensuse/tumbleweed:latest Docker digest to 315d1af @renovate[bot] (#267)
• fix(deps): Update Docker @renovate[bot] (#262)
• fix(deps): Update quay.io/archlinux/archlinux:latest Docker digest to 00ce22d @renovate[bot] (#273)
• fix(deps): Update opensuse/tumbleweed:latest Docker digest to c0a0dad @renovate[bot] (#271)
• fix(deps): Update module github.com/zitadel/oidc/v3 to v3.41.0 @renovate[bot] (#270)
• fix(deps): Update Docker @renovate[bot] (#268)
• fix(deps): Update module github.com/testcontainers/testcontainers-go to v0.38.0 @renovate[bot] (#266)
• fix(deps): Update opensuse/tumbleweed:latest Docker digest to 315d1af @renovate[bot] (#267)
• fix(deps): Update DeterminateSystems/update-flake-lock action to v27 @renovate[bot] (#265)
• fix(deps): Update DeterminateSystems/nix-installer-action action to v19 @renovate[bot] (#264)
• fix(deps): Update DeterminateSystems/flake-checker-action action to v12 @renovate[bot] (#263)
• fix(deps): Update Docker @renovate[bot] (#262)
• fix(deps): Update Go @renovate[bot] (#257)
• fix(deps): Update golangci/golangci-lint-action action to v8 @renovate[bot] (#260)
• fix(deps): Update Docker @renovate[bot] (#259)
• fix(deps): Update Docker @renovate[bot] (#256)
• Fix auth_id uniqueness bug @EthanHeilman (#251)
• fix(deps): bump github.com/zitadel/oidc/v3 from 3.39.0 to 3.39.1 in the all group @dependabot[bot] (#248)
• fix(deps): bump the all group with 3 updates @dependabot[bot] (#249)
• fix(deps): bump github.com/go-chi/chi/v5 from 5.2.1 to 5.2.2 @dependabot[bot] (#244)
• fix(deps): bump ncruces/go-coverage-report from 0.3.0 to 0.3.1 in the all group @dependabot[bot] (#239)
• Fix bug in install script @EthanHeilman (#237)
• fix(deps): bump the all group with 2 updates @dependabot[bot] (#223)
• fix(deps): bump docker/setup-buildx-action from 3.10.0 to 3.11.1 in the all group @dependabot[bot] (#232)
• fix(deps): bump the all group across 1 directory with 4 updates @dependabot[bot] (#222)

Changes

• fix: only make GitHub provider available in GitHub environments @datosh (#210)
• Harden gh actions @datosh (#198)
• Cleans up TODOs on unneeded logging statement @EthanHeilman (#195)
• Adds Chocolatey install to Readme (#82). @fdcastel (#194)
• Define a Nix overlay and module @javbit (#186)
• Find opkssh binary path dynamically @k0da (#177)
• Add more Nix CI checks & documentation @javbit (#180)
• Documents how to use PuTTY with opkssh @EthanHeilman (#179)
• Add Nix Flake to build opkssh @javbit (#178)
• Document configuration for Gitlab selfhosted @matijse (#175)

🚀 Features

• Userinfo claims support via an Access token in the ssh cert @EthanHeilman (#183)
• GHA based login @datosh (#187)
• Honor the INSTALL_DIR Variable and openSUSE/SLES support @SweBarre (#197)
• Creates server config.yml to set env variables @EthanHeilman (#189)
• Creates policy plugin system (env vars) @EthanHeilman (#181)

🐛 Bug Fixes

• fix: read send_access_token when parsing config @datosh (#215)
• Fix broken link in readme @EthanHeilman (#205)
• Fixes missing backticks on code block @SweBarre (#203)
• Add hello provider @gdm257 (#202)
• Fix typo in README @EthanHeilman (#190)

🧰 Maintenance

• Fix broken link in readme @EthanHeilman (#205)
• Cleans up more info in the README @EthanHeilman (#196)
• Moves off of bastionzero oidc fork @EthanHeilman (#193)
• Sets permissions for directories we create on install @EthanHeilman (#192)
• Fix typo in README @EthanHeilman (#190)
• docs: Clarify point in policy plugin docs @EthanHeilman (#185)

Changes

• bugfix: use scopes from client config @datosh (#174)
• Kanidm integration guide @datosh (#172)

Changes

• Corrected Windows config filepath @L-Wehmschulte (#168)
• Use shellquote for parsing policy::Table @markafarrell (#158)
• Improve integration test runtime @datosh (#150)
• Bump golang.org/x/net from 0.36.0 to 0.38.0 @dependabot[bot] (#145)
• docs: consistent arguments docs for login provider @datosh (#141)
• Issue-134: Add documentation for using custom keys @mvanderlee (#140)

🚀 Features

• Add build instructions @markafarrell (#163)
• Switch to using standardOp customer providers @EthanHeilman (#155)
• Creates yaml client config @EthanHeilman (#143)

🐛 Bug Fixes

• bug: Fixes release drafter @EthanHeilman (#139)

🧰 Maintenance

• Adds link to openpubkey mailing list @EthanHeilman (#148)
• doc:Add scopes example to readme @EthanHeilman (#147)

What's Changed

• Fixing go-releaser by @EthanHeilman in #137