What is OpenAKC?<\/h2>\n
OpenAKC is an open-source authentication gateway, dynamic SSH key manager, and privileged access management tool for Linux. It completely rethinks how SSH trust is managed across an estate.<\/p>\n
As a centralised trust management platform,<\/strong> OpenAKC allows the As a practical jump host solution,<\/strong> OpenAKC replaces the dubious mechanisms many of us have seen in production: shared private keys, dodgy sudo wrappers, and insecure AD-to-SSH bridges. It acts as a drop-in upgrade by migrating users to personal keys with self-service key management, enforcing passphrases, and providing full audit trails.<\/p>\n <\/p>\n \u2705 OpenAKC solves all of these. This architecture takes a few steps to understand, but from a security standpoint it trumps anything most organisations are currently running.<\/p>\n <\/p>\n OpenAKC supports two deployment architectures depending on the size of your team and estate. Both can be scaled out for redundancy.<\/p>\n OpenAKC Architecture Overview (source: netlore.github.io\/OpenAKC<\/a>)<\/p>\n<\/div>\n <\/p>\n Jump Host + Security Server on one box<\/p>\n<\/div>\n Best for:<\/strong> Small teams where the admin team also manages security.<\/p>\n Single point of management with role rules and diagnostics all in one place. Only a couple of client packages to deploy and clients are brought into trust immediately. In today’s evolving threat landscape, the ability to control what even root can do is no longer optional. Military and financial environments demand this level of granular access control, and this architecture delivers it with minimal overhead.<\/p>\n<\/div>\n<\/div>\n<\/div>\n <\/p>\n Separate Jump Hosts + Security Server<\/p>\n<\/div>\n Best for:<\/strong> Large teams with multiple groups and tighter security requirements.<\/p>\n Security server and jump hosts are fully separated, meaning client machines are never joined to the domain. Attackers who compromise a client machine cannot query AD for users, groups, or any organisational structure. Jump hosts are disposable and easily redeployed. For military and financial institutions where root capability control, full session audit trails, and zero-trust principles are regulatory requirements, this segregated model is the gold standard.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n <\/p>\n <\/p>\n This walkthrough covers the segregated architecture<\/strong> (separate jump host and security server). We are deploying on CentOS 7.<\/p>\n \u26a0\ufe0f Prerequisites:<\/strong> Two CentOS 7 machines deployed. Active Directory configured with a user in a Linux group. Disable \u26a0\ufe0f The original repo source code does not support newer OS’s. I have updated all the code to work with newer versions and written automations to deploy it for any environment<\/strong><\/p>\n<\/div>\n <\/p>\n Join to AD, install OpenAKC server, register your admin key<\/p>\n<\/div>\n <\/p>\n Edit <\/p>\n The realm name is case sensitive<\/strong>.<\/p>\n Tip:<\/strong> You can set <\/p>\n <\/p>\n <\/p>\n Switch to your user account, generate an RSA key pair, and register it with OpenAKC.<\/p>\n <\/p>\n Define who can access what, when, and how. This is where OpenAKC really shines.<\/p>\n Add role blocks like these:<\/p>\n <\/p>\n Key Insight:<\/strong> The <\/p>\n <\/p>\n Join to AD, install OpenAKC tools, point at security server<\/p>\n<\/div>\n Note:<\/strong> Join this server to the domain first using the same steps from Phase 1 (Steps 1-4), then continue from here.<\/p>\n<\/div>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n \u2705 Success!<\/strong> If you see the Pong response, your jump host is talking to the security server correctly.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n <\/p>\n The easiest part. Add any machine to the estate in minutes.<\/p>\n<\/div>\n This is where it gets beautiful. Got a bunch of legacy systems? Want centralised login without joining them to the domain? Want every root session tracked with keystroke logging? Here’s all you do.<\/p>\n <\/p>\n \u26a0\ufe0f Important:<\/strong> The client package is called <\/p>\nauthorized_keys<\/code> mechanism on hosts to be completely disabled. SSH trust across your entire estate can be managed centrally by systems administration or information security staff, with rich control and monitoring features. Users and application developers can no longer add or remove trust relationships on their own, effectively enforcing any whitelist or approval process you want.<\/p>\n\ud83e\udd14 The Problems Everyone Thinks About But Never Solves<\/h3>\n
\n
Architecture Options<\/h2>\n
![\"OpenAKC](\"https:\/\/mail.fsck.co.uk\/assets\/OpenAKC_Home.png\")
<\/p>\n\ud83c\udfe0 Combined Architecture<\/h3>\n
![\"Combined](\"https:\/\/nicktailor.com\/tech-blog\/wp-content\/uploads\/2026\/02\/openakc-combined-diagram.jpg\")
<\/div>\n\ud83c\udfe2 Segregated Architecture<\/h3>\n
![\"Separate](\"https:\/\/raw.githubusercontent.com\/netlore\/OpenAKC\/master\/docs\/resources\/OpenAKC%20Separate%20Bastion%20Host%20%26%20Security%20Server%20Diagram.svg\")
<\/p>\n\u2728 Special Features<\/h3>\n
Practical Deployment Guide<\/h2>\n
firewalld<\/code> and selinux<\/code> on your machines before proceeding.<\/p>\nPhase 1 \u2014 Security Server Setup<\/h3>\n
Install AD\/Kerberos Packages<\/h4>\n
yum install oddjob realmd samba samba-common oddjob-mkhomedir sssd adcli<\/code><\/pre>\n<\/div>\n<\/div>\nPoint DNS at Active Directory<\/h4>\n
\/etc\/resolv.conf<\/code> to include your AD server as a nameserver so it can resolve the necessary DNS records.<\/p>\nvi \/etc\/resolv.conf\n\nnameserver 192.168.1.300\nnameserver 192.168.1.301<\/code><\/pre>\n<\/div>\n<\/div>\nDiscover and Join the Realm<\/h4>\n
# Discover the realm\nrealm discover AD.NICKTAILOR.COM\n\n# Join the domain (enter AD admin password when prompted)\nrealm join --user=admin ad.nicktailor.com\n\n# Verify it worked\nid nicktailor@ad.nicktailor.com<\/code><\/pre>\nuse_fully_qualified_names = False<\/code> in \/etc\/sssd\/sssd.conf<\/code> so you don’t need @ad.nicktailor.com<\/code> when running id<\/code>.<\/p>\n<\/div>\n<\/div>\n<\/div>\nAdd User to Sudo<\/h4>\n
usermod -aG wheel nicktailor<\/code><\/pre>\n<\/div>\n<\/div>\nInstall OpenAKC Server<\/h4>\n
# Add the OpenAKC repository\ncurl https:\/\/netlore.github.io\/OpenAKC\/repos\/openakc-el7.repo \\\n | sudo tee \/etc\/yum.repos.d\/openakc.repo\n\n# Install the server package\nyum install openakc-server<\/code><\/pre>\n<\/div>\n<\/div>\nGenerate and Register Your SSH Key<\/h4>\n
# Switch to your user\nsu nicktailor\n\n# Generate SSH keys (use a passphrase!)\nssh-keygen -t rsa\n\n# Register the key with OpenAKC\nopenakc register\n\n# Verify the public key was created\nls -al \/home\/nicktailor\/.openakc\/\n\n# Copy the key to the security server's key store (may need root)\ncp \/home\/nicktailor\/.openakc\/openakc-user-client-nicktailor--pubkey.pem \\\n \/var\/lib\/openakc\/keys\/<\/code><\/pre>\n\ud83d\udccb Example Output (click to expand)<\/summary>\n
[nicktailor@security1 ~]$ ssh-keygen -t rsa\nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/home\/nicktailor\/.ssh\/id_rsa):\nEnter passphrase (empty for no passphrase):\nEnter same passphrase again:\nYour identification has been saved in \/home\/nicktailor\/.ssh\/id_rsa.\nYour public key has been saved in \/home\/nicktailor\/.ssh\/id_rsa.pub.\nThe key fingerprint is:\nSHA256:udhNKEp0txzfup7IxhUwNA+VSviWP1mu\/aKPA5vZb3w nicktailor@security1\n\n[nicktailor@security1 ~]$ openakc register\nOpenAKC Copyright (C) 2019-2020 A. James Lewis. Version is 1.0.0~alpha18\n\nPassphrase is requested to ensure you own this key.\nEnter passphrase:\nEscalating to perform API call\nConnected to OpenAKC server. Sending key registration request\nOK: Request processed<\/code><\/pre>\n<\/details>\n<\/div>\n<\/div>\nCreate Access Roles<\/h4>\n
# Edit the default root role\nopenakc editrole root@DEFAULT<\/code><\/pre>\n## Per-user rule<\/span>\nRULE=2020\/01\/13 19:17,2030\/01\/13 20:17,user,nicktailor\nDAY=any\nTIM=any\nSHELL=\/bin\/bash\nCMD=any\nSCP=s,^\/,\/data\/,g\nCAP=cap_linux_immutable\nREC=yes\nFROM=any\n\n## Group-based rule (for all linuxusers)<\/span>\nRULE=2020\/01\/13 19:17,2030\/01\/13 20:17,group,linuxusers\nDAY=any\nTIM=any\nSHELL=\/bin\/bash\nCMD=any\nSCP=s,^\/,\/data\/,g\nCAP=cap_linux_immutable\nREC=yes\nFROM=any<\/code><\/pre>\n\n\n
\n \nField<\/th>\n Description<\/th>\n<\/tr>\n<\/thead>\n \n RULE<\/td>\n Date range, type (user\/group), and identity<\/td>\n<\/tr>\n \n DAY<\/td>\n Restrict access to specific days (or any<\/code>)<\/td>\n<\/tr>\n\n TIM<\/td>\n Restrict access to specific times (or any<\/code>)<\/td>\n<\/tr>\n\n SHELL<\/td>\n Override the user’s shell on login<\/td>\n<\/tr>\n \n CMD<\/td>\n Whitelist specific commands (or any<\/code>)<\/td>\n<\/tr>\n\n CAP<\/td>\n Drop Linux capabilities (e.g. block immutable file edits even for root)<\/td>\n<\/tr>\n \n REC<\/td>\n Enable session recording ( yes<\/code>\/no<\/code>)<\/td>\n<\/tr>\n\n FROM<\/td>\n Restrict source IP\/hostname (or any<\/code>)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\nCAP=cap_linux_immutable<\/code> setting strips root’s ability to modify files with the immutable flag. This is just one of many Linux capabilities you can revoke. Your root users literally cannot change protected files, even as root.<\/p>\n<\/div>\n<\/div>\n<\/div>\nCopy Your Key to the Jump Host<\/h4>\n
ssh-copy-id -i ~\/.ssh\/id_rsa.pub root@192.168.1.200<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\nPhase 2 \u2014 Jump Host Setup<\/h3>\n
Install OpenAKC Tools<\/h4>\n
# Add the repository\ncurl https:\/\/netlore.github.io\/OpenAKC\/repos\/openakc-el7.repo \\\n | sudo tee \/etc\/yum.repos.d\/openakc.repo\n\n# Install the tools package (NOT openakc-server)\nyum install openakc-tools<\/code><\/pre>\n<\/div>\n<\/div>\nConfigure the Security Server Connection<\/h4>\n
vi \/etc\/openakc\/openakc.conf\n\nAPIS=\"securityakc1.nicktailor.com\"\nPORT=\"889\"<\/code><\/pre>\n<\/div>\n<\/div>\nLogin as Your User and Copy Key<\/h4>\n
# Switch to your user (lets SSSD create the home directory)\nsu nicktailor\n\n# Copy your key from the security server\nssh-copy-id -i ~\/.ssh\/id_rsa.pub root@192.168.1.200<\/code><\/pre>\n<\/div>\n<\/div>\nVerify Connectivity<\/h4>\n
[nicktailor@jumphost1 ~]$ openakc ping\nOpenAKC Copyright (C) 2019-2020 A. James Lewis. Version is 1.0.0~alpha18\n\nConnected to OpenAKC server. Sending Test Run Ping Message\nTest Run Response - OK: Pong! - from server - securityakc1.nicktailor.com<\/code><\/pre>\nPhase 3 \u2014 Client Machine Setup<\/h3>\n
Install OpenAKC Client<\/h4>\n
openakc<\/code> (not openakc-server<\/code> or openakc-tools<\/code>). If you install the wrong one it’s painful to clean up!<\/p>\n<\/div>\n# Add the repo\ncurl https:\/\/netlore.github.io\/OpenAKC\/repos\/openakc-el7.repo \\\n | sudo tee \/etc\/yum.repos.d\/openakc.repo\n\n# Install the CLIENT package\nyum install openakc<\/code><\/pre>\n<\/div>\n<\/div>\nConfigure the Client<\/h4>\n
vi \/etc\/openakc\/openakc.conf\n\nAPIS=\"192.168.1.200\"\nENABLED=\"yes\"\nPORT=\"889\"\nCACHETIME=\"60\"\nDEBUG=\"no\"\nPERMITROOT=\"yes\"\nAUDIT=\"yes\"\nQUIZ=\"no\"\nHIDE=\"restrict\"\nFAKESUDO=\"yes\"<\/code><\/pre>\n
![\"OpenAKC](\"https:\/\/raw.githubusercontent.com\/netlore\/OpenAKC\/master\/docs\/resources\/OpenAKC_Demo.gif\")
<\/p>\n