by OrvalWintermute 1180 days ago
I might not disagree with you there.

However, for all its warts, x509, due to hardware implementations, seems a great deal more secure than sitting on the FS SSH host certificates.


OpenSSH has supported FIDO keys since 8.2p1 and has supported smart cards via GPG for longer.
Yeah. Actually ssh agent speaks PKCS#11 (both client and server) so it's possible to interface with the hardware token quite easily. I'm using that to store my client key in TPM for example.