by password4321 697 days ago
TIL about PKIX-SSH, OpenSSH + X.509.

https://gitlab.com/secsh/pkixssh

http://tech.ciges.net/blog/openssh-with-x509-certificates-ho...

Right now I'd stick with something like Gravitational Teleport (overkill); Warpgate may become the perfect fit for this niche soon.

https://github.com/warp-tech/warpgate

It's also worth knowing about SSH clients that can use X.509 certificate keys as normal pre-shared keys with any SSH server, like PuTTY CAC and the support built in to macOS High Sierra and later.

https://www.idmanagement.gov/implement/scl-ssh/

1 comments

OpenBao and HashiCorp Vault also have built-in support for SSH certs: https://openbao.org/docs/secrets/ssh/signed-ssh-certificates...