by dcow 451 days ago
Doesn’t this require the server to consult the IDP on every login, though, to make sure the id token is valid? One of the staples of ssh from a UX standpoint is that it’s peer to peer.

I suppose you could do something based on IDP-signed tokens, e.g. "valid for authentication to service x until <timestamp>"?
This is basically an ssh certificate then.
The difference is in /key management/. Key management is the hard part. Especially keyless SSH management. (Things like sigstore's rekor/fulcio remove some complexity here.) It is not "just a (manually generated) ssh certificate".
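The "valid for authentication to service x until &lt;timestamp&gt;" idea from the comment above, as an added illustration that is not from any commenter: the IdP signs a small claim set with its private key, and the server checks signature, audience and expiry using only the IdP's public key, so no round trip to the IdP happens at login. Names (Token, Issue, Verify, the service strings) are invented for the example; the trade-off the thread raises still holds, since the only lever for "disabled now" in this design is a short expiry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Token is the claim set the IdP signs: who, for which service, until when.
type Token struct {
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expires  int64  `json:"exp"` // unix seconds
}

// SignedToken is what the client carries to the server.
type SignedToken struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSig   = errors.New("signature does not verify under the IdP key")
	ErrAudience = errors.New("token was not issued for this service")
	ErrExpired  = errors.New("token has expired")
)

// Issue runs at the IdP: serialize the claims and sign them with Ed25519.
func Issue(priv ed25519.PrivateKey, t Token) (SignedToken, error) {
	payload, err := json.Marshal(t)
	if err != nil {
		return SignedToken{}, err
	}
	return SignedToken{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify runs on the SSH server with only the IdP public key and a clock.
// Check the signature before trusting any field of the payload.
func Verify(pub ed25519.PublicKey, st SignedToken, service string, now time.Time) (Token, error) {
	if !ed25519.Verify(pub, st.Payload, st.Signature) {
		return Token{}, ErrBadSig
	}
	var t Token
	if err := json.Unmarshal(st.Payload, &t); err != nil {
		return Token{}, err
	}
	if t.Audience != service {
		return t, ErrAudience
	}
	if !now.Before(time.Unix(t.Expires, 0)) {
		return t, ErrExpired
	}
	return t, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed IdP key pair
	st, _ := Issue(priv, Token{Subject: "alice", Audience: "bastion-1", Expires: time.Now().Add(5 * time.Minute).Unix()})
	_, err := Verify(pub, st, "bastion-1", time.Now())
	fmt.Println("offline verification error:", err)
}
```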
Kerberos tickets have timeouts on them already, it's a matter of configuration how long you wait.

The thing is most enterprises want "user disabled" to be instant.

Which of course leads to SSH keys all over the place anyway.