[XorNot]

Kerberos tickets have timeouts on them already, it's a matter of configuration how long you wait.

The thing is most enterprises want "user disabled" to be instant.

Which of course leads to SSH keys all over the place anyway.