[tptacek]

Every serious shop of any real size is already managing an OIDC IdP (you need one for whatever SAAS apps your team is using along with any internal web applications you're using). Why not just link it to something that can issue short-lived SSH certificates? That's also the cleanest way to get strong multifactor auth for SSH (certificates issued only through an OIDC progress minted with MFA requirements).

Setting up Kerberos in 2026 feels somewhat close to malpractice to me.

[gnufx]

I'm happy for anyone who doesn't have MS Windows/Active Directory -- so Kerberos -- in their organization, but I'd need (Free)IPA or similar for user/access management anyway. Certificates are an extra layer of SSH-specific complexity, which concerns me for security even if it doesn't involve some third party. MFA is needed once a day, say, for SSO to all Kerberized services. [As I understand it, "managing an OIDC IdP" includes shipping the contents of Active Directory to Entra, heaven help us.]

> Setting up Kerberos in 2026 feels somewhat close to malpractice to me.

Microsoft (if that means anything, but they've done good work) and Red Hat obviously disagree, along with decades' experience. It is malpractice not to secure NFS mounts (and other network filesystems with sensitive data), and that means Kerberos.