Hacker News
by gnufx 79 days ago
I'm happy for anyone who doesn't have MS Windows/Active Directory -- so Kerberos -- in their organization, but I'd need (Free)IPA or similar for user/access management anyway. Certificates are an extra layer of SSH-specific complexity, which concerns me for security even if it doesn't involve some third party. MFA is needed once a day, say, for SSO to all Kerberized services. [As I understand it, "managing an OIDC IdP" includes shipping the contents of Active Directory to Entra, heaven help us.]

> Setting up Kerberos in 2026 feels somewhat close to malpractice to me.

Microsoft (if that means anything, but they've done good work) and Red Hat obviously disagree, along with decades' experience. It is malpractice not to secure NFS mounts (and other network filesystems with sensitive data), and that means Kerberos.
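The comment's point that an unsecured NFS export is the thing to avoid can be turned into a quick check. The script below is an added example, not part of gnufx's comment or of any project code. It assumes the Linux exports(5) syntax used by nfs-kernel-server: each line is a path followed by client(options) specs, the security flavour comes from a `sec=` option taking a colon-separated list, and an export with no `sec=` option defaults to `sec=sys` (AUTH_SYS, i.e. no Kerberos). The sample exports text is constructed for illustration.

```shell
# Added example (not from the original comment). Audits exports(5)-style text
# and reports every export that is reachable without Kerberos: either no sec=
# option (default is sys) or a sec= list that still includes sys.
# Returns 0 when everything requires krb5/krb5i/krb5p, 1 otherwise.
audit_exports() {
    rc=0
    set -f                       # do not glob-expand client specs such as *(rw)
    while IFS= read -r line; do
        line=${line%%#*}         # drop comments
        set -- $line             # split into path and client(options) specs
        [ $# -eq 0 ] && continue
        path=$1; shift
        for spec in "$@"; do
            case $spec in
                *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;;
                *)      opts="" ;;   # bare client with no options at all
            esac
            sec=""
            oldifs=$IFS; IFS=,
            for o in $opts; do       # last sec= wins, as exportfs treats it
                case $o in sec=*) sec=${o#sec=} ;; esac
            done
            IFS=$oldifs
            if [ -z "$sec" ]; then
                echo "$path $spec: no sec= option, defaults to sec=sys (no Kerberos)"
                rc=1
                continue
            fi
            case ":$sec:" in
                *:sys:*) echo "$path $spec: sec=$sec still permits AUTH_SYS"; rc=1 ;;
            esac
        done
    done <<EOF
$1
EOF
    set +f
    return $rc
}

# Constructed sample: two exports are properly Kerberised, two are not.
SAMPLE_EXPORTS='/srv/home    10.0.0.0/24(rw,sync,sec=krb5p)
/srv/scratch 10.0.0.0/24(rw,sync)
/srv/data    *(rw,sec=sys:krb5)
# a comment line
/srv/secure  10.0.0.0/24(rw,sec=krb5i:krb5p)'

audit_exports "$SAMPLE_EXPORTS" || echo "insecure NFS exports found"
```

Run it against a real file with `audit_exports "$(cat /etc/exports)"`; the same logic applies to the mount side, where a client that mounts with `sec=krb5p` gets both authentication and wire encryption, while `sec=krb5` authenticates only.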