EthanHeilman 5 days ago

opkssh (https://github.com/openpubkey/opkssh) lets you configure OpenSSH so you can ssh using your OpenID Connect identity without adding a trusted party other than the IDP. I'm trying to figure out how to TOFU an MFA HW token (YubiKey) on first login so we don't even have to trust the IDP. The tricky part is to design it so that if you lose your HW token you aren't locked out without reintroducing trust. Maybe use a backup code or backup YubiKey or the DKIM trick to allow timelocked resets of the HW token via an email.
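As an added illustration (not opkssh's own code, and not the commenter's design), here is a Go sketch of the server-side state machine the comment is reasoning about: trust-on-first-use pinning of a hardware token, modelled as an Ed25519 key, plus a time-locked replacement that the pinned token's owner cancels simply by logging in before the delay elapses. The challenge bytes, the ResetDelay value and the assumption that a reset request has already been authenticated out of band (for example via the emailed DKIM route the comment mentions) are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// ResetDelay is the timelock: a replacement token becomes valid only after this long (assumed value).
const ResetDelay = 72 * time.Hour

// TokenPolicy is one user's server-side state: the token pinned on first login plus any pending reset.
type TokenPolicy struct {
	enrolled   ed25519.PublicKey // nil until the first login (TOFU)
	pendingPub ed25519.PublicKey // nil when no reset is pending
	pendingAt  time.Time
}

// RequestReset records a replacement key; authenticating the request (e.g. via email) is assumed done.
func (p *TokenPolicy) RequestReset(newPub ed25519.PublicKey, now time.Time) {
	p.pendingPub, p.pendingAt = newPub, now
}

// Login accepts a challenge signed by the token (the hardware token is modelled as an Ed25519 key).
func (p *TokenPolicy) Login(pub ed25519.PublicKey, challenge, sig []byte, now time.Time) bool {
	if !ed25519.Verify(pub, challenge, sig) {
		return false // the presented key must at least prove possession
	}
	if p.enrolled == nil {
		p.enrolled = pub // trust on first use: pin whatever token shows up first
		return true
	}
	if p.pendingPub != nil && now.Sub(p.pendingAt) >= ResetDelay {
		p.enrolled, p.pendingPub = p.pendingPub, nil // timelock elapsed: swap tokens
	}
	if !p.enrolled.Equal(pub) {
		return false
	}
	p.pendingPub = nil // the pinned token is still in use, so cancel any in-flight reset
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ch := []byte("constructed challenge") // constructed sample challenge
	p := &TokenPolicy{}
	fmt.Println("first login enrolls:", p.Login(pub, ch, ed25519.Sign(priv, ch), time.Now()))
}
```

A login during the timelock with the pinned token is what defeats a fraudulent reset; a genuinely lost token simply never logs in, so the replacement matures.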