Smallstep is an identity management software that provides single sign-on and a lot of detailed access control in order to improve security. There has been interest in making ThinLinc work with Smallstep to improve security. Smallstep has existing support for improving security with SSH. It uses certificates to get rid of TOFU, and it also uses short-lived certificates that are fetched for each connection to make sure authentication and access control is fresh. Unfortunately, this is partially handled in a magical way, so it is unclear how this would integrate with ThinLinc. The certificates are stored in an ssh agent (unclear how this conflicts with e.g. GNOME's ssh agent), so that is fairly clear. However, since the certificates are short-lived, a command needs to be run before each connection to make sure they are up to date. Smallstep recommends configuring ProxyCommand for this, or users have to run "step ssh login" before connecting.
