I received many good ideas of how to do this, in particular to use signed certificates instead of public-private keys.
One big question remains for me: how do you avoid that users who get access via a certificate to a server, simply add a public key to .ssh/authorized_keys and then can access the server also without a certificate from then on?
If a user has root access via the certificate on a server, they could always manipulate that, right?
1. If at all possible, avoid giving anybody (even yourself) root access.
2. You can move the authorized keys files to a different location. See https://serverfault.com/questions/313465/is-a-central-locati.... That’s not hacker-proof against users having root access, but will prevent users of good will from doing the wrong thing.
3. Depending on OS/file system, you may be able to make .ssh/authorized_keys immutable, even for root, on the server. For example, FreeBSD has the “system immutable” flag. Files with that flag set can only be modified after booting in single-user mode (https://www.techrepublic.com/blog/it-security/freebsd-file-f...)
If they're evil, then after giving them root access, you can never take it back again. They can do anything to persist their access, and you will never foresee what they could do, so you shouldn't try.
If your users are careless, a simple note at the top of authorized_keys saying "Don't add anything to this file plz without asking the security team" should be sufficient.
https://man.openbsd.org/sshd_config#AuthorizedKeysFile
Other useful options are AuthenticationMethods and AuthorizedKeysCommands.
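An added example, not part of the thread: a small audit of sshd's effective configuration (the lowercase `keyword value` lines that `sshd -T` prints) that flags settings under which a non-root user could add their own key next to certificate login. The sample outputs, the function names and the CA path `/etc/ssh/user_ca.pub` are constructed for illustration; the check reads configuration only and assumes absolute key paths point at root-owned locations.

```python
# Constructed samples of `sshd -T` output (effective config, lowercase keywords).
SAMPLE_DEFAULT = """\
pubkeyauthentication yes
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
trustedusercakeys none
authorizedkeyscommand none
"""

SAMPLE_CERT_ONLY = """\
pubkeyauthentication yes
authorizedkeysfile none
trustedusercakeys /etc/ssh/user_ca.pub
authorizedkeyscommand none
"""

def parse_effective(text):
    """Map each keyword to its list of arguments."""
    conf = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            conf[parts[0].lower()] = parts[1:]
    return conf

def user_controlled(path):
    """True if sshd would resolve this AuthorizedKeysFile entry under the user's home."""
    # Relative paths are taken relative to the home directory; %h expands to it.
    return not path.startswith("/") or "%h" in path

def audit(text):
    """Return a list of findings; an empty list means certificate-only key auth."""
    conf = parse_effective(text)
    findings = []
    if conf.get("trustedusercakeys", ["none"]) == ["none"]:
        findings.append("no TrustedUserCAKeys: certificates are not accepted")
    # sshd's built-in default applies when the keyword is absent.
    default_files = [".ssh/authorized_keys", ".ssh/authorized_keys2"]
    files = conf.get("authorizedkeysfile", default_files)
    if files != ["none"]:
        for p in files:
            if user_controlled(p):
                findings.append(f"AuthorizedKeysFile {p}: user can add own keys")
    if conf.get("authorizedkeyscommand", ["none"]) != ["none"]:
        findings.append("AuthorizedKeysCommand set: review what keys it returns")
    return findings

if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("cert-only", SAMPLE_CERT_ONLY)):
        print(name, audit(sample) or "OK")
```

As the replies above note, this only constrains non-root users; anyone with root can change sshd's configuration itself.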
I'm sure that you could either build your own using xterm.js [0] or by using one of the many projects that implements it. I'm not sure if systems manager uses this project but it certainly looks very similar.
See e.g. this thread: https://news.ycombinator.com/item?id=24157781