> authentication targets are gated and only reachable by establishing a tunnel via some kind of forwarding?
No, it's just how you authenticate with signing keys. Given that a secure channel has been set up with ephemeral keys, you can sign a commitment to the channel (like the hash of the shared secret key) to prove who you are to the other party.
> let users authenticate via SSH and then return a short-lived token that can then be used to log into an application (or even a SSO service)
This is exactly what I recommend. If everyone did this, then eventually the browsers or 1password could support it.
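Worked example of the two points made above (signing a commitment to an ephemeral channel, then handing back a short-lived token), added here and not code from any commenter: both ends of an X25519 exchange hash the shared secret under a label, the client signs that hash with a long-term Ed25519 key standing in for its SSH key, the server recomputes the hash from its own view of the channel before checking the signature, and on success mints an HMAC-bound token with an expiry. The label, token format, server secret and in-process channel simulation are all assumptions for illustration and do not reproduce SSH's own session-id construction.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"strconv"
	"strings"
	"time"
)

const bindingLabel = "example-channel-binding-v1" // constructed domain-separation label
// Identity is a long-term Ed25519 key pair, playing the role of a user's SSH key.
type Identity struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentity() (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Pub: pub, priv: priv}, nil
}

// Channel is one party's view of an ephemeral X25519 exchange: just the shared secret.
type Channel struct{ shared []byte }

// NewChannelPair negotiates both ends of one channel in-process (no network needed).
func NewChannelPair() (*Channel, *Channel, error) {
	curve := ecdh.X25519()
	a, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	b, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sa, err := a.ECDH(b.PublicKey()) // side A derives from B's ephemeral public key
	if err != nil {
		return nil, nil, err
	}
	sb, err := b.ECDH(a.PublicKey()) // side B derives the same bytes independently
	if err != nil {
		return nil, nil, err
	}
	return &Channel{shared: sa}, &Channel{shared: sb}, nil
}

// Commitment is the hash of the shared secret: the value the long-term key signs.
func (c *Channel) Commitment() []byte {
	h := sha256.New()
	h.Write([]byte(bindingLabel))
	h.Write(c.shared)
	return h.Sum(nil)
}

// Prove signs this channel's commitment with the prover's long-term key.
func Prove(id *Identity, c *Channel) []byte {
	return ed25519.Sign(id.priv, c.Commitment())
}

// Verify recomputes the commitment from the verifier's own channel, so a proof made over any other channel fails.
func Verify(pub ed25519.PublicKey, c *Channel, sig []byte) bool {
	return ed25519.Verify(pub, c.Commitment(), sig)
}

// IssueToken mints the short-lived token handed back after a successful proof:
// "<key fingerprint>.<unix expiry>.<hmac>", keyed with a server-side secret (constructed format).
func IssueToken(serverKey []byte, pub ed25519.PublicKey, now time.Time, ttl time.Duration) string {
	sum := sha256.Sum256(pub)
	body := hex.EncodeToString(sum[:8]) + "." + strconv.FormatInt(now.Add(ttl).Unix(), 10)
	mac := hmac.New(sha256.New, serverKey)
	mac.Write([]byte(body))
	return body + "." + hex.EncodeToString(mac.Sum(nil))
}

// ValidateToken checks the MAC in constant time, rejects expired tokens, and returns the key fingerprint.
func ValidateToken(serverKey []byte, token string, now time.Time) (string, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", false
	}
	mac := hmac.New(sha256.New, serverKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal([]byte(hex.EncodeToString(mac.Sum(nil))), []byte(parts[2])) {
		return "", false
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || now.Unix() >= exp {
		return "", false
	}
	return parts[0], true
}
```

Calling Prove over one channel and Verify over a second, separately negotiated channel returns false, because the second channel's shared secret and hence its commitment differ; that is the whole point of binding the signature to the channel rather than to a bare challenge the other side could have obtained elsewhere.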
I understand the appeal of Salesforce, though in my experience it is just as clunky and slow as the software it replaced. I'm sure there are configurations that are not that way, but it's a horrible part of my day to day experience using it as a customer support module. Comments take 4 seconds to add. Opening a case in a new tab is 30 seconds or more. Comments and feeds load progressively, slowly, making it nearly impossible to get to the beginning of long discussions. URLs are long and crazy and have no useful info or anything cool in them. We've had Salesforce consultants and experts come in and gain a second or two here or there but it's been an awful experience over the last 5 years.
To me the screwed up part is companies that sponsor this stuff like Red Bull.
I was working right next to this tragic Base jump - https://en.wikipedia.org/wiki/Ueli_Gegenschatz - we used to eat lunch in the Sunrise Tower and one day there's a really weird vibe in the room because 30 minutes earlier this guy had Base jumped from the roof and crashed; he was still alive when they took him to hospital but died later.
The screwed up part of the story, according to what I've _heard_ - and which didn't really get well reported - is that the wind conditions that day were unpredictable. He shouldn't have been jumping at all, but decided to anyway because Red Bull - the sponsor - plus the press were there and he didn't want to disappoint everyone by cancelling. So you could argue it was his decision, but was it really? There should at least be some independent referee that makes the final call on stuff like this.