The 'ideal ssh flow' involves a program that I think the author has written and a website login. Do these certificates require an existing system running single sign-on or similar to hand out access to other machines, in single-point-of-failure fashion?