TACACS_PLUS SSH Certificate Authentication - MarcJHuber/event-driven-servers GitHub Wiki

First and foremost: No, SSH Certificate Authentication is currently not an option.

A possible way to implement this would be to implement RFC 7055 (A GSS-API Mechanism for the Extensible Authentication Protocol) for SSH, with sshd forwarding the SSH EAP packets to an EAP-capable TACACS+ server.

That's basically pretty similar to "RADIUS Extension for Certificate-based SSH Authentication". Please have a look at the OPSAWG mail archive for discussion details.

Quite a lot of that code actually exists: Moonshot provides a GSS-API implementation, and porting that to TACACS+ looks viable.