TL;DR: What is the best way to mount user homes via SSHFS (or any other encrypted protocol) at login while enforcing the use of security keys like Yubikeys and Nitrokeys?
The long version:
I need to build a new network consisting of (initially at least) one central server and multiple clients. The idea is to let the clients boot via PXE and then mount all needed folders via SSHFS. That should be no problem at all with a correctly configured pam_mount if I only wanted to use username and password, but I also need to enforce the necessity to use a Yubikey as second factor to unlock the SSHFS mounts.
Do you know of any more or less ready-to-use solutions which I can use to reach my goal?
For the sake of completeness of course I also had a few ideas, but I don't know if one of them is actually feasible:
Using pam_exec in combination with a custom script acting as a wrapper around all necessary steps. A server daemon would check the basic authentication using username+password and, if successful, respond with a (FIDO2) challenge which the client would use to generate a FIDO2 assertion, which again the server could check and, if successful, generate a temporary SSH key of which the public key would be added to the authorized_keys file and the private key be returned to the client. After a specific amount of time the server would remove this entry again. I am quite sure this is feasible.
Again using pam_exec and a custom script, but this time adding Keycloak to the server setup, so that the server daemon would act as a Service Provider in terms of OpenID Connect. I think the problem here is that the client (wrapper) script would need to be able to authenticate to Keycloak, because "Direct Grant"/"Resource Owner Grant" cannot be used with two-factor authentication based on hardware tokens.
Thanks in advance for any hint.
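The first idea above (pam_exec wrapper plus a server daemon that adds a temporary key to authorized_keys after the FIDO2 assertion checks out) leaves open how that temporary entry should be written and removed. The following is an added example, not code from the original post, of the server-side "temporary key" half: it writes a restricted authorized_keys entry that sshd itself expires, and a sweeper that removes daemon-managed entries once their deadline has passed. The FIDO2 assertion verification and the key-pair generation are outside this block (in a real daemon those would come from a FIDO2 server library and ssh-keygen). Function names, the `tmpkey:<user>:<epoch>` comment convention and the sample key line are assumptions made for this example; it also assumes an sshd new enough to understand the `expiry-time` authorized_keys option (documented in the AUTHORIZED_KEYS FILE FORMAT section of sshd(8)).

```python
# Added example, not code from the original post: the "temporary SSH key" half of the
# pam_exec + FIDO2 daemon idea. Names (build_entry, add_temporary_key, prune_expired,
# the tmpkey:<user>:<epoch> comment convention) and the sample key are assumptions.
import fcntl, ipaddress, os, re, tempfile, time
from contextlib import contextmanager
from datetime import datetime, timezone

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
MANAGED = re.compile(r"^tmpkey:(?P<user>[A-Za-z0-9_.-]+):(?P<exp>\d+)$")
# Constructed sample with the shape of an ed25519 public key line; not a real key.
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEV4YW1wbGVLZXlCbG9iRm9yVGhlRGVtb09ubHk0 client-host"


def build_entry(pubkey_line, user, client_ip, ttl_seconds, now=None):
    """One authorized_keys line for a short-lived key. Options used:
    restrict      no pty, no port/agent/X11 forwarding, no user rc
    from=         only the client that passed the FIDO2 step may use the key
    expiry-time=  sshd itself stops accepting the key after the deadline, so a
                  late or crashed sweeper cannot extend its life
    command=      internal-sftp is all SSHFS needs; the key never gets a shell"""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] not in KEY_TYPES \
            or not re.fullmatch(r"[A-Za-z0-9+/]+=*", fields[1]):
        raise ValueError("not an OpenSSH public key line")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", user) or int(ttl_seconds) <= 0:
        raise ValueError("bad user name or ttl")
    ipaddress.ip_address(client_ip)  # raises ValueError for anything that is not an address
    expires = (int(time.time()) if now is None else int(now)) + int(ttl_seconds)
    stamp = datetime.fromtimestamp(expires, tz=timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return (f'restrict,from="{client_ip}",expiry-time="{stamp}",command="internal-sftp" '
            f"{fields[0]} {fields[1]} tmpkey:{user}:{expires}")


def parse_line(line):
    """(options, keytype, blob, comment) for a key line, None for blank/comment/garbage.
    Options may contain quoted commas and spaces (from="10.0.0.0/8,!10.0.0.1"), so the
    first split must honour double quotes instead of naively splitting on whitespace."""
    line = line.strip()
    i, quoted = 0, False
    while i < len(line):
        c = line[i]
        if quoted and c == "\\":
            i += 2          # escaped character inside quotes
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            break
        i += 1
    head, rest = line[:i], line[i:].strip()
    if head in KEY_TYPES:   # no options at all
        head, rest = "", line
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    return head, fields[0], fields[1], fields[2] if len(fields) == 3 else ""


@contextmanager
def _locked(path):
    """Serialise concurrent logins editing the same user's file."""
    with open(path + ".lock", "a") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            yield
        finally:
            fcntl.flock(lock, fcntl.LOCK_UN)


def _read(path):
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return [l.rstrip("\n") for l in f]


def _write(path, lines):
    """Write to a temp file and rename, so sshd never sees a half-written file; 0600 as sshd expects."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as f:
        f.write("".join(l + "\n" for l in lines))
        f.flush()
        os.fsync(f.fileno())
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def add_temporary_key(path, user, pubkey_line, client_ip, ttl_seconds, now=None):
    entry = build_entry(pubkey_line, user, client_ip, ttl_seconds, now)
    with _locked(path):
        _write(path, _read(path) + [entry])
    return entry


def prune_expired(path, now=None):
    """Remove daemon-managed entries past their deadline; leave everything else byte-for-byte."""
    now = int(time.time()) if now is None else int(now)
    removed, keep = 0, []
    with _locked(path):
        for line in _read(path):
            parsed = parse_line(line)
            m = MANAGED.match(parsed[3]) if parsed else None
            if m and int(m["exp"]) <= now:
                removed += 1
                continue
            keep.append(line)
        if removed:
            _write(path, keep)
    return removed


def demo(now=1700000000):
    """Throwaway file: one permanent admin key, two temporary keys (60 s and 3600 s),
    then a sweep two minutes later that must remove only the 60-second one."""
    path = os.path.join(tempfile.mkdtemp(), "authorized_keys")
    _write(path, ["# permanent admin key, not managed by the daemon", SAMPLE_PUBKEY])
    short_lived = add_temporary_key(path, "alice", SAMPLE_PUBKEY, "10.0.0.5", 60, now)
    add_temporary_key(path, "bob", SAMPLE_PUBKEY, "10.0.0.6", 3600, now)
    removed = prune_expired(path, now + 120)
    return short_lived, removed, _read(path)
```

Run the sweeper from a timer in the daemon and treat `expiry-time` as the real deadline: once the entry is in the file, sshd refuses the key after the stamp whether or not the sweeper ever runs, so a stuck daemon cannot silently turn a ten-minute key into a permanent one. The private key handed back to the client must only travel over the already-authenticated channel to that daemon, and the `from=` pin only helps if that channel reports the client's address reliably. Before building the daemon at all it is worth comparing it with what OpenSSH already ships: since 8.2 a Yubikey or Nitrokey can be the SSH key itself (`ssh-keygen -t ed25519-sk`, with `-O verify-required` to force PIN/user verification), which would let sshd enforce the hardware token on every SSHFS mount without a custom challenge exchange.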