We don't really fancy the idea of having to manage ssh pubkeys in lots of places.

Can the ssh access (for git over ssh) part of the Branchable service use gssapi authentication at all? Either by us uploading a key for a service principal in our realm, or by setting up a cross-realm relationship with a realm owned by the Branchable service.

If so, would be interested in any details of how authorisations can be expressed.