There are very likely going to be cases where ssh public keys should be supplied through the VO instead of self-registration. I believe that could be done through an id token claim mapped to metadata that htgettoken sees. It may be sufficient if htgettoken then disallows the --registerssh option if that metadata is seen, while htvault-config continues to allow self-registration, which htgettoken just does in a different way (that is, by passing in the public key metadata from the id token).