
At least certificates expire, and can list capabilities right in the certificate?



Not exactly. Yes, the certs expire, so they can't log in again, but existing sessions are not terminated.

With Userify, sessions (like tmux or screen) actually get terminated within seconds when the user's access is removed. That doesn't happen at all with certificates.

If someone's certificate expires, but they're still logged in, they'll stay logged in, because there is no mechanism to kill their session (and they can channel all kinds of things over their logged-in session).

That's an absolute nightmare for compliance.


Fair point - in the case of a revoked cert, it'd probably be feasible to just watch the revocation list and pkill a user's sessions - with an expired cert, I'm not sure if there's anywhere to watch for that state-change.

Probably the best one could do out of the box is set an 8 hour session limit or so?
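One way to act on the expiry state the comment above says there is nothing to watch for, as an added example that is not code from either commenter: if the host (or a central job) holds a copy of each user's certificate, the validity window printed by `ssh-keygen -L` can be polled and a user's processes terminated once it has passed. The parsing helper here assumes the `Valid:` line format of `ssh-keygen -L` (local time, no zone), and the sample certificate listing is constructed, not taken from a real host.

```python
"""Terminate the sessions of users whose SSH certificate has expired."""
import re
import subprocess
from datetime import datetime

# Constructed sample of `ssh-keygen -L -f alice-cert.pub` for a certificate
# with an 8-hour validity window (not output from a real host).
SAMPLE_CERT_INFO = """\
alice-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:EXAMPLEFINGERPRINT
        Signing CA: ED25519 SHA256:EXAMPLECAFINGERPRINT (using ssh-ed25519)
        Key ID: "alice"
        Serial: 42
        Valid: from 2024-05-01T09:00:00 to 2024-05-01T17:00:00
        Principals:
                alice
"""


def parse_ts(text):
    """Parse a timestamp in the form ssh-keygen prints (no zone, local time)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def cert_expiry(info):
    """Return the valid_before time from an `ssh-keygen -L` listing, or None
    when the certificate never expires ("forever" / "after START")."""
    m = re.search(r"^\s*Valid:\s*(.*)$", info, re.M)
    if not m:
        raise ValueError("no 'Valid:' line in certificate listing")
    spec = m.group(1).strip()
    if spec == "forever" or spec.startswith("after "):
        return None
    # Both "before END" and "from START to END" end with the expiry timestamp.
    return parse_ts(spec.split()[-1])


def is_expired(info, now):
    """True once `now` has reached the certificate's valid_before time."""
    exp = cert_expiry(info)
    return exp is not None and now >= exp


def enforce(user, info, now, dry_run=True):
    """If the user's cert has expired, return their live PIDs (tmux, screen,
    shells, sshd children) and, unless dry_run, kill every process of theirs."""
    if not is_expired(info, now):
        return []
    out = subprocess.run(["pgrep", "-u", user], capture_output=True, text=True).stdout
    pids = [int(p) for p in out.split()]
    if not dry_run:
        subprocess.run(["pkill", "-KILL", "-u", user], check=False)
    return pids
```

Run `enforce("alice", SAMPLE_CERT_INFO, datetime.now(), dry_run=False)` from a short-interval cron or systemd timer; the same loop can also consult the CA's revocation list for the revoked-cert case mentioned above.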



