I’m about a week away from deploying a Business Unit to AWS and I’ve been puzzling over this problem for a while. I’ll lay it out for you.
We have about 20 people who will need varying levels of access to different systems. I don’t want to allow them to share keys, but I also don’t want to have to manually add pubkeys to authorized_keys.
Ideally, a solution would exist where there’s some sort of PAM that authenticates the user’s key against an external key management server.
Part of the problem is that this deployment will quickly scale up to 5000 instances and that’s going to be impossible to manage manually.
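The lookup the question asks for (sshd checking the offered key against an external key store instead of a local authorized_keys file) already has a hook in OpenSSH: the AuthorizedKeysCommand directive, which runs before PAM is involved, so no PAM module is needed for the key step. The script below is an added example written for this page, not code from the original poster or from any project named here. It stands in for the "key management server" with a constructed in-script table so it runs offline; the script path, the AuthorizedKeysCommandUser choice, the allowed key types, and the placeholder keys are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: an OpenSSH
# AuthorizedKeysCommand helper. With the directives below in sshd_config,
# sshd stops reading ~/.ssh/authorized_keys and instead runs this script,
# taking whatever public keys it prints on stdout as the authorized set
# (a non-zero exit or empty output means "no keys", so the login fails).
#
#   AuthorizedKeysCommand /usr/local/bin/fetch-keys.sh %u %f
#   AuthorizedKeysCommandUser nobody
#   AuthorizedKeysFile none
#
# %u is the login name, %f the fingerprint of the key the client offered.
# The script path and the AuthorizedKeysCommandUser are assumptions.
#
# The "key management server" here is a constructed in-script table so the
# example runs offline; a real deployment replaces lookup_keys() with a query
# to the central directory (LDAP/FreeIPA, an HTTPS key service, etc.).

# Constructed sample directory: "<user> <key type> <base64> <comment>".
# The base64 blobs are placeholders, not real keys.
KEYDB='alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERALICE1 alice@laptop
alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERALICE2 alice@desktop
bob ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBOB bob@laptop
carol ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDERCAROL carol@old-box'

# Key types the fleet accepts (assumed policy). Anything else, e.g. ssh-dss,
# is dropped before it reaches sshd, so a stale directory entry cannot
# re-enable a key type the fleet has retired.
ALLOWED_TYPES='ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa'

# valid_username NAME: accept only a conservative POSIX-style login name.
# NAME is attacker-controlled (the SSH client sends it), and a real backend
# would interpolate it into an LDAP filter or URL, so reject anything odd.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9._-]*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# lookup_keys USER: raw directory query. Prints "<type> <base64> <comment>"
# lines for USER. Replace this function to talk to the real key server.
lookup_keys() {
    printf '%s\n' "$KEYDB" | awk -v u="$1" '$1 == u { sub(/^[^ ]+ /, ""); print }'
}

# fetch_keys USER [FINGERPRINT]: the entry point sshd calls. Validates the
# name, queries the directory, and keeps only keys of an allowed type.
# The fingerprint is not needed for the lookup; it is here because a real
# deployment would log it (e.g. with logger) to record which key was offered.
fetch_keys() {
    user=$1
    fp=${2:-unknown}
    valid_username "$user" || { echo "fetch-keys: bad username" >&2; return 1; }
    # Production logging would go here, e.g.: logger -t fetch-keys "$user $fp"
    lookup_keys "$user" | awk -v allowed="$ALLOWED_TYPES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        ($1 in ok) && NF >= 2 { print }
    '
}

# Stand-alone use: sh fetch-keys.sh alice SHA256:...
if [ "$#" -gt 0 ]; then
    fetch_keys "$@"
fi
```

sshd refuses to run an AuthorizedKeysCommand unless the script is owned by root and not writable by group or others, so install it with root ownership and mode 0755. Because the lookup happens at every login, revoking a key in the central store takes effect on the next connection attempt across all instances, which is the property the question is after; the trade-off is that if the key server is unreachable the script returns no keys and logins fail, so a real version should cache the last good answer or fall back to a break-glass key.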
As suggested, Ansible is really awesome for basic SSH key management; a big pro for me is the ease of disaster recovery. I've run solutions like Samba AD before and, while it was generally rock solid, rebuilding from scratch was always somewhat of a hassle. If it were only a medium-sized deployment, going the Ansible way would probably be great, but in your case having a true identity management solution like FreeIPA available might be better.
I've also been keeping an eye on solutions like Aker, but at the moment I would not describe it as production-ready, though it might be great for future integration with FreeIPA.