Using 2FA is all well and good but what I haven't found is a good solution for managing ssh keys for an organization/group. Would love to get some recommendations here.
I tend to store authorized ssh public keys in a database then configure all servers with the appropriate AuthorizedKeysCommand in sshd_config to fetch them on the fly.
I also tend to include some form of caching in case the connection to the database is broken.
With this I can maintain keys for an entire cluster centrally.
This is all in place with open source configuration and tooling on https://hashbang.sh (https://github.com/hashbang). It is implemented with LDAP+sssd there. Feel free to pop in as we love discussing this stuff.
We have done similar with etcd as the backing database at my employer.
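An added example, not hashbang's tooling or the commenter's code: a minimal AuthorizedKeysCommand script in the pattern described above (central backend plus an on-disk cache that is only trusted when the backend is unreachable, not when it says the user is gone). The install path, the `sshkeys` service account and the file-based stand-in for the database are assumptions.

```shell
#!/bin/sh
# AuthorizedKeysCommand wrapper (assumed path /usr/local/bin/fetch-keys; sshd_config:
#   AuthorizedKeysCommand /usr/local/bin/fetch-keys %u
#   AuthorizedKeysCommandUser sshkeys            <- unprivileged account, an assumption)
# Serves keys from a central backend and keeps a per-user on-disk cache for when the
# backend is unreachable, while still revoking users the backend says no longer exist.
CACHE_DIR="${CACHE_DIR:-/var/cache/sshkeys}"
KEY_BACKEND_DIR="${KEY_BACKEND_DIR:-/var/lib/sshkeys-backend}"

# fetch_backend USER: print USER's keys. Exit 0 = found, 2 = user unknown, 1 = backend
# down. Constructed stand-in that reads files from KEY_BACKEND_DIR; a real deployment
# would query LDAP/etcd/HTTP here and map its errors onto the same three exit codes.
fetch_backend() {
    [ -d "$KEY_BACKEND_DIR" ] || return 1
    [ -f "$KEY_BACKEND_DIR/$1" ] || return 2
    cat "$KEY_BACKEND_DIR/$1"
}

# Only plain user names: sshd passes %u unchanged, so never let it become a path.
valid_user() {
    case "$1" in ''|.*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Keep only lines that look like bare OpenSSH public keys (drop comments, junk, options).
filter_keys() {
    awk '/^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com) [A-Za-z0-9+\/=]+/'
}

authorized_keys() {
    user="$1"
    valid_user "$user" || return 1
    cache="$CACHE_DIR/$user"
    mkdir -p "$CACHE_DIR"
    keys=$(fetch_backend "$user") && rc=0 || rc=$?
    case $rc in
        0) # backend answered: rewrite the cache atomically, then serve it
           printf '%s\n' "$keys" | filter_keys > "$cache.tmp" && mv -f "$cache.tmp" "$cache" ;;
        2) rm -f "$cache"; return 1 ;;      # user removed centrally: purge cache, deny
        *) [ -r "$cache" ] || return 1 ;;   # backend down: fall back to cached keys if any
    esac
    cat "$cache"
}

case "${1:-}" in
    '') ;;                      # no user argument (e.g. sourced for testing): do nothing
    *)  authorized_keys "$1" ;;
esac
```

Note that sshd denies the login when the command exits non-zero or prints nothing, so "backend down and no cache" and "user deleted centrally" both fail closed.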