by jamescun 3639 days ago
Generally this should be managed by configuration management (Chef, Puppet et al), which makes key additions and revocations trivial.

Additionally OpenSSH supports CA signing of public keys with user metadata, which I've found to pair nicely with LDAP.

3 comments

Yeah... coming at this from the standpoint of a heavily invested Saltstack user, I really don't see the reason for this to exist. It removes all the other cool things SSH does besides just giving you a shell, with a much, much worse user experience.
OpenSSH now also supports external authorized_keys handling via AuthorizedKeysCommand, and thus simple integration with LDAP:

https://github.com/AndriiGrytsenko/openssh-ldap-publickey

Can you elaborate on the CA signing with OpenSSH? You have a CA verify keys with metadata and then use LDAP to verify that metadata? It sounds very interesting.
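The following is an added example, not code from any of the commenters above. It shows what the "CA signing of public keys with user metadata" in jamescun's comment and the AuthorizedKeysCommand/AuthorizedPrincipalsCommand LDAP integration amount to on the wire: it builds an OpenSSH ed25519 user certificate in the PROTOCOL.certkeys format, parses it back to recover the metadata (key ID, principals, validity window, critical options, extensions), and then applies the checks sshd performs when the certificate's principals are compared against what the directory returns for the login user. Assumptions: the CA and user keys are constructed placeholder bytes, the signature is a constructed placeholder (real signature verification is sshd's job and needs the CA's private key to produce), and a plain dict stands in for the LDAP lookup.

```python
"""Build and parse an OpenSSH ed25519 user certificate (PROTOCOL.certkeys),
then emulate sshd's principal and validity checks under TrustedUserCAKeys +
AuthorizedPrincipalsCommand.  Added example; keys and signature are
constructed placeholders, and the directory dict stands in for LDAP."""
import os
import struct

CERT_TYPE_USER = 1
ED25519_CERT = b"ssh-ed25519-cert-v01@openssh.com"


def _string(b):           # SSH "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b


def _pack_names(names):   # valid principals: concatenated SSH strings
    return b"".join(_string(n.encode()) for n in names)


def _pack_options(opts):  # name -> value; flag options carry empty data
    out = b""
    for name in sorted(opts):          # sshd requires lexical order
        data = _string(opts[name].encode()) if opts[name] else b""
        out += _string(name.encode()) + _string(data)
    return out


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def _take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack(">I", self._take(4))[0]

    def u64(self):
        return struct.unpack(">Q", self._take(8))[0]

    def string(self):
        return self._take(self.u32())

    def at_end(self):
        return self.pos == len(self.data)


def _unpack_names(blob):
    r, out = _Reader(blob), []
    while not r.at_end():
        out.append(r.string().decode())
    return out


def _unpack_options(blob):
    r, out = _Reader(blob), {}
    while not r.at_end():
        name, data = r.string().decode(), r.string()
        out[name] = _Reader(data).string().decode() if data else ""
    return out


def build_user_cert(pubkey, serial, key_id, principals, valid_after,
                    valid_before, extensions, ca_pubkey,
                    critical_options=None, signature=b"\x00" * 64):
    """Serialise a user certificate.  A real CA signs `body`; the default
    signature here is a constructed placeholder that sshd would reject."""
    body = (_string(ED25519_CERT) + _string(os.urandom(32)) + _string(pubkey)
            + struct.pack(">QI", serial, CERT_TYPE_USER)
            + _string(key_id.encode())
            + _string(_pack_names(principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _string(_pack_options(critical_options or {}))
            + _string(_pack_options(extensions))
            + _string(b"")                                   # reserved
            + _string(ca_pubkey))
    return body + _string(_string(b"ssh-ed25519") + _string(signature))


def parse_cert(blob):
    r = _Reader(blob)
    if r.string() != ED25519_CERT:
        raise ValueError("not an ssh-ed25519 certificate")
    cert = {"nonce": r.string(), "pubkey": r.string(), "serial": r.u64(),
            "type": r.u32(), "key_id": r.string().decode(),
            "principals": _unpack_names(r.string()),
            "valid_after": r.u64(), "valid_before": r.u64(),
            "critical_options": _unpack_options(r.string()),
            "extensions": _unpack_options(r.string())}
    r.string()                                               # reserved
    cert["ca_key"], cert["signature"] = r.string(), r.string()
    if not r.at_end():
        raise ValueError("trailing data after signature")
    return cert


def authorize(cert, login_user, directory, now, trusted_ca):
    """Mirror sshd's decision: user cert, issued by the trusted CA, inside
    the validity window, and one cert principal is among the principals the
    directory maps to login_user (what an AuthorizedPrincipalsCommand backed
    by LDAP would print).  Signature verification is left to sshd."""
    if cert["type"] != CERT_TYPE_USER:
        return False, "not a user certificate"
    if cert["ca_key"] != trusted_ca:
        return False, "certificate not issued by a trusted CA"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False, "certificate outside validity window"
    matched = sorted(set(directory.get(login_user, ())) & set(cert["principals"]))
    if not matched:
        return False, "no certificate principal matches " + login_user
    return True, matched[0]


# Constructed sample data (placeholder keys, dict standing in for LDAP).
CA_PUBKEY, USER_PUBKEY = b"\x11" * 32, b"\x22" * 32
ISSUED_AT = 1_700_000_000
DIRECTORY = {"alice": ["alice", "deploy"], "bob": ["bob"]}
SAMPLE_CERT = build_user_cert(
    USER_PUBKEY, serial=42, key_id="alice@laptop",
    principals=["alice", "deploy"],
    valid_after=ISSUED_AT, valid_before=ISSUED_AT + 8 * 3600,
    extensions={"permit-pty": "", "permit-agent-forwarding": ""},
    ca_pubkey=CA_PUBKEY, critical_options={"source-address": "10.0.0.0/8"})
```

With real keys the equivalent of `build_user_cert` is `ssh-keygen -s ca_key -I alice@laptop -n alice,deploy -V +8h -O source-address=10.0.0.0/8 id_ed25519.pub`, and the equivalent of `authorize` is sshd with `TrustedUserCAKeys` pointing at the CA public key plus an `AuthorizedPrincipalsCommand` that prints, one per line, the principals LDAP associates with the login user. Revocation then happens at the CA (short validity, `RevokedKeys`) rather than by editing authorized_keys on every host.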