by seanp2k2 3297 days ago
This is one of many great reasons to rotate them regularly in an automated way, e.g. https://derpops.bike/2014/06/07/ssh-key-rotation-with-ansibl... or update it in your master image, or wherever it comes from, if doing immutable system images for deployments.

edit: also, use a bastion host which has the keys on it and don't allow them to be removed / used from laptops directly.


Let your Puppet/Ansible clear out all non-managed keys. If it's not in version control, you don't know who did what when. That's a nightmare as soon as you are more than two admins.

Also, the CA mode of OpenSSH is great. More people should use it. It's like PKI but sane.
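As an added example for both comments above (not code from either commenter or from the linked post), here is a small POSIX shell script that does the two things the thread recommends: report every key on a host that is not in the version-controlled managed set, so the "who added this and when" question has an answer before the next run installs the managed file over it, and issue a short-lived OpenSSH user certificate from a CA so hosts only ever trust the CA key. All key blobs, comments, user names and paths are invented for the demonstration, and the CA part assumes OpenSSH's `ssh-keygen` is installed.

```shell
#!/bin/sh
# Added example for this thread, not code from either commenter. It assumes a
# file of managed public keys kept in version control, an authorized_keys file
# pulled from a host, and OpenSSH's ssh-keygen for the CA part. All key blobs,
# comments, user names and paths below are made up for the demonstration.

# 1. Drift report: which keys on the host are NOT in the version-controlled set?
#    Keys are matched on "<type> <base64 blob>" only, never on the comment or on
#    the leading options, because both are free text that anyone can edit.
#    Lines that do not parse as a key are reported too; they deserve a look.
#    Reconciling is then just installing the managed file over the host copy,
#    which is what Ansible's authorized_key module does with exclusive: true.
report_unmanaged_keys() {
    managed="$1"   # one managed public key per line
    current="$2"   # authorized_keys as found on the host
    awk '
        # Find the key-type token and return it with the blob that follows it;
        # scanning for the type token copes with options such as command="a b".
        function blob(line,    n, f, i) {
            n = split(line, f, " ")
            for (i = 1; i < n; i++)
                if (f[i] ~ /^(sk-)?(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)?$/)
                    return f[i] " " f[i+1]
            return ""
        }
        NR == FNR { b = blob($0); if (b != "") managed[b] = 1; next }
        /^[ \t]*(#|$)/ { next }
        { b = blob($0); if (b == "" || !(b in managed)) print }
    ' "$managed" "$current"
}

# Constructed sample input (invented key blobs) so the report runs offline.
# Bob's host entry carries extra options and a changed comment but the same
# blob, so it is still managed; the contractor key is not in version control.
write_sample_files() {
    dir="$1"
    printf '%s\n' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMadeUpBlobForAliceXXXXXXXXXXXXXXXXXX alice@managed' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMadeUpBlobForBobXXXXXXXXXXXXXXXXXXXX bob@managed' \
        > "$dir/managed_keys"
    printf '%s\n' \
        '# installed by hand last year, nobody remembers why' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMadeUpBlobForAliceXXXXXXXXXXXXXXXXXX alice@managed' \
        'from="10.0.0.0/8",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMadeUpBlobForBobXXXXXXXXXXXXXXXXXXXX bob-desktop' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQMadeUpUnmanagedBlobXXXXXXXXXXXXXXX contractor@laptop' \
        > "$dir/authorized_keys"
}

# 2. OpenSSH CA mode: sign a user's key with a short validity and a principal
#    list. Hosts then need only the CA public key (TrustedUserCAKeys) plus a
#    per-account principals file, and expiry replaces hand-pruning of old keys.
issue_user_cert() {
    ca_key="$1"; user_pub="$2"; key_id="$3"; principals="$4"; validity="${5:-+8h}"
    ssh-keygen -q -s "$ca_key" -I "$key_id" -n "$principals" -V "$validity" "$user_pub"
    printf '%s\n' "${user_pub%.pub}-cert.pub"    # where ssh-keygen writes the cert
}

# sshd_config lines for the hosts (distribute them with the same Puppet/Ansible
# run that manages the keys; paths are assumptions for this example).
sshd_ca_config() {
    cat <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
}

# Demo run on the constructed sample, then the CA flow if ssh-keygen exists.
tmp=$(mktemp -d)
write_sample_files "$tmp"
echo "== keys on host that are not in version control =="
report_unmanaged_keys "$tmp/managed_keys" "$tmp/authorized_keys"

if command -v ssh-keygen >/dev/null 2>&1; then
    ssh-keygen -q -t ed25519 -N '' -C user_ca -f "$tmp/user_ca"
    ssh-keygen -q -t ed25519 -N '' -C alice@laptop -f "$tmp/alice"
    cert=$(issue_user_cert "$tmp/user_ca" "$tmp/alice.pub" "alice-$(date +%Y%m%d)" alice,ops +8h)
    echo "== certificate issued by the user CA =="
    ssh-keygen -L -f "$cert"
    echo "== sshd_config on every host =="
    sshd_ca_config
fi
rm -rf "$tmp"
```

With the sshd_config lines above, a login as account `deploy` succeeds only if the presented certificate is signed by the CA in `/etc/ssh/user_ca.pub`, is inside its validity window, and names a principal listed in `/etc/ssh/auth_principals/deploy` (for example `ops`), so access is granted to a role, not to a key file copied around laptops, and a certificate that has expired needs no cleanup on any host.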