by druiid 2621 days ago
If you're using a Vault system, it's also relatively easy and well documented to use Vault for this process. There are two components, the first of which is the OTP configuration of Vault itself:

https://www.vaultproject.io/docs/secrets/ssh/one-time-ssh-pa...

You also have to configure the servers to support Vault, using their PAM integration:

https://github.com/hashicorp/vault-ssh-helper