[unixhero]

Thanks a lot, great hardening considerations.

It would be interesting to hear what you think of Keykloak.

[LinuxBender]

Sorry I have never used it so I don't have an opinion. That looks like an oauth/openid/saml ssh integration?

[unixhero]

Yes and I have met it once when at a huge Telco, while doing my bastion host in AWS a security architect installed this and used Keycloak as the policy engine to allow connections using SSH keys. It worked really well and also gave us a very strong granular control on who could connect, and a great audit trail.