[dmuth]

Using CAs and signed certificates in SSH is definitely the way.

If anyone wants to play around with that, without the risk of locking themselves out of a server, I built a little "playground" awhile back whihc is a series of Docker containers that can SSH to each other. Give it a try at https://github.com/dmuth/ssh-principal-and-ca-playground

(I haven't touched the project in awhile, so if there are any issues, please open an Issue and I'll gladly look at it!)