Ask HN: How does your organisation manage employee SSH keys?

2 points by rjst01 ↗ HN
I've seen a variety of approaches, ranging from

* manually deployed by an infra team in response to JIRA tickets

* checked into a repo and deployed with saltstack, along with a cronjob to sync with G-Suite so that keys would be automatically removed when people left

* SSO integration through AWS systems manager

What have you seen tried? What worked well, what didn't?

1 comment

[ 3.0 ms ] story [ 12.7 ms ] thread
FreeIPA[1] (or Red Hat IdM if you like to pay for things) is what I've always used to solve this problem. IPA can setup cross-realm trusts with Microsoft AD.

So weather you're a Linux shop or a Windows shop, you get a single interface where disabling a user account disables the users keys.

[1] https://www.freeipa.org/page/Main_Page