HACKER Q&A
📣 rjst01

How does your organisation manage employee SSH keys?


I've seen a variety of approaches, ranging from

* manually deployed by an infra team in response to JIRA tickets

* checked into a repo and deployed with saltstack, along with a cronjob to sync with G-Suite so that keys would be automatically removed when people left

* SSO integration through AWS systems manager

What have you seen tried? What worked well, what didn't?


  👤 mmh0000 Accepted Answer ✓
FreeIPA[1] (or Red Hat IdM if you like to pay for things) is what I've always used to solve this problem. IPA can set up cross-realm trusts with Microsoft AD.

So whether you're a Linux shop or a Windows shop, you get a single interface where disabling a user account disables the user's keys.

[1] https://www.freeipa.org/page/Main_Page
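The two patterns that recur in this thread (the question's "sync from the directory and drop keys when people leave" cronjob, and the answer's "disabling the account disables the keys") can both be shown in a few lines. The following is an added example, not code from the original thread or from FreeIPA: a small `AuthorizedKeysCommand`-style lookup that serves a user's public keys only while the directory marks the account as enabled, plus a reconciliation routine that rebuilds a host's `authorized_keys` from that same directory. The directory contents, the key material and the `directory_keys.py` path in the sshd comment are all constructed for illustration.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): serve SSH public keys from a central
directory, so that disabling the account is the revocation step.

sshd would call the lookup with the login name (assumed wiring, not from the
page):
    AuthorizedKeysCommand /usr/local/bin/directory_keys.py %u
    AuthorizedKeysCommandUser nobody
DIRECTORY below is a constructed stand-in for what FreeIPA, G-Suite or AD
would return; in production it is a live query, not a literal.
"""
import sys
from typing import Dict, List, Tuple

# Constructed sample directory export. The key blobs are placeholders, not
# real key material.
DIRECTORY: Dict[str, dict] = {
    "alice": {
        "enabled": True,
        "keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYALICE alice@laptop"],
    },
    "bob": {
        "enabled": False,  # left the company; account disabled centrally
        "keys": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEYBOB bob@desktop"],
    },
}

# Constructed authorized_keys file as found on a host before the sync runs:
# one key per user above plus one key nobody registered in the directory.
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYALICE alice@laptop\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEYBOB bob@desktop\n"
    "ssh-rsa AAAAUNMANAGEDKEYBLOB rogue@nowhere\n"
)

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _parse_key_line(line: str):
    """Return (type, blob, comment) for a well-formed key line, else None."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        return None
    comment = parts[2] if len(parts) > 2 else ""
    return parts[0], parts[1], comment


def authorized_keys_for(username: str, directory: Dict[str, dict] = DIRECTORY) -> List[str]:
    """Lines sshd should accept for `username`.

    Unknown or disabled accounts get an empty list, which is what makes
    'disable the account' equivalent to 'revoke every key' with no per-host
    change. Malformed entries are skipped rather than passed through.
    """
    entry = directory.get(username)
    if entry is None or not entry.get("enabled", False):
        return []
    lines = []
    for key in entry.get("keys", []):
        parsed = _parse_key_line(key)
        if parsed is not None:
            lines.append(" ".join(p for p in parsed if p))
    return lines


def reconcile_authorized_keys(existing: str, directory: Dict[str, dict] = DIRECTORY) -> Tuple[str, List[str]]:
    """Rebuild a file-based authorized_keys from the directory (the cronjob case).

    Keeps only keys registered to enabled accounts; returns the new file text
    and the lines that were dropped (disabled owners and unmanaged keys), so
    the sync job can log every removal.
    """
    allowed = set()
    for user in directory:
        for line in authorized_keys_for(user, directory):
            typ, blob, _ = _parse_key_line(line)
            allowed.add((typ, blob))
    kept, removed = [], []
    for raw in existing.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = _parse_key_line(line)
        if parsed is not None and (parsed[0], parsed[1]) in allowed:
            kept.append(line)
        else:
            removed.append(line)
    return "".join(k + "\n" for k in kept), removed


if __name__ == "__main__":
    # Invoked by sshd as AuthorizedKeysCommand: print the keys for argv[1].
    user = sys.argv[1] if len(sys.argv) > 1 else ""
    sys.stdout.write("".join(k + "\n" for k in authorized_keys_for(user)))
```

The lookup path is the one worth preferring where the directory is reachable from every host: no key ever lands on disk, so there is nothing to clean up when someone leaves. The reconciliation path exists for hosts that must keep a file, and its removed-lines list is the audit trail that the cronjob approach in the question otherwise lacks.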