I'd like to allow user 'devel' to login to any other server using public keys as user 'devel'. This user is not a human, but a scripting-only account. How can I accomplish this? Is Puppet the right way? How does each source server receive the necessary key material? I am very aware of how private and public keys are used for SSH authentication and the degree of confidentiality that goes with private keys.
Assume there are 100 servers, and private & public keys need to be changed every 90 days.
This looks like a possible use case for HashiCorp's Vault.
The SSH Backend allows two modes of operation:
one-time passwords, which require installing a helper component on each server that verifies users with Vault; beforehand, clients query Vault through an API, and a new password is issued for every access
dynamic key, basically a proxy (in the sense of doing work for you) server generating key pairs, issuing private keys to clients and installing public ones on servers; with this method you need to distribute Vault's "permanent" SSH key to servers, but then you can set the expiration for keys issued to clients, and when a key pair expires, Vault removes the corresponding public key from servers
Either method can be automated for scripts. They would still need to authenticate with Vault, but you have a single point of control.
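To make the dynamic-key mode concrete from the target server's point of view, here is an added example (not Vault's own code, and not part of the original answer) that models what ends up in `~devel/.ssh/authorized_keys`: Vault logs in with its permanent admin key, appends the freshly generated public key for the client, and later removes it when the lease expires. The example assumes two things that are not on the page: that the lease identifier is recorded in the key's comment field as `vault-lease=...`, and that the target sshd is OpenSSH 7.7 or later, so the `expiry-time=` authorized_keys option can be used as a second line of defence that makes sshd refuse the key after the lease end even if the removal step never runs. All key blobs below are constructed placeholders, not real keys.

```python
"""Server-side model of Vault's dynamic-key SSH mode: install a lease-bound
public key into authorized_keys and prune keys whose lease has expired.
Added illustration only; this is not HashiCorp Vault code."""
from __future__ import annotations

import datetime as dt
from typing import List, Optional, Tuple

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
LEASE_TAG = "vault-lease="          # assumed convention for the comment field
STAMP_FMT = "%Y%m%d%H%M%SZ"         # OpenSSH expiry-time format, UTC

# Constructed sample data: Vault's permanent admin key plus one stale lease.
SAMPLE_AUTHORIZED_KEYS = """\
# managed by vault
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdminKeyConstructed0000000000000 vault-admin@example
expiry-time="20240101000000Z" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOldLeaseKeyConstructed000000000 vault-lease=ssh/creds/devel/old
"""
SAMPLE_NEW_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINewLeaseKeyConstructed000000000 devel"
NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)   # constructed "current time"


def _split_first(field: str) -> Tuple[str, str]:
    """Split off the first whitespace-delimited token, honouring double quotes
    (authorized_keys options such as from="a b" may contain spaces)."""
    in_quote = False
    for i, ch in enumerate(field):
        if ch == '"':
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return field[:i], field[i:].lstrip()
    return field, ""


def parse_line(line: str) -> Optional[dict]:
    """Parse one authorized_keys line into options/type/blob/comment.
    Returns None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = _split_first(line)
    options = ""
    if first not in KEY_TYPES:          # leading field is an options list
        options, first_rest = first, rest
        first, rest = _split_first(first_rest)
    if first not in KEY_TYPES:
        raise ValueError(f"unrecognised key line: {line!r}")
    blob, comment = _split_first(rest)
    return {"options": options, "type": first, "blob": blob, "comment": comment}


def _expiry_of(entry: dict) -> Optional[dt.datetime]:
    """Return the expiry-time option as an aware UTC datetime, if present.
    Only called on lines this tool wrote, whose options contain no quoted commas."""
    for opt in entry["options"].split(","):
        if opt.startswith('expiry-time="') and opt.endswith('"'):
            stamp = opt[len('expiry-time="'):-1]
            return dt.datetime.strptime(stamp, STAMP_FMT).replace(tzinfo=dt.timezone.utc)
    return None


def install_key(authorized: str, pubkey: str, lease_id: str,
                expires: dt.datetime) -> str:
    """Append a Vault-issued public key bound to a lease. Re-installing the
    same key blob replaces the old line instead of duplicating it."""
    entry = parse_line(pubkey)
    if entry is None:
        raise ValueError("not a public key line")
    stamp = expires.astimezone(dt.timezone.utc).strftime(STAMP_FMT)
    new_line = f'expiry-time="{stamp}" {entry["type"]} {entry["blob"]} {LEASE_TAG}{lease_id}'
    kept = [l for l in authorized.splitlines()
            if (parse_line(l) or {}).get("blob") != entry["blob"]]
    kept.append(new_line)
    return "\n".join(kept) + "\n"


def prune_expired(authorized: str, now: dt.datetime) -> Tuple[str, List[str]]:
    """Drop lease-tagged keys whose expiry has passed; return (new file,
    removed lease ids). Untagged lines, including Vault's own admin key,
    are never touched."""
    kept, removed = [], []
    for line in authorized.splitlines():
        entry = parse_line(line)
        if entry and entry["comment"].startswith(LEASE_TAG):
            exp = _expiry_of(entry)
            if exp is not None and exp <= now:
                removed.append(entry["comment"][len(LEASE_TAG):])
                continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


def rotate(now: dt.datetime, ttl: dt.timedelta = dt.timedelta(days=90)) -> Tuple[str, List[str]]:
    """One rotation cycle on the sample file: install a new 90-day key for
    'devel', then remove whatever has expired as of `now`."""
    content = install_key(SAMPLE_AUTHORIZED_KEYS, SAMPLE_NEW_KEY,
                          "ssh/creds/devel/new", now + ttl)
    return prune_expired(content, now)


if __name__ == "__main__":
    new_file, gone = rotate(NOW)
    print(new_file)
    print("removed leases:", gone)
```

With Vault doing the work, the install and prune steps happen over SSH from Vault using its admin key, so the 100 servers only ever need that one key distributed to them (by Puppet or any other config management); the per-client key pairs never need to be pushed out. Note that HashiCorp has since deprecated the dynamic key type in favour of the SSH certificate (CA) mode of the same secrets engine, where the servers trust a CA public key instead of receiving individual keys at all, which removes the per-server install/remove step entirely.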