It would be very useful to be able to share just the public key of an SSH key pair to a collection, while keeping the private key in your private vault.
This would enable us to:
- Automate deployment of public keys from the collection (using Ansible, for example)
- Let users manage their own keys, and reuse the same keys for non-automated systems
- Simplify key management for less technical users (using the built-in key generation)
- Keep machine accounts (Ansible, etc.) from being able to see private keys
- …all while using the SSH Agent on the user side
- …and not needing any manual extra procedures
Our option is to set up a CA, but we would prefer not to at this moment. We also have quite a variety of systems, in a lot of different environments, so we still need SSH keys at the end of the day anyway.
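As an added example (not from the original post, and not any vault product's own tooling): a Python check for the consumer side of that design. It takes an exported collection (the `{"items": [{"name", "publicKey"}]}` schema is an assumption), accepts only well-formed OpenSSH public keys, rejects any item that carries private key material, and emits `authorized_keys` lines that an Ansible-style deployment could push out.

```python
import base64
import json
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}


def encode_pubkey(keytype: str, key_material: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line (SSH wire format: length-prefixed strings); sample data only."""
    blob = struct.pack(">I", len(keytype)) + keytype.encode() + struct.pack(">I", len(key_material)) + key_material
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey(line: str) -> str:
    """Return the key type if `line` is a well-formed OpenSSH public key, else raise ValueError."""
    fields = line.strip().split()
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        raise ValueError("expected '<allowed-type> <base64> [comment]'")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError("key blob is not valid base64") from exc
    # The type string embedded in the blob must match the declared type.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != fields[0].encode():
        raise ValueError("key type in blob does not match declared type")
    return fields[0]


def authorized_keys_from_export(export_json: str):
    """Split shared items into accepted authorized_keys lines and (name, reason) rejections."""
    accepted, rejected = [], []
    for item in json.loads(export_json)["items"]:
        name, value = item.get("name", "?"), item.get("publicKey", "")
        if "PRIVATE KEY" in value:  # private material must never reach a host from a shared collection
            rejected.append((name, "private key material found in shared item"))
            continue
        try:
            parse_pubkey(value)
        except ValueError as exc:
            rejected.append((name, str(exc)))
            continue
        accepted.append(value.strip())
    return accepted, rejected


# Constructed sample export; the item schema is an assumption, not a real vault format.
SAMPLE_EXPORT = json.dumps({"items": [
    {"name": "alice", "publicKey": encode_pubkey("ssh-ed25519", b"\x01" * 32, "alice@laptop")},
    {"name": "bob", "publicKey": "-----BEGIN OPENSSH PRIVATE KEY-----\n...\n-----END OPENSSH PRIVATE KEY-----"},
    {"name": "carol", "publicKey": "ssh-ed25519 not-base64!! carol"},
]})
```

Running `authorized_keys_from_export(SAMPLE_EXPORT)` yields one accepted line (alice) and two rejections (bob for private key material, carol for an invalid blob); rejections are worth alerting on, since they mean someone put the wrong thing in the shared collection.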