SSH certs signed by your own central CA (Most people aren’t aware of it, but OpenSSH can use CA certs), I usually set things up for ansible that way, but, of course, it works just fine for actual users, too (Why no ansible, though? It’s an extremely lightweight option that simply reduces common mistakes).

How do y’all feel about FreeIPA? I deployed it a couple of times and I quite like it, but it’s not something you can whip up in an hour or two. The list of gotchas and “deployment considerations” all but guarantee you’ll have to reinstall the server at least a couple of times.

“Give everyone the same username and password” super fast, no need for account management