
Ditching the Shared Login - otterley
https://segment.com/blog/ditching-the-shared-user
======
otterley
Before anyone asks why we didn't use SSH certificate authentication, it's
because it doesn't provide for separate identifiable logins with respect to
the target. A certificate authority can be a choke point for access control,
but in every setup I've ever seen (e.g. Netflix BLESS) the access is still
granted to a shared user.

You can still audit this way, but it involves joining audit logs with login
logs; we found this less appealing than having the user's individual login ID
directly in the audit trail generated by auditd, sudo, etc.
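
The join described above, as an added example that is not part of the original comment: sshd's "Accepted publickey" line carries the certificate key ID, and the audit `USER_START` record from the same sshd pid carries the audit session (`ses`) that later records share. The shared account name `deploy`, the key IDs, and all log lines are constructed and simplified; matching on sshd pid alone is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Constructed, simplified sample logs; "deploy" is a hypothetical shared account.
SSHD_LOG = """\
Mar  3 10:00:01 web1 sshd[2201]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2: RSA-CERT SHA256:AAAA ID alice@example.com (serial 17) CA RSA SHA256:CCCC
Mar  3 10:05:42 web1 sshd[2350]: Accepted publickey for deploy from 192.0.2.11 port 50987 ssh2: RSA-CERT SHA256:BBBB ID bob@example.com (serial 18) CA RSA SHA256:CCCC
"""
AUDIT_LOG = """\
type=USER_START msg=audit(1709460001.100:501): pid=2201 uid=0 auid=1001 ses=41 msg='op=PAM:session_open acct="deploy" exe="/usr/sbin/sshd" res=success'
type=USER_START msg=audit(1709460342.200:530): pid=2350 uid=0 auid=1001 ses=42 msg='op=PAM:session_open acct="deploy" exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1709460050.300:510): arch=c000003e syscall=59 success=yes pid=2290 auid=1001 uid=0 ses=41 comm="systemctl" exe="/usr/bin/systemctl"
type=SYSCALL msg=audit(1709460400.400:540): arch=c000003e syscall=59 success=yes pid=2401 auid=1001 uid=0 ses=42 comm="cat" exe="/usr/bin/cat"
type=SYSCALL msg=audit(1709460500.500:550): arch=c000003e syscall=59 success=yes pid=2502 auid=1001 uid=0 ses=77 comm="id" exe="/usr/bin/id"
"""

ACCEPT = re.compile(r"sshd\[(\d+)\]: Accepted publickey for (\S+) .* ID (\S+) \(serial (\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def cert_ids_by_pid(sshd_log):
    """Map sshd pid -> certificate key ID taken from 'Accepted publickey' lines."""
    return {int(m[1]): m[3] for m in ACCEPT.finditer(sshd_log)}

def attribute(sshd_log, audit_log):
    """Return {key_id: [exe, ...]}; sessions with no matching login are 'unattributed'."""
    pid_to_id = cert_ids_by_pid(sshd_log)
    ses_to_id, result = {}, defaultdict(list)
    records = [dict(FIELD.findall(line)) for line in audit_log.splitlines()]
    # Pass 1: the PAM session_open record ties the sshd pid to an audit session.
    # A production join must also bound the match by time, since pids are reused.
    for r in records:
        if r.get("type") == "USER_START" and int(r["pid"]) in pid_to_id:
            ses_to_id[r["ses"]] = pid_to_id[int(r["pid"])]
    # Pass 2: every exec record shows auid=1001 (the shared user); only ses tells people apart.
    for r in records:
        if r.get("type") == "SYSCALL":
            who = ses_to_id.get(r["ses"], "unattributed")
            result[who].append(r["exe"].strip('"'))
    return dict(result)

if __name__ == "__main__":
    for who, exes in attribute(SSHD_LOG, AUDIT_LOG).items():
        print(who, exes)
```

Every audit record here carries the same `auid`, so the person's identity exists only in the sshd log and has to be carried across by the join.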

