On a side note... We've largely solved the "key distribution" problem by storing public SSH keys in LDAP. OpenSSH 6.6+ (I think) has a AuthorizedKeysCommand that can execute a script. We have a script that does an LDAP search to pull the public keys for the incoming user.
Quick glance through the code doesn't reveal any major risks, actually seems to be fairly well written. Author seems to like to write a lot of static methods/utility classes rather than rely on composition using dependency injection... not exactly a modern development style but it's good enough. Author avoids needless abuse of software patterns. It'd be pretty easy to do a security audit on this code base.
