An alternative (but also imperfect) solution that I've relied on in the past is using certificate-based authentication:
This still requires the generation of certificates for users, but it doesn't require updating the key material on the servers themselves. Having short-lived user certificates then gives the admin an easy way to revoke access to a server without changing any keys there, by simply not issuing a new certificate to the user (and in urgent cases also revoking the certificate before it expires, which does require intervention on the server).
I really hope that OpenSSH keeps improving their (still largely incomplete) PKI implementation, as I think it's a great feature for larger organizations.
They apply BeyondCorp style management for both server and web access.
There is also Teleport by Gravitational: https://gravitational.com/teleport/
Along with something like Packer to bake the cert right into the image.
With our API, some customers are creating dynamic access rules (for example, an on-caller might have 'sudo' during their on-call week, but not at other times).
Like a hosted FreeIPA, but more powerful.
Now of course this is both a trust and an escalated privilege issue. But a lot harder (impossible) with keys.
As an example already put together: https://github.com/jirutka/ssh-ldap-pubkey
With Ansible, one can put the SSH keys into a .yml file in a format that is very similar to the examples in the OP, then the authorized_key module can be used to ensure that the key is present (or absent) on the remote servers. It's really, really trivial.
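As an added example (not the commenter's own code), this is what that setup looks like in an Ansible playbook: the key list lives in the playbook's vars, and the `authorized_key` module's `exclusive` option removes any key that is no longer listed, so a key dropped from the file is revoked on the next run. User names, key blobs, the `from=` network and the `/home` path are constructed placeholders.

```yaml
# Added example (not from the thread): one playbook that pushes the keys
# listed in vars and removes any key that is no longer listed.
# User names, key blobs and the from= network are constructed placeholders.
- name: Manage SSH authorized keys from a single source of truth
  hosts: all
  become: true
  vars:
    ssh_users:
      - name: alice
        state: present
        pubkeys:
          - "ssh-ed25519 AAAA...PLACEHOLDER_ALICE_LAPTOP alice@laptop"
          - "ssh-ed25519 AAAA...PLACEHOLDER_ALICE_TOKEN alice@token"
      - name: bob
        state: present
        # Automation account: pin the source network and forbid interactive use.
        pubkeys:
          - "ssh-ed25519 AAAA...PLACEHOLDER_BOB_DEPLOY bob@deploy"
        options: 'from="10.0.0.0/8",no-pty,no-agent-forwarding,no-port-forwarding'
      - name: carol
        state: absent          # left the team: remove the whole file
  tasks:
    - name: Ensure listed keys are present and unlisted keys are removed
      ansible.posix.authorized_key:
        user: "{{ item.name }}"
        state: present
        # exclusive removes every key not in this string, so all of a
        # user's keys must be passed in one call, newline separated.
        exclusive: true
        key: '{{ item.pubkeys | join("\n") }}'
        key_options: "{{ item.options | default(omit) }}"
      loop: "{{ ssh_users | selectattr('state', 'equalto', 'present') | list }}"
      loop_control:
        label: "{{ item.name }}"

    - name: Remove authorized_keys for departed users (assumes /home layout)
      ansible.builtin.file:
        path: "/home/{{ item.name }}/.ssh/authorized_keys"
        state: absent
      loop: "{{ ssh_users | selectattr('state', 'equalto', 'absent') | list }}"
      loop_control:
        label: "{{ item.name }}"
```

Without `exclusive: true` the module only adds what it is given, so keys removed from the vars file would silently stay on the servers.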
Maybe the difference is that you can paste the SSH key into the CLI instead of a file... hm.
Distributing accounts and SSH keys via any configuration management system is clunky by comparison, and scales badly when you get to many hundreds of users and thousands of servers.
Ansible is perfect for deploying SSH keys.
If you're in AWS, you can also look at Bless, which is Lambda-hosted and mints short-lived certificates with a command-line client:
This does not work for interactive terminal use cases, but does work (in my experience) if you’re targeting immutable instances. It also has the lovely side effect that you can create scheduled tasks within the AWS control plane (if that’s your cup of tea).
Example SSM client: https://github.com/itsdalmo/ssm-sh
Disclaimer: I’m implementing this in a large enterprise environment.
Therefore it wouldn't surprise me if this scene is most popular with Germans and other nationalities only regard it as a funny, exaggerated sequence, whereas for Germans it hits close to home.
Permit A38 refers to a scene where the protagonists are referred multiple times within an overly bureaucratic Roman administrative office, so it has become sort of synonymous with a Sisyphean task in the German language (at least in limited circles).