Shared credentials may be restricted by most information security policies, but they are still necessary for specific use cases in most organizations. Not only is sharing passwords or keys risky, but you also lose valuable auditing and forensic information on the destination should anything go awry: activity can only be tied back to the shared user ID.
In Smallstep SSH Pro you can eliminate half the problem by adding principals to a group in the admin UI. This lets you:
- Control which USERS have access to the machine
- Enforce user login via IDP
- Allow staff to log in as different users if needed (e.g. a shared deploy user)
- No sharing of keys/passwords needed
- No rotating keys when someone leaves, just remove their access in the IDP
Navigate to the Group section of SSH Pro administration.
Note that the summary screen has a section for Principals.
At the right, choose to edit the group.
At the bottom of the screen is the section for adding a comma-separated list of principals.
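
When a user logs in to a shared account with an SSH certificate, OpenSSH's sshd records the certificate's key ID and serial in the "Accepted publickey" log line, which is what lets activity on a shared deploy user be tied back to a person. The following is an added example, not code from the original page or from Smallstep; the log lines are constructed, and the key ID holding the user's IdP email is an assumption about how the certificates are issued.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from a real host). Assumption: the
# certificate key ID carries the user's IdP email address.
SAMPLE_LOG = """\
Mar  3 09:14:02 web01 sshd[2211]: Accepted publickey for deploy from 10.0.4.17 port 50122 ssh2: ECDSA-CERT SHA256:AAAAexampleFingerprint1 ID alice@example.com (serial 7781) CA ECDSA SHA256:BBBBexampleCAFingerprint
Mar  3 09:20:45 web01 sshd[2260]: Accepted publickey for deploy from 10.0.4.23 port 50310 ssh2: ECDSA-CERT SHA256:AAAAexampleFingerprint2 ID bob@example.com (serial 7790) CA ECDSA SHA256:BBBBexampleCAFingerprint
Mar  3 09:31:10 web01 sshd[2302]: Accepted publickey for deploy from 10.0.9.50 port 41888 ssh2: RSA SHA256:CCCCexampleFingerprint3
Mar  3 09:40:00 web01 sshd[2340]: Accepted publickey for alice from 10.0.4.17 port 50200 ssh2: ECDSA-CERT SHA256:AAAAexampleFingerprint1 ID alice@example.com (serial 7781) CA ECDSA SHA256:BBBBexampleCAFingerprint
"""

# The "ID ... (serial N) CA ..." suffix is only present for certificate logins.
ACCEPTED = re.compile(
    r"Accepted publickey for (?P<account>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)"
    r"(?: ID (?P<key_id>.+?) \(serial (?P<serial>\d+)\) CA \S+ \S+)?\s*$"
)


def audit_shared_logins(log_text, shared_accounts):
    """Split logins to shared accounts into attributed and unattributed ones."""
    attributed = defaultdict(list)  # account -> [(key_id, serial, source_ip)]
    unattributed = []               # plain-key logins: no identity in the log
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m or m["account"] not in shared_accounts:
            continue
        if m["key_id"]:
            attributed[m["account"]].append(
                (m["key_id"], int(m["serial"]), m["src"]))
        else:
            unattributed.append((m["account"], m["keytype"], m["fp"], m["src"]))
    return dict(attributed), unattributed


if __name__ == "__main__":
    who, gaps = audit_shared_logins(SAMPLE_LOG, {"deploy"})
    for account, logins in who.items():
        for key_id, serial, src in logins:
            print(f"{account}: {key_id} (cert serial {serial}) from {src}")
    for account, keytype, fp, src in gaps:
        print(f"REVIEW {account}: static {keytype} key {fp} from {src}")
```

Any login the function returns as unattributed came from a static key left in `authorized_keys` and is worth reviewing, since it bypasses the IdP-backed certificate flow.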