SSH certs signed by your own central CA (Most people aren’t aware of it, but OpenSSH can use CA certs), I usually set things up for ansible that way, but, of course, it works just fine for actual users, too (Why no ansible, though? It’s an extremely lightweight option that simply reduces common mistakes).