[SAC] Question about switching to SSH key based logins

Apologies for not the making the last meeting. Just going over the notes.

For "TODO: All people with shell access should change their passwords
and only log in with ssh key."
Is there a recommended method by which we plan to install people's keys?
How does this help if people still need to use passwords to elevate to
sudo and that hit's LDAP? I do realize it does at least remove sending
passwords for logins.

I think we found deploying keys via LDAP to be a dead end. The only
other method I've used is Puppet, where the public keys are kept in a
repo and configured to deploy to particular machines.

Any other ideas?