At our office we have a very simple policy regarding passwords and SSH:
- No normal user account has a password.
- The root account has a password but is not allowed to log in remotely using it ('PermitRootLogin without-password' in /etc/ssh/sshd_config).
- All automated processes must be key-based and never to the root account (if root access is necessary it should always be through some functionality-specific wrapper which that user is explicitly allowed to execute as root through 'sudo').
- All other remote logins by admins and developers are done using smartcards, which make it impossible to copy the private key.
We also set additional information when a specific key is used so that we have better auditing and also per-user settings in role accounts.
The one thing that SSH is really missing (and which, at some point, some work was being put into) is a PKI infrastructure. PKI infrastructures are notoriously cumbersome, but in corporate settings they can easily be integrated into the normal procedures. A PKI infrastructure makes authorizing users and disabling compromised keys a lot more manageable when you have 50+ servers.
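An added example, not part of the post above, that audits the one concrete setting the policy names: a POSIX shell check that an sshd_config text blocks remote root password login. The sample config is constructed; only the 'PermitRootLogin without-password' requirement comes from the post, and Match blocks are not handled.

```shell
#!/bin/sh
# Added example (not the poster's code): check an sshd_config text for the
# policy "root may not log in remotely with its password".

# Constructed sshd_config excerpt: this one violates the policy.
SAMPLE_SSHD_CONFIG='
# leading comment, should be ignored
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
'

# effective_value CONFIG KEYWORD
# sshd honours the FIRST occurrence of a keyword and matches keywords
# case-insensitively, so print the value from the first non-comment,
# non-blank line whose first field equals KEYWORD (ignoring case).
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    '
}

# check_root_login CONFIG
# Returns 0 when remote root password login is blocked: PermitRootLogin is
# "without-password" (spelled "prohibit-password" in newer OpenSSH) or "no".
# A missing directive is treated as a violation, because the OpenSSH default
# depends on the server version and the policy wants it stated explicitly.
check_root_login() {
    value=$(effective_value "$1" PermitRootLogin)
    case "$value" in
        without-password|prohibit-password|no) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run against the constructed sample.
if check_root_login "$SAMPLE_SSHD_CONFIG"; then
    echo "PermitRootLogin: ok"
else
    echo "PermitRootLogin: remote root password login is possible (policy violation)"
fi
```

Run it against the real file with `check_root_login "$(cat /etc/ssh/sshd_config)"`; for the effective, Match-aware configuration prefer `sshd -T` as input instead.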