To me keys are just bad news all around for any organization.
Kerberos all the way. That is really the only way to do it and it's sad
that it's still a PITA to get something that should be dead simple.
There is a reason why the OpenSSH folks refuse to implement PKI, which is
really what you want to do if you're into key management. There are just lots
of problems with an approach like that. Kerberos is just much better.
If you want to do things securely without Kerberos then an option is to do a
combination of passwords with a one time password. There are numerous
little doo-dads you can do that with, as well as programs you can install on a
cell phone or other Java-enabled device.
Now it sucks because a lot of people use SSH keys for automation. I think
that there has to be a better way.