Passphraseless keys have their uses, provided that they're used for role-
specific work and are heavily locked down on the server. I've used such
keys with hosts="...",command="...",no-foo restrictions and it's a much
better option than the alternatives -- if you use a custom daemon, you have
to worry about buffer overflows pre-authentication, whereas ssh-based
automation lets you ensure authentication over an established protocol
before getting into the custom code for handling some specific task.
At $previous_employment, we had bastion hosts for remote access based on
two-factor auth, and then SSH from those hosts to further in. I ran an
audit for passphraseless keys there, found some, and others with passwords
so simple that a naive brute-force unlock, written in shell, could find
them. Those got reported to the managers of the staff involved, who could
deal with the people problems, and we then just ran the new audit
So, two-factor auth to get in, SSH with passphrases and education about
using ssh-agent to move about. Worked well enough.
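As an added example (not from the post above), here is what the locked-down, role-specific key entry described there looks like with the OpenSSH `authorized_keys` option names (`from=`, `command=`, `no-*`), together with the forced-command wrapper it points at; the wrapper only ever runs an allowlisted task, whatever the client requested. The host addresses, paths, key blob and task names are constructed placeholders.

```bash
#!/bin/sh
# Constructed authorized_keys line for a passphraseless automation key.
#   from=     restricts which source hosts may present this key
#   command=  forces every login through the wrapper below
#   no-*      disables tunnels, forwarding and interactive terminals
# The key blob is a placeholder, not a real public key.
AUTHORIZED_KEYS_ENTRY='from="10.0.5.10,10.0.5.11",command="/usr/local/sbin/backup-wrapper",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA<PLACEHOLDER_KEY_BLOB> backup@automation'

# The forced-command wrapper (/usr/local/sbin/backup-wrapper in the entry
# above). sshd puts whatever the client asked to run into
# SSH_ORIGINAL_COMMAND; we never execute it, we only match it against a
# fixed allowlist. Returns 0 when a task was allowed, 1 otherwise.
# The two task scripts are hypothetical and are only echoed here.
backup_wrapper() {
    case "${SSH_ORIGINAL_COMMAND-}" in
        "backup start")
            echo "would run: /usr/local/bin/run-backup"
            return 0 ;;
        "backup status")
            echo "would run: /usr/local/bin/backup-status"
            return 0 ;;
        "")
            echo "rejected: no command given" >&2
            return 1 ;;
        *)
            # Anything else, including shells and arbitrary commands, is refused.
            echo "rejected: ${SSH_ORIGINAL_COMMAND}" >&2
            return 1 ;;
    esac
}

# Helper to simulate one forced-command invocation with a constructed
# client request; the subshell keeps the variable out of the caller's scope.
run_with_command() {
    ( SSH_ORIGINAL_COMMAND="$1"; backup_wrapper )
}

# Stand-alone demonstration.
run_with_command "backup start"
run_with_command "uname -a" || echo "client request refused, as intended"
```

Because the key is restricted on the server side, compromise of the client host yields only the allowlisted task from the listed source addresses, which is the property the post relies on.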