Using certificates with SSH is the way to go for shared access servers. Here's an open source way (yes, I'm involved in the project) to manage authorization and access with asynchronous approvals:
Smallstep also offers an open source ssh-aware kms-backed certificate authority.
https://github.com/smallstep/certificates
One nice advantage is its support for different provisioning flows. The oauth flavor allows you to hook into an existing identity provider to authenticate certificate requests.
Simply:
$ step ssh login