Currently looking at bastion/jit solutions to move away from ssh keys. Two options we’ve looked at were PrivX from ssh.com and ScaleFT (now owned by Okta). Both offer role based access to servers. PrivX seems better because it allows ssh session recordings with metadata playback search. Perfect to find out who ran the wrong command and what happened before and afterwards. They also keep a copy of any files transferred in/out over the ssh session. ScaleFT is good it’s very expensive compared to PrivX.
But we are looking at using a service like this as we move to zero trust.
Check out our open core version as well: https://github.com/gravitational/teleport/
(I work at Gravitational)