Plugins » Foreman Remote Execution

This also mean we have to introduce private key management in Foreman, the key can differ per user/hostgroup/host etc. We could use parameters as a storage but private keys are sensitive data and parameters do not help with different key per user scenario.

Is there a story for per-foreman user keys to hosts? I would think we have one key per smart proxy, and use foreman access control/auditing for users.

There's no story about this in the original design AFAIK but it seems natural to support more keys for one proxy. Maybe per user is too much for now, but I don't see big difference.

I view an SSH keypair for a proxy similar to a client SSL certificate - its the cryptographic identity of that particular proxy, what's the use case for having more than one?

I would suggest the default setup be each proxy has only one keypair.

By more keys for one proxy I meant more keys can be used through one proxy, sorry for bad wording. The idea is that every user would use his own private key (or each host, hostgroup, location, ...) so when one key is compromised, not the whole infrastructure is compromised. Also it would add additional level of granularity, so you could limit users <-> targets access. Anyway it's probably more like "would be nice" or "food for thought" in this phase.