It is now possible in openssh to authentic using trusted certificate authority keys. You can sign a key using a CA key. On the server side the CA key resides. Any key signed by the CA key will be authenticated. This is different from a user generating their own public and private keys (the typical key based scheme for ssh authentication). The mechanics of making it work can be found here.
From the previous link:
client: 1) ssh-keygen -f ca_rsa # generate a ssh keypair for use as a certificate Server(s): 2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned TrustedUserCAKeys /etc/ssh/sshcakeys # or whatever name or location you like 3) edit /etc/ssh/sshcakeys and add the contents of ca_rsa.pub in it Client: 4) for a user generate a certificate of its public key ssh-keygen -s ca_rsa -I keyid -n user id_rsa.pub This will generate an id_rsa-cert.pub certificate file Client: 5) ssh user [at] serve # connect to server using the certificate