Feature Request: Restrict Visibility, Copy, and Export of Private SSH Keys in a Shared Vault

Gladly.

The way to allow multiple people, each of whom has their own key pair (private and public), to log in to an account is to add all their public keys to the account's `authorized_keys` file.

To illustrate, consider to account operator@server and you and I as users who may log in to it.

ajcxz0@client1:~$ ls .ssh/id_ed25519{,.pub}
.ssh/id_ed25519  .ssh/id_ed25519.pub
ajcxz0@client1:~$ cat .ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPZhOtzFR5MheT82aSqd6PUUZI7dXuH95gAWWDrnvCk Andrew J. Caines

jay@client2:~$ ls .ssh/id_ed25519{,.pub}
.ssh/id_ed25519  .ssh/id_ed25519.pub
jay@client2:~$ cat .ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAO1UzY/zvVz0Yi/SLp7JTRidicOSgoS5WQEMdXE0NmC Jay

operator@server:~$ mkdir -v -m 700 ~/.ssh
mkdir: created directory '/home/operator/.ssh'
operator@server:~$ cat > ~/.ssh/authorized_keys << EOF
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPZhOtzFR5MheT82aSqd6PUUZI7dXuH95gAWWDrnvCk Andrew J. Caines
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAO1UzY/zvVz0Yi/SLp7JTRidicOSgoS5WQEMdXE0NmC Jay
EOF

ajcxz0@client1:~$ ls .ssh/id_ed25519{,.pub}
.ssh/id_ed25519  .ssh/id_ed25519.pub
ajcxz0@client1:~$ cat .ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPZhOtzFR5MheT82aSqd6PUUZI7dXuH95gAWWDrnvCk Andrew J. Caines

jay@client2:~$ ls .ssh/id_ed25519{,.pub}
.ssh/id_ed25519  .ssh/id_ed25519.pub
jay@client2:~$ cat .ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAO1UzY/zvVz0Yi/SLp7JTRidicOSgoS5WQEMdXE0NmC Jay

operator@server:~$ mkdir -v -m 700 ~/.ssh
mkdir: created directory '/home/operator/.ssh'
operator@server:~$ cat > ~/.ssh/authorized_keys << EOF
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPZhOtzFR5MheT82aSqd6PUUZI7dXuH95gAWWDrnvCk Andrew J. Caines
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAO1UzY/zvVz0Yi/SLp7JTRidicOSgoS5WQEMdXE0NmC Jay
EOF
$ chmod -v 600 ~/.ssh/authorized_keys
mode of '~/.ssh/authorized_keys' changed from 0644 (rw-r--r--) to 0600 (rw-------)

With your and my ED25519 public keys - one on each line - in operator's `authorized_keys` file, you and I (and no-one else*) can log in as operator on host server.

Think of the key pair as the way to identify the person (even if it's an account for an automated process) and presence of the person's public key in the `authorized_keys` file for an account (i.e. a user on a host) as the granting of access to it.

*[Weak authentication methods such as password are disabled on server.]