tickets #161354

open

Mage local authorized keys

Added by crameleon about 2 months ago. Updated about 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Compliance
Target version: -
Start date: 2024-06-01
Due date:
% Done: 0%
Estimated time:

Description

Generally, authorized keys for SSH are managed through Kanidm. But many machines have entries in local /root/.ssh/authorized_keys files. There are a few situations where they are legitimate (for example as an emergency hatch to the Kanidm servers themselves), but in most cases they are unnecessary backdoors. Using SSH as root directly circumvents our auditing measures, and having the file unmanaged can allow disabled users to retain access to certain machines. Avoiding issues with failing LDAP authentication should no longer be a legitimate reason, since we switched from sssd to kanidm-unixd, which does better at caching and fault tolerance.
Hence we should manage and enforce /root/.ssh/authorized_keys through Salt (this can be done through the users formula pillar), to ensure that all key entries not explicitly listed in the repository on a role or machine basis get and stay deleted.

It should additionally be evaluated if there are machines with other unmanaged local accounts which might need the same treatment.
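The audit the ticket calls for, as an added example that is not part of the ticket or of the openSUSE infrastructure repository: before a Salt state (for example `file.managed` on `/root/.ssh/authorized_keys`, or the users formula pillar) starts overwriting the file fleet-wide, it is useful to know which keys would disappear and which local accounts besides root can still log in. The script below compares a live authorized_keys file against an allowlist of the kind the repository would hold, matching on key type and key material only so that differing comments or options do not hide a match, and lists local accounts with a login shell that are not on a managed list. File names, the `$tmp` directory and all key material and passwd entries are constructed sample data, not real keys or hosts.

```shell
#!/bin/sh
# Audit local root authorized_keys and local accounts against repository-managed lists.
# All input below is constructed sample data written to a temporary directory.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Live file as found on a host: one managed emergency key (with options and a
# different comment than the repository copy) and one stale key of a disabled user.
cat > "$tmp/live_authorized_keys" <<'EOF'
# emergency hatch, also listed in the repository
command="/usr/bin/true",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyOneFakeKeyOneFakeKeyOneFakeKeyOne root@bastion

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFakeStaleKeyOfDisabledUserFakeStaleKey olduser@laptop
EOF

# What the repository (role or machine pillar) explicitly allows for this host.
cat > "$tmp/allowed_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyOneFakeKeyOneFakeKeyOneFakeKeyOne kanidm-emergency
EOF

# Constructed /etc/passwd excerpt and the list of local accounts that are allowed to exist.
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
messagebus:x:499:499:User for D-Bus:/run/dbus:/usr/sbin/nologin
oldadmin:x:1001:100:Left the team:/home/oldadmin:/bin/bash
backup:x:1002:100:Backup job:/var/backup:/bin/false
break-glass:x:1003:100:Emergency account:/home/break-glass:/bin/bash
EOF
printf 'root\nbreak-glass\n' > "$tmp/managed_accounts"

# Reduce each key line to "<type> <base64 key>", skipping comments, blank lines
# and any leading options field, so that only the key itself is compared.
key_ids() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                    print $i, $(i + 1); break
                }
        }' "$1" | sort -u
}

# Keys present in the live file but not in the allowlist; each would be
# removed once the file is managed from the repository.
unmanaged_keys() {
    key_ids "$1" > "$tmp/.live_ids"
    key_ids "$2" > "$tmp/.allowed_ids"
    comm -23 "$tmp/.live_ids" "$tmp/.allowed_ids"
}

# Local accounts with a real login shell that are not on the managed list.
unmanaged_accounts() {
    awk -F: 'NR == FNR { ok[$1] = 1; next }
             $7 !~ /(nologin|false)$/ && !($1 in ok) { print $1 }' "$2" "$1"
}

# Install the allowlist verbatim with root-only permissions, which is the
# end state a Salt file.managed run would enforce on every highstate.
enforce_authorized_keys() {
    install -m 0600 "$2" "$1"
}

echo "keys that would be deleted:"
unmanaged_keys "$tmp/live_authorized_keys" "$tmp/allowed_keys"
echo "local accounts to review:"
unmanaged_accounts "$tmp/passwd" "$tmp/managed_accounts"
```

Run against real hosts, the two audit functions take `/root/.ssh/authorized_keys` and `/etc/passwd` as their first argument; `enforce_authorized_keys` replaces the file rather than editing it, so a key is either in the repository or gone, which is the property the ticket asks for.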

#1

Updated by crameleon about 2 months ago

  • Category set to Compliance
  • Private changed from Yes to No