Install single SSH key multiple times on single machine via puppet
You are correct that the main concept of your solution is wrong, but I think it is wrong far earlier than you suspect. The best practice is to not share accounts; each user should have an individual account and use sudo to perform tasks that require alternate privileges. If you honestly must share one or more accounts, then allow your users to sudo su - ACCOUNT instead of logging in directly as ACCOUNT. For example:

    user { 'alice':
      groups => ['developer', 'deployer', 'root'],
      # other params...
    }

    ssh_authorized_key { 'alice':
      # params
    }

Then add appropriate entries in your /etc/sudoers (also hopefully managed by puppet!):

    # deployer group can run the deployment script without a password.
    %deployer ALL = NOPASSWD: /usr/local/bin/deploy
    # developer group can run commands as 'developer'
    %developer ALL = (developer) ALL
    # or, if you actually *must* allow them to log in as 'developer'
    %developer ALL = /usr/bin/su developer
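
One way to have Puppet manage the first two sudoers rules above, shown as an added example that is not part of the original answer. The drop-in file name and the visudo path are assumptions, as is an /etc/sudoers that includes /etc/sudoers.d.

```puppet
# Added example, not from the original answer.
# Assumptions: the drop-in name '50-shared-accounts' is hypothetical,
# visudo is at /usr/sbin/visudo, and /etc/sudoers includes /etc/sudoers.d.

# Groups referenced by the sudoers rules and by the user's 'groups' list.
group { ['developer', 'deployer']:
  ensure => present,
}

# The rules from the answer, kept in a non-interpolating heredoc.
$sudoers_rules = @(SUDOERS)
  # Managed by Puppet; local edits will be overwritten.
  # deployer group can run the deployment script without a password.
  %deployer ALL = NOPASSWD: /usr/local/bin/deploy
  # developer group can run commands as 'developer'
  %developer ALL = (developer) ALL
  | SUDOERS

file { '/etc/sudoers.d/50-shared-accounts':
  ensure       => file,
  owner        => 'root',
  group        => 'root',
  # sudo expects sudoers files to be read-only for root.
  mode         => '0440',
  content      => $sudoers_rules,
  # Puppet runs this against the new content before replacing the file
  # ('%' is substituted with a temporary file path). If visudo reports a
  # syntax error the resource fails and the existing file stays in place.
  validate_cmd => '/usr/sbin/visudo -cf %',
  require      => Group['developer', 'deployer'],
}
```

Keep the drop-in name free of dots and trailing tildes, since sudo skips such files in an included directory.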