
I want something that'll integrate auth across SSH, web (ideally including SSL, with the option of authenticating with either client-side cert or password, like they do at MIT), and whatever applications want to use it.

Kerberos seems to best fit what I want, but tool support seems surprisingly poor.

What do people use these days?

2 Answers


One option to consider is LDAP. Password-wise it works for SSH and web. There are also LDAP schemas for storing certificates, so it could be made to work for cert-based authentication (but I've never seen that in practice, so it is either hard, rare or both :)

LDAP has the benefit of a bunch of tools ranging in quality from "I am going to slit my wrists!" to "this isn't horrible", so you should be able to find one you like (or at least don't hate :).

One LDAP downside: as far as I know the only way to authenticate against centrally managed ("in LDAP") SSH public keys is to apply a patch to OpenSSH, so you're still stuck distributing authorized_keys files everywhere.

voretaq7

I agree with voretaq7, but please also consider a solution where the LDAP server passes authentication through to a Kerberos server.

LDAP can be used for storing user details, and for authentication from tools that don't support Kerberos, like PHP.

Kerberos allows for semi-passwordless SSH and LDAP (among other things) authentication. You get one Kerberos ticket (say by SSHing into a host), and then won't be asked for your password again when SSHing into another host or using ldapmodify.

This is how Active Directory works internally. Kerberos is used for authentication, and LDAP is used as a user database.

Fahad Sadah
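The pass-through arrangement this answer describes, as an added example that is not from the answerer: OpenLDAP's `{SASL}` password scheme hands simple-bind password checks to Cyrus saslauthd, which verifies them against the Kerberos KDC. The DN layout, realm EXAMPLE.COM and file paths are assumed and vary by distribution.

```conf
# --- SASL config read by slapd: /etc/sasl2/slapd.conf (or /usr/lib/sasl2/slapd.conf) ---
# slapd must be built with SASL password support (--enable-spasswd).
# {SASL} passwords are verified by the saslauthd daemon instead of a stored hash.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- saslauthd invocation (init script or /etc/default/saslauthd) ---
# The kerberos5 mechanism checks the username/password pair against the KDC
# of the host's default realm (from /etc/krb5.conf):
#   saslauthd -a kerberos5

# --- LDIF applied with ldapmodify: per-user entry (assumed DN and realm) ---
# No password hash lives in LDAP; a simple bind as this entry is forwarded to Kerberos.
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}alice@EXAMPLE.COM
```

A simple bind still sends the cleartext password to slapd, so require TLS (ldaps:// or StartTLS) on the directory; clients that support GSSAPI should bind with their ticket directly and never touch the pass-through path.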