Good procedure?

Stef Bon stefbon at gmail.com
Tue Aug 21 14:04:15 AEST 2018


Hi,

I'm looking for a procedure (on paper first) to provide users on hosts
session keys to log in to servers providing services like file, print
or even access to the internet or a sql db.

The first step is that the user has to authenticate on the local host via
password. Passwords and usernames are centrally managed via ldap (or
similar).

The second step is that the user on the host logs in to the CA server,
using its password, its private key and the hostkey. If successful,
then it gets a public session key (the private is kept on the CA
server) it can use to auth to ssh/sftp (etc) servers.

Is this a good procedure?

Stef


More information about the openssh-unix-dev mailing list