How is what we're doing less secure than, say, provisioning servers through a provider like Linode that gives customers a web-based access panel? (One can use their provisioning tools to create users with root access.) Also, running a daemon may make folks more comfortable, but the reality is that the daemon still has the ability to add users, which in turn can be used to log in. Running things through a daemon certainly makes monitoring and firewall setup more manageable, though, and we're working on it.
LDAP is a bit of a headache to set up for some shops.
A daemon could be smart. Only allowing certain operations (e.g. adding non-root users) and it could send email directly to the account holder informing them every time it does so. SSH access doesn't even need to be open for a daemon to poll. Even if a hacker managed to add an account they might not be able to use it.
Whereas your current method requires remote root SSH to be accessible from at least your network. Hacking you means immediate unfettered access to every one of your users.
I'd recommend a daemon and explicitly telling people to firewall off SSH from anywhere that isn't their own network.
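As an added illustration of the daemon design sketched in this comment (not code from the thread or from the service under discussion): a policy check that refuses every operation except adding a non-root user and produces a notification for the account holder on each accepted request. The queue format, field names, reserved-name list and thresholds are assumptions for the example; a real daemon would poll these requests outbound over TLS, hand accepted ones to useradd(8), and e-mail the notification text.

```python
"""Policy gate for a provisioning daemon: accept only a narrow set of
operations (adding non-root users) and record a notification for the
account holder every time one is performed.  Added example; request
fields, reserved names and limits are assumptions, not the service's API."""
import re
from dataclasses import dataclass
from typing import Optional

# Portable POSIX username: lowercase or underscore start, then [a-z0-9_-], max 32 chars (assumed policy).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
ALLOWED_OPERATIONS = {"add_user"}                      # anything else is refused outright
RESERVED_NAMES = {"root", "admin", "daemon", "nobody", "sshd"}   # constructed list
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "admin"}           # constructed list
MIN_UID = 1000                                         # conventional first non-system uid
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/usr/sbin/nologin"}


@dataclass
class Decision:
    accepted: bool
    reason: str
    notification: Optional[str] = None   # text to e-mail the account holder when accepted


def evaluate(request: dict) -> Decision:
    """Apply the allowlist: operation, username, uid, shell and groups must all pass."""
    op = request.get("op")
    if op not in ALLOWED_OPERATIONS:
        return Decision(False, f"operation not permitted: {op!r}")
    name = request.get("username", "")
    if not USERNAME_RE.match(name) or name in RESERVED_NAMES:
        return Decision(False, f"username rejected: {name!r}")
    uid = request.get("uid")
    if not isinstance(uid, int) or uid < MIN_UID:
        return Decision(False, f"uid must be >= {MIN_UID}, got {uid!r}")
    shell = request.get("shell", "/usr/sbin/nologin")
    if shell not in ALLOWED_SHELLS:
        return Decision(False, f"shell not allowed: {shell!r}")
    groups = set(request.get("groups", []))
    if groups & PRIVILEGED_GROUPS:
        return Decision(False, f"privileged group requested: {sorted(groups)}")
    msg = (f"provisioning daemon added user {name} (uid {uid}) on host "
           f"{request.get('host', '?')}; if you did not request this, revoke its access")
    return Decision(True, "ok", msg)


def process_queue(requests):
    """Split a polled batch into (accepted, refused) pairs of (request, Decision)."""
    accepted, refused = [], []
    for r in requests:
        d = evaluate(r)
        (accepted if d.accepted else refused).append((r, d))
    return accepted, refused


# Constructed sample batch, as if polled from the provider; only the first should pass.
SAMPLE_QUEUE = [
    {"op": "add_user", "username": "alice", "uid": 1001, "shell": "/bin/bash", "host": "web-1"},
    {"op": "add_user", "username": "root", "uid": 0, "host": "web-1"},
    {"op": "add_user", "username": "bob", "uid": 1002, "groups": ["sudo"], "host": "web-1"},
    {"op": "run_command", "command": "id", "host": "web-1"},
]

if __name__ == "__main__":
    acc, ref = process_queue(SAMPLE_QUEUE)
    for r, d in acc:
        print("ACCEPT", r["username"], "->", d.notification)
    for r, d in ref:
        print("REFUSE", d.reason)
```

The point of the gate is the one made above: even if an attacker can inject a request into the queue, the worst outcome is an unprivileged account whose creation is immediately reported to the owner, and the host never needs inbound SSH from the provider's network for this path to work.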
I think you're right - we should include those instructions for now, and provide a bastion-as-a-service later. The daemon route is clearly preferable for customers, so we'll build that out (we already have manual key-adding confirmation, and we record the IPs of people who attempt to download/upload keys).
I would note, though, that if we're hacked, the attacker doesn't get access to the users. We actually don't store the encryption keys for the deployment keys; the client does. Still, the daemon route is what we need to do. Thanks for the feedback.