LinuxQuestions.org
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Old 08-20-2011, 03:39 PM   #1
takayama
Member
 
Registered: Sep 2009
Posts: 97

Rep: Reputation: 0
Certificate-based SSH on a lot of machines


Hello
How does it work if you want to have certificate-based authentication against a big number of Linux servers? Is it also possible to use it in combo with a Windows domain (domain users should be able to log in with their domain credentials)?
 
Old 08-20-2011, 04:14 PM   #2
Nominal Animal
Senior Member
 
Registered: Dec 2010
Location: Finland
Distribution: Xubuntu, CentOS, LFS
Posts: 1,723
Blog Entries: 3

Rep: Reputation: 948
Using RSA or DSA keys (public key cryptography, not certificates per se) works extremely well with a large number of hosts and users, and can be configured (and is configured, by default, if I recall correctly, in OpenSSH) to fall back to password-based authentication. So, if you configure your AD with the necessary POSIX account details, you can use an LDAP PAM module for authentication against AD.

I know of several organizations (mostly universities) where something very much like this has been in active use for several years without any real issues. I am not aware of any where client certificates are used for SSH authentication, although it is of course possible. (I suspect that in general, client certificates are simply not needed, and keys are much simpler to maintain.)
 
Old 08-21-2011, 10:29 AM   #3
takayama
Member
 
Registered: Sep 2009
Posts: 97

Original Poster
Rep: Reputation: 0
Ok, so it can be set up so you can easily create a new user in one place and let them SSH to the rest of the servers; though, does the same go for setting up a new server?
 
Old 08-21-2011, 01:22 PM   #4
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260
You mean to allow them to log in without any password or passphrase?

You would need to install each user's SSH key at all locations, which doesn't look like the setup you are looking for. But you could set up host-based authentication; this way all users from the defined source hosts are allowed to log in.
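As an added example (not code from the thread or from the posters) of the host-based setup Reuti mentions, this script generates the server-side pieces for a list of trusted client hosts. It assumes OpenSSH with an sshd_config.d include directory; the config directory and host list are parameters (use /etc/ssh on a real server) so it can be exercised against a temporary directory. Client host keys must already be present in ssh_known_hosts, collected out of band: the script refuses to trust a host whose key is missing rather than loosening host-key checking.

```shell
#!/bin/sh
# Added example, not from the thread: write shosts.equiv and an sshd drop-in
# for host-based authentication. $1 = config dir (/etc/ssh in deployment),
# $2 = file with one trusted client hostname per line ('#' comments allowed).
# Returns the number of hosts rejected because ssh_known_hosts has no key.
set -eu

setup_hostbased() {
    confdir=$1
    hostlist=$2
    drop_in="$confdir/sshd_config.d/50-hostbased.conf"
    known="$confdir/ssh_known_hosts"
    equiv="$confdir/shosts.equiv"
    missing=0

    mkdir -p "$confdir/sshd_config.d"
    : > "$equiv.tmp"
    while IFS= read -r host; do
        case $host in ''|\#*) continue ;; esac
        # sshd verifies the client's host key against ssh_known_hosts, so the
        # hostname must appear (exact match, comma-separated aliases allowed;
        # hashed entries and [host]:port forms are not handled here).
        if awk -v h="$host" '{ n = split($1, a, ","); for (i = 1; i <= n; i++)
                if (a[i] == h) found = 1 } END { exit !found }' "$known" 2>/dev/null
        then
            printf '%s\n' "$host" >> "$equiv.tmp"
        else
            printf 'no host key for %s in %s, not trusting it\n' "$host" "$known" >&2
            missing=$((missing + 1))
        fi
    done < "$hostlist"
    mv "$equiv.tmp" "$equiv"
    chmod 644 "$equiv"

    cat > "$drop_in" <<'EOF'
# Accept logins from hosts listed in shosts.equiv; the client proves its
# identity with its host key (client side: HostbasedAuthentication yes and
# EnableSSHKeysign yes), so keep ssh_known_hosts current on every server.
HostbasedAuthentication yes
IgnoreUserKnownHosts yes
IgnoreRhosts yes
HostbasedUsesNameFromPacketOnly no
EOF
    chmod 644 "$drop_in"
    return "$missing"
}
```

Run it as root on each server after distributing ssh_known_hosts, then reload sshd.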
 
Old 08-21-2011, 02:14 PM   #5
Nominal Animal
Senior Member
 
Registered: Dec 2010
Location: Finland
Distribution: Xubuntu, CentOS, LFS
Posts: 1,723
Blog Entries: 3

Rep: Reputation: 948
Quote:
Originally Posted by takayama
Ok, so it can be set up so you can easily create a new user in one place and let them SSH to the rest of the servers; though, does the same go for setting up a new server?
Yes. You use LDAP or AD for user accounts. You can either store user home directories on an NFS (NFSv4 recommended) server, or let them have separate home directories on each server. Or even a combination, if you like. I recommend using NFSv4, as I've found it most effective (benefits to cost ratio) in the long term. Note that you do not need to have a single NFSv4 server; you can set up a number of NFSv4 servers, and assign each user to a specific server. That needs some assistance from the LDAP schema, so do think and preferably try it out on a test setup first. (Even if it takes some work, knowing it works before rolling it out is very important, right?)

If you use DHCP to give each machine its host name and IP address, your workstations can all be identical. Whichever machine the user uses, they will always get the same (their own) desktop environment. Obviously, the workstations can be cloned, too; you can have a few spare hard drives pre-cloned, and when a problem occurs, just swap the hard drive. If you have time, you can investigate what the problem is; if not, just re-clone the hard drive. You can clone a Linux installation using basic command line tools; I've written some basic scripts to do partitioning etc. automatically, to clone a system to any disk, regardless of size.

It is possible to clone workstations remotely. I've designed some strategies, but none of them are actively used right now. Using package managers to install a system takes much longer than cloning, especially if you have a gigabit network to a server containing a cloneable image. Let me know if you want to know further details.

The servers can also be pretty much identical, except of course for the specific services each one provides. There is no need to run for example Apache on each server, is there?
(The configuration related to human users is identical on all servers: basically LDAP and PAM configuration, and possibly the helper scripts related to SSH key regeneration et cetera the users may wish to do. It does make maintenance easier, especially if you have many servers.)

If you do not wish to use NFS for user home directories, then the first time a user logs in to a server, they will have to supply their password. Since you will be using LDAP or AD, the user will have a single username and a single password, which work for all servers. If it is very important that users do not need to supply their usernames after that, you can write a couple of simple scripts to retrieve the ~user/.ssh/ files from some centralized storage at interactive SSH login, if the files do not exist yet. There are a couple of additional details to take care of, but basically it boils down to 1) users have to use their password for the first login on each server, and after regenerating their SSH keys; 2) having some centralized storage (SSH/SCP only is fine) for the per-user SSH keys; and 3) writing some helper scripts for these. Again, if you need further details on this, just let me know. However, I do believe using NFSv4 is much simpler.
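As an added example (not code from the thread or from the poster) of the first-login helper described above, this function populates ~/.ssh from central per-user storage only when the user has no key yet. It is meant to be called from an interactive login hook such as a file in /etc/profile.d; the fetch command is a parameter (in deployment something like scp from the central key server, here any command that copies the user's bundle into the directory it is given), so the logic can be exercised against a local directory. File names are allow-listed because sshd executes ~/.ssh/rc, so a tampered store must not be able to plant arbitrary files.

```shell
#!/bin/sh
# Added example, not from the thread. $1 = user's home directory,
# $2 = command that copies the user's key bundle into the directory passed
# as its last argument (e.g. "scp -r keystore.example.com:keys/$USER/.",
# a hypothetical central store). Prints the number of files installed.
set -eu

ALLOWED_FILES='id_ed25519 id_ed25519.pub id_rsa id_rsa.pub authorized_keys config'

fetch_user_ssh_dir() {
    home=$1
    fetch=$2
    sshdir="$home/.ssh"

    # First login only: never overwrite keys the user already has.
    if [ -e "$sshdir/id_ed25519" ] || [ -e "$sshdir/id_rsa" ]; then
        return 0
    fi
    # Home must exist and be writable (e.g. not a stale or root-squashed mount).
    if [ ! -d "$home" ] || [ ! -w "$home" ]; then
        echo "cannot write to $home, skipping key fetch" >&2
        return 2
    fi

    umask 077
    tmp=$(mktemp -d "$home/.ssh-fetch.XXXXXX")
    # Fetch into a private staging directory, never straight into ~/.ssh.
    if ! $fetch "$tmp"; then
        rm -rf "$tmp"; echo "key fetch failed" >&2; return 1
    fi
    mkdir -p "$sshdir"; chmod 700 "$sshdir"
    n=0
    for f in $ALLOWED_FILES; do
        # Allow-list by name: anything else in the bundle (rc, environment,
        # unexpected scripts) is discarded with the staging directory.
        [ -f "$tmp/$f" ] || continue
        cp "$tmp/$f" "$sshdir/$f"
        chmod 600 "$sshdir/$f"
        n=$((n + 1))
    done
    rm -rf "$tmp"
    echo "$n"
}
```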
 
  

