1. ' local authentication' means not centralised/distributed auth, so the opposite of LDAP.
Which is it you want?
2. if local, then ssh with ssh-auth-keys seems to match.
See also 'PermitRootLogin no' in sshd-config
3. if centralised/distributed; LDAP+TLS
4. chrooting a lot of accts is a fair amt of work unless they are virtually the same, in which case a cfg tool like Puppet may be a soln.
If its just privileged cmds you're worried about, they're not normally available and you can control access with sudo.
5. If this is for a real system, more info would help.