It's a common headache for any enterprise which has a boat load of Linux server, trying to change passwords across all machines. Inevitably the passwords go out of sync because they expire on different dates and you end up spending the whole day changing passwords across all your servers. I'm looking for something that will allow me to change passwords on one server/website/location and it propagates the password across all servers connected to that tool.

I searched the forums and found some discussion on this topic from several years ago, but the environment has changed and new tools have hit the market. So I thought I'd stir the pot again and see if opinions have changed.

The simplest solution to me seems like OpenLDAP, Or Windows AD. SSH key based authentication takes care of the access issue but still doesn't solve the password change problem. We also use Thycotic Secret Server in our environment. It can work with SAML as the back end tool. Gives you a nice web front end to manage passwords and use SAML to propagate passwords to all connected apps. But SAML seems like something designed for web based applications and not local users on Linux servers.

Appreciate any help or guidance you folks can provide.

NIS perhaps?

NIS has security issues that scares corporate clients. It never gets approved.

Then they'd have problems with pretty much ANY large-scale system like this. OpenLDAP is in the same boat with NIS. If you want to use SAML, I've seen things that say you CAN do it, but it may not be too pleasant.

You reference SSH key based authentication...so if you have a root/SUDO user that has keys swapped on all your servers, a fairly simple script could just go through and run something like
Just pass the new password and a user ID as command-line parameters to your shell script, and have it loop through a list of server IP addresses. Change passwords for a user all at once. Or even just run "passwd -e someuserid" instead, and just expire the users password, which will force THE USER to change their own password(s) everywhere.

I'm doing something similar right now, but trying to get away from it as it requires a lot of manual work. I feel some sort of centralized authentication will be much more manageable. Ideally a combination of NIS+ with a password safe is perfect.

Should only have to set it up once, so yes there would be manual work up front, same with installing ANY tool.
Centralized is fine, but you mentioned that 'they' have problems with NIS from a security standpoint. ANY centralized solution would be vulnerable, including LDAP, NIS, or whatever. Only suggested a script because you mentioned 'they' had concerns about NIS security.

You know the environment better; just offering suggestions based on what you posted.

Pragmatically speaking, every Enterprises has some form of central authority for authentication and authorization ... and it's probably also what causes your badge to be authorized when you swipe it or tap it at the front door while trying to balance your coffee-cup. LDAP, MS-OpenDirectory, and Kerberos are common tools that are used for this purpose.

Users can thus "single sign-on" to any computer that they are authorized to use, and they can reach (intra-net "web") and other applications without being further challenged because "they already know who you are, and that you are that person, and what you're permitted to do." The corporate security staff can manage this centrally. And, security auditors can demonstrate that there are no "holes," to maintain compliance with laws.