which is better for sudo: ldap accounts or sudo auto via ssh keys?

[Aleksandr Miroslav]

I have a bunch of servers that I'm trying to tighten down.

>From a security standpoint, which would be more secure:

- having users login from an ldap account and use that same password
to authorize themselves to sudo


- or do away with passwords entirely and have them login with ssh keys
only (easy to do) and then authenticate to sudo with ssh keys (from a
search, apparently this is doable). I would also like to enforce that
the ssh-keys have passwords on them

thanks,
Alex