A sensible approach to access control for servers is to use named user accounts with passphrase-protected SSH keys, rather than having users share an account with a widely-known password. Puppet makes this easy to manage thanks to the built-in ssh_ authorized_key type.
To combine this with virtual users, as described in the previous section, you can create a define, which includes both user and ssh_authorized_key. This will also come in handy when adding customization files and other resources to each user.