scap3 uses puppetized system users and keyholder to do deployments. The local POSIX user and the SSH keys are all managed by Puppet.
However, labs has special PAM settings that keep ANY user not in the labs project from sshing in. deployment-prep gets around this by adding exceptions for individual system users that need to be able to deploy.
This is not ideal, because it complicates the process of setting up new deployment targets and users in any labs project. It would be nice if system users with properly configured keys were allowed to ssh, even if they aren't in the labs project group.