Back to blog

How to audit SSH access across your fleet

A practical checklist for teams who need visibility into who can SSH where, and why ad-hoc key management makes audits painful.

Why SSH access audits fail

Most teams treat SSH access as something that "just works" until an audit, an incident, or a departing contractor forces a review. By then, authorized keys are scattered across servers, shared between people, and rarely tied to a clear owner or expiry.

A useful audit answers three questions:

  • Who can access each server, and as which account?
  • When was that access granted, and when should it end?
  • What SSH activity happened while access was active?

Without a system of record, you end up grepping authorized_keys files and Slack threads. That might satisfy a checkbox once, but it does not scale.

What to look for on each server

Start with a sample of production hosts—not just the ones you remember. For each server, collect:

  1. Every public key in authorized_keys for each login account
  2. Who owns each key and whether it is still needed
  3. Whether any key is shared between multiple people
  4. Whether keys have expiry or are effectively permanent

Red flags include keys with no owner, keys that outlive the project they were created for, and break-glass accounts that never get rotated.

Tie access to people and purpose

Audits are easier when access is granted as a permission: a person, a server account, a schedule, and a reason. That model maps cleanly to review workflows—managers can confirm their team still needs access, and security can spot permissions that should have expired.

GrantSSH is built around that model. Permissions define who gets which server account, for how long, and the agent keeps authorized_keys in sync on each host. SSH activity is collected so you can correlate logins with active permissions.

A simple audit rhythm

You do not need a quarterly marathon. A lightweight rhythm works better:

  • Weekly: review new permissions and anything expiring soon
  • Monthly: sample a few servers and confirm keys match active permissions
  • On offboarding: revoke permissions immediately; do not rely on manual key removal

Document what you checked and what you changed. Auditors care about repeatability more than perfection on the first pass.

Next steps

Take control of your SSH access

GrantSSH gives teams a clear, auditable way to grant and revoke SSH access. Create your account and get started in minutes.

← Back to blog