Features
Everything you need to control SSH access, and nothing you do not
GrantSSH is focused on permission-based access, clear schedules, and auditable activity. The features below show how teams keep access tight without changing how SSH works.
Permission model
Tie a team member to a server account with a schedule. Access requests include a reason for approval.
Local enforcement
The open-source agent updates authorized keys on each server.
Audit visibility
SSH logins, disconnects, sudo use, and failed login summaries from your servers.
Permission-based access control
Access is defined as explicit permissions. Each permission maps a team member to a specific server account on a specific server, with a schedule if needed.
Granular by server account
Permissions are granted at the OS user level, such as deploy or
ubuntu.
Member groups reduce repetition
Grant access to a group of team members at once. Permissions are still defined per server and server account.
Roles match responsibility
Members request access, managers approve, and owners manage membership. Each role has clear boundaries.
Approval workflow
Requests can be approved, rejected, or adjusted before a permission is created.
Scheduling that keeps access tight
Permissions can be permanent, date-based, or time-windowed. Access follows the schedule automatically.
Permanent access
For long-term roles that require ongoing SSH access.
Date range access
Grant access for a defined start and end date, such as a project or engagement.
Time windows
Allow access only during specific days and hours, such as on-call rotations.
Enforcement happens on your servers
The open-source agent runs on each server and keeps authorized keys aligned with the current permissions. There is no SSH proxy or alternative login flow.
Key presence is the control
When a permission is active, the public key exists in the target server account. When inactive, the key is removed on the next poll.
No shared keys
Team members use their own keys. Access ends when a permission becomes inactive and the agent removes the key on its next poll.
SSH activity visibility
GrantSSH collects SSH activity reported by the agent on each server, giving teams a clear picture of who connected and when.
Events captured
- SSH login events
- SSH disconnect events
- Sudo usage events
- Failed login summaries
Lightweight by design
Activity is collected from server-side SSH events. GrantSSH does not record sessions, log commands, or proxy SSH traffic.
SSH key management without key sharing
Team members upload public keys only. GrantSSH never handles private keys or generates new ones.
Public keys only
- Team members manage their own keys
- Keys sync to servers automatically when access is active
- No private key storage or transport
Standard SSH workflow
Users connect with normal SSH clients and keys. GrantSSH does not require new tooling.
Ready for Controlled SSH Access?
Create your account and start granting time-limited SSH access in minutes.
Set up controlled SSH access in minutes.