Features

Everything you need to control SSH access, and nothing you do not

GrantSSH is focused on permission-based access, clear schedules, and auditable activity. The features below show how teams keep access tight without changing how SSH works.

Permission model

Tie a team member to a server account with a schedule. Access requests include a reason for approval.

Local enforcement

The open-source agent updates authorized keys on each server.

Audit visibility

SSH logins, disconnects, sudo use, and failed login summaries from your servers.

Permission-based access control

Access is defined as explicit permissions. Each permission maps a team member to a specific server account on a specific server, with a schedule if needed.

Granular by server account

Permissions are granted at the OS user level, such as deploy or ubuntu.

Member groups reduce repetition

Grant access to a group of team members at once. Permissions are still defined per server and server account.

Roles match responsibility

Members request access, managers approve, and owners manage membership. Each role has clear boundaries.

Approval workflow

Requests can be approved, rejected, or adjusted before a permission is created.

Scheduling that keeps access tight

Permissions can be permanent, date-based, or time-windowed. Access follows the schedule automatically.

Permanent access

For long-term roles that require ongoing SSH access.

Date range access

Grant access for a defined start and end date, such as a project or engagement.

Time windows

Allow access only during specific days and hours, such as on-call rotations.

Enforcement happens on your servers

The open-source agent runs on each server and keeps authorized keys aligned with the current permissions. There is no SSH proxy or alternative login flow.

Key presence is the control

When a permission is active, the public key exists in the target server account. When inactive, the key is removed on the next poll.

No shared keys

Team members use their own keys. Access ends when a permission becomes inactive and the agent removes the key on its next poll.

SSH activity visibility

GrantSSH collects SSH activity reported by the agent on each server, giving teams a clear picture of who connected and when.

Events captured

  • SSH login events
  • SSH disconnect events
  • Sudo usage events
  • Failed login summaries

Lightweight by design

Activity is collected from server-side SSH events. GrantSSH does not record sessions, log commands, or proxy SSH traffic.

SSH key management without key sharing

Team members upload public keys only. GrantSSH never handles private keys or generates new ones.

Public keys only

  • Team members manage their own keys
  • Keys sync to servers automatically when access is active
  • No private key storage or transport

Standard SSH workflow

Users connect with normal SSH clients and keys. GrantSSH does not require new tooling.

Ready for Controlled SSH Access?

Create your account and start granting time-limited SSH access in minutes.

Set up controlled SSH access in minutes.