Guide
Developer SSH offboarding checklist
Reduce the chance that a departed developer's SSH keys still work somewhere on your infrastructure.
Why SSH offboarding is easy to miss
HR and app access get process. SSH keys on individual servers often do not — especially when keys were added manually over years, under multiple Linux accounts, or during rushed departures.
Before the developer leaves
- Confirm which servers the developer can access
- Confirm which Linux accounts they use (
deploy, personal, shared) - List active temporary access windows tied to them
- Identify deploy keys and automation they own or created
On final day
- Revoke application and VPN access per your normal process
- Remove or disable personal server accounts where appropriate
- Remove their public keys from
authorized_keyson each server - Review shared accounts for their keys
- Rotate shared credentials where they had knowledge
After departure
- Review deploy keys and CI/CD keys they may have added
- Confirm no temporary access windows remain active
- Spot-check
authorized_keyswith fingerprints if comments are unclear - Document the access removal in your audit notes
Server accounts to review
Personal Unix accounts, deploy / ubuntu / ec2-user shared login users, root if keys were ever added there, and any break-glass or emergency accounts.
authorized_keys files to inspect
sudo find /home /root -path '*/.ssh/authorized_keys' -type f -exec grep -l 'COMMENT_OR_EMAIL' {} \;
Replace COMMENT_OR_EMAIL with a known comment or email fragment from their keys.
Deploy keys and CI/CD keys
Check Git hosting deploy keys, build pipelines, and configuration management repos. SSH access for automation is still SSH access.
How to reduce next-time cleanup
Centralise permissions so offboarding is revoking access in one place rather than hunting every file. Pair that with time-bound grants for contractors and incident access so keys expire by default.
Related: developer offboarding use case · authorized_keys Analyzer
Centralise SSH permissions so offboarding does not depend on hunting every authorized_keys file
Revoke access from one place and let the agent remove keys locally on the next sync.