Guide

Temporary SSH access: how to avoid permanent keys for short-lived work

Practical patterns for granting SSH access that actually ends when the work does.

When temporary SSH access is useful

  • Contractors on a fixed project timeline
  • Incident response when someone needs shell access quickly
  • Maintenance windows with a known start and end
  • On-call coverage for a specific shift

The manual way

The usual workflow: add a public key to authorized_keys, set a calendar reminder, remove the key later. It works for one server and one person once in a while.

Why reminders fail

Reminders slip during busy weeks. The person who added the key leaves the team. Tickets get closed before cleanup happens. Emergency access feels urgent; revocation feels optional. Over months, temporary grants become permanent.

What good temporary access needs

Every grant should answer:

  • Who — which person or role
  • Server and account — which machine and Linux user
  • Reason — project, incident, or maintenance context
  • Start time — when access becomes valid
  • End time — when access should stop

Example access windows

  • Contractor access for 7 days — start Monday 09:00, end the following Monday 17:00
  • Maintenance window — Saturday 09:00–17:00 for deploy work only
  • Incident access for 2 hours — immediate grant, automatic expiry when the bridge closes

Cleanup and audit requirements

Record who approved access and when it should end. After expiry, verify the key is gone from authorized_keys. Lightweight activity events help you reconstruct who had access during an incident review.

How GrantSSH handles time-bound permissions

Permissions have schedules. The open-source agent syncs authorized_keys locally — keys appear while access is active and are removed when it ends (typically within 30–120 seconds on the next sync). Users keep their normal SSH workflow; no bastion or proxy sits in the path. Existing sessions are not forcibly terminated when access expires.

Related: on-call SSH access · how GrantSSH works

Grant temporary SSH access without calendar reminders

Set start and end times on permissions and let the agent keep authorized_keys clean automatically.