Use case
Temporary SSH access for contractors
Grant contractors access for a project, a day, or a fixed maintenance window without leaving their SSH keys behind afterwards.
Contractor access is easy to grant and easy to forget
Most teams handle contractor SSH access by copying a public key into authorized_keys, doing the work, and planning to clean it up later. That cleanup step is where things usually fail.
- Keys stay after the contract ends
- Access is granted wider than needed
- Nobody remembers why a key was added
- Cleanup depends on manual reminders
- Shared accounts make ownership unclear
GrantSSH makes contractor access temporary by default
- Grant access to specific server accounts
- Set fixed start and end dates
- Use working-hours windows where appropriate
- Let the agent remove keys automatically when access ends
- Keep a lightweight audit trail of access and activity
Typical workflow
- Invite the contractor
- Contractor adds their own public key
- You grant access to the required server/account
- Access follows the schedule
- GrantSSH removes the key when the window ends
No new SSH workflow for the contractor
Contractors still use their normal SSH client and their own key. GrantSSH controls whether that public key is present on the server while the permission is active. See how it works and our security model.
Related: temporary SSH access guide · stale SSH keys
Give contractors access without leaving keys behind
Set a time window, grant access to the right accounts, and let GrantSSH clean up authorized_keys when the work is done.