Use case

Temporary SSH access for contractors

Grant contractors access for a project, a day, or a fixed maintenance window without leaving their SSH keys behind afterwards.

Contractor access is easy to grant and easy to forget

Most teams handle contractor SSH access by copying a public key into authorized_keys, doing the work, and planning to clean it up later. That cleanup step is where things usually fail.

  • Keys stay after the contract ends
  • Access is granted wider than needed
  • Nobody remembers why a key was added
  • Cleanup depends on manual reminders
  • Shared accounts make ownership unclear

GrantSSH makes contractor access temporary by default

  • Grant access to specific server accounts
  • Set fixed start and end dates
  • Use working-hours windows where appropriate
  • Let the agent remove keys automatically when access ends
  • Keep a lightweight audit trail of access and activity

Typical workflow

  1. Invite the contractor
  2. Contractor adds their own public key
  3. You grant access to the required server/account
  4. Access follows the schedule
  5. GrantSSH removes the key when the window ends

No new SSH workflow for the contractor

Contractors still use their normal SSH client and their own key. GrantSSH controls whether that public key is present on the server while the permission is active. See how it works and our security model.

Related: temporary SSH access guide · stale SSH keys

Give contractors access without leaving keys behind

Set a time window, grant access to the right accounts, and let GrantSSH clean up authorized_keys when the work is done.