Use case

Developer SSH offboarding without the key hunt

Know which servers a developer can access, remove permissions centrally, and stop relying on manual authorized_keys cleanup.

Offboarding gets messy when SSH keys are scattered

When SSH keys are copied directly onto servers, removing a developer's access means finding every server, every account, and every key that might belong to them.

  • Keys may exist under multiple Linux accounts
  • Old laptop keys may still work
  • Comments in authorized_keys may be missing or wrong
  • Access reviews require server-by-server checks
  • Cleanup is easy to miss during rushed offboarding

Central permissions, local enforcement

  • Users manage their own public keys
  • Server access is defined as permissions
  • Revoke access from one place
  • Agent removes keys locally on the next sync
  • Audit trail shows access history and activity events

Note: GrantSSH removes keys for new connections when access ends. It does not forcibly terminate already-open SSH sessions.

Related: developer SSH offboarding checklist · authorized_keys Analyzer

Make SSH offboarding less fragile

Revoke permissions centrally and let the agent remove keys from authorized_keys on each server.