Use case
Developer SSH offboarding without the key hunt
Know which servers a developer can access, remove permissions centrally, and stop relying on manual authorized_keys cleanup.
Offboarding gets messy when SSH keys are scattered
When SSH keys are copied directly onto servers, removing a developer's access means finding every server, every account, and every key that might belong to them.
- Keys may exist under multiple Linux accounts
- Old laptop keys may still work
- Comments in authorized_keys may be missing or wrong
- Access reviews require server-by-server checks
- Cleanup is easy to miss during rushed offboarding
Central permissions, local enforcement
- Users manage their own public keys
- Server access is defined as permissions
- Revoke access from one place
- Agent removes keys locally on the next sync
- Audit trail shows access history and activity events
Note: GrantSSH removes keys for new connections when access ends. It does not forcibly terminate already-open SSH sessions.
Related: developer SSH offboarding checklist · authorized_keys Analyzer
Make SSH offboarding less fragile
Revoke permissions centrally and let the agent remove keys from authorized_keys on each server.