How to enforce least-privilege SSH access across your team
Least-privilege SSH access is one of the most effective security controls available to engineering teams. Here's what it actually looks like in practice — and why most teams aren't doing it properly.
The principle of least privilege is simple: every person and system should have access to exactly what they need, and nothing more. Applied to SSH access, it means no standing access to servers a person doesn't actively use, no shared keys, no "just in case" permissions that linger after a project ends.
In practice, most engineering teams fall well short of this. Not through negligence, but because SSH access is easy to grant and easy to forget. The gap between the access model you intend and the one that actually exists in your authorized_keys files grows silently, one exception at a time.
Access should be scoped to role, not seniority
The most common mistake teams make is treating SSH access as a privilege that scales with seniority — juniors get staging, seniors get production. This conflates trust with need.
A better model scopes access to what each person's current work actually requires. A senior engineer working exclusively on the API service has no operational need to access the database servers directly. A contractor brought in to work on the frontend has no need to touch infrastructure at all. Seniority might inform the approval process, but it shouldn't determine the default scope.
Define access tiers based on function, not title. Review them when roles change, not just when people join or leave.
Keys should be individual and attributable
Shared SSH keys are a security anti-pattern with no legitimate justification in a team environment. When a key is shared, you lose the ability to attribute access: you can't answer "who logged in to that server at 2am" with anything more specific than "someone with the shared key." You also can't revoke it for one person; the only way to remove a leaver's access is to rotate the key for everyone who had it.
Every person should have their own key pair, registered against their identity. Register the key's fingerprint (what `ssh-keygen -lf` prints), not the comment at the end of the authorized_keys line: the comment is free text that anyone can edit or omit, while the fingerprint is derived from the key itself. This is the foundation of any meaningful audit trail, and it's what compliance frameworks are asking for when they require unique user identification. DataraSSH enforces this by design: every key in the system is attributed to a specific person, which makes access reviews and offboarding straightforward rather than a manual forensics exercise.
Offboarding must be immediate and complete
One of the most common sources of unauthorised SSH access isn't external attackers; it's former employees and contractors whose keys were never removed. Standard offboarding checklists cover SSO, email, and Slack. SSH keys are routinely missed because there's no central record of which servers a person had access to.
Best practice is to treat SSH key revocation as a first-class step in any offboarding process, with a verified completion check. That means knowing, at the moment someone leaves, exactly which servers their key is on, not reconstructing it afterward by grepping through servers one by one. If you do have to search, search by fingerprint rather than by the comment field: a leaver's key still works until the line is deleted, so a server you missed is a server they can still reach.

Temporary access should expire automatically
For contractors, incident responders, or anyone needing short-term access to a system they don't normally touch, time-limited access is significantly safer than access that requires manual revocation. Grant access with an explicit expiry, and treat any extension as a fresh approval rather than a default continuation. OpenSSH supports this directly: an `expiry-time="YYYYMMDD"` option on the authorized_keys entry (OpenSSH 7.7 and later) makes sshd stop accepting that key after the given date, and SSH certificates carry a validity window inside the certificate itself, so the access stops without anyone remembering to delete it.
This is one of the areas where tooling makes the biggest practical difference. Manual expiry relies on someone remembering to follow up — and that follow-up reliably gets deprioritised when there's other work to do.
Regular audits catch what process misses
Even a well-designed access model drifts over time. Role changes, project handovers, and exceptions granted under pressure all create gaps between the intended model and the actual state of your infrastructure.
A quarterly access review — comparing current key attribution against current roles — is the minimum viable practice. It doesn't need to be elaborate. The goal is simply to answer: does every active key belong to a current team member, and does their access still match what their role requires? Any key that fails either check gets reviewed and either justified or revoked.
With DataraSSH, this review is a visibility exercise rather than a manual audit — the current state is already mapped, so the review is a matter of checking it against your role model rather than reconstructing it from scratch.
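As an added example (not DataraSSH's code, and not tied to any particular tool), the script below takes authorized_keys contents already collected from each host and performs the checks described in the offboarding, temporary-access and audit sections above: the offboarding lookup of which hosts still carry a leaver's key, a time-boxed grant written with OpenSSH's expiry-time option, and the review of every key against a roster of current people and their roles. Hosts, people, keys and roster are all constructed sample data; the key blobs are well-formed but are not real keys, and the script assumes the servers run in UTC (without a trailing Z, sshd interprets expiry-time in the server's local time zone).

```python
# Added example, not DataraSSH code. Audits authorized_keys snapshots for drift.
# Constructed inputs: SNAPSHOTS stands in for authorized_keys content already
# collected from each host, ROSTER for the key registry, ROLE_HOSTS for the
# host groups each role needs. sshd hosts are assumed to run in UTC.
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
             "sk-ecdsa-sha2-nistp256@openssh.com"}
EXPIRY = re.compile(r'expiry-time="(\d{8}|\d{12}|\d{14})Z?"')

def split_line(line):
    """(options, keytype, base64, comment) for one entry, None for blank/comment lines.
    Options may hold quoted strings with spaces and commas, so split on the first
    whitespace outside double quotes."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == "\\" and quoted:
                i += 1  # skip the escaped character
            elif line[i] == '"':
                quoted = not quoted
            i += 1
        options, line = line[:i], line[i:].lstrip()
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys entry: {line!r}")
    return options, parts[0], parts[1], parts[2] if len(parts) == 3 else ""

def fingerprint(b64):
    """SHA256 fingerprint as ssh-keygen -lf prints it (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def expiry(options):
    """UTC datetime from OpenSSH's expiry-time (YYYYMMDD[Z] or YYYYMMDDHHMM[SS][Z]), else None."""
    m = EXPIRY.search(options)
    if not m:
        return None
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(m.group(1))]
    return datetime.strptime(m.group(1), fmt).replace(tzinfo=timezone.utc)

def grant_temporary(key_line, granted_at, days):
    """Entry for a time-boxed grant: sshd stops accepting the key after `days`, and
    `restrict` disables forwarding, pty and agent use unless re-enabled."""
    entry = split_line(key_line)
    if entry is None or entry[0]:
        raise ValueError("pass a bare key line without options")
    until = (granted_at + timedelta(days=days)).astimezone(timezone.utc)
    return f'expiry-time="{until:%Y%m%d%H%M}Z",restrict {key_line.strip()}'

def hosts_with_key(snapshots, fp):
    """Offboarding lookup: hosts whose authorized_keys still carry this fingerprint."""
    return [host for host, (_group, text) in snapshots.items()
            if any(e and fingerprint(e[2]) == fp for e in map(split_line, text.splitlines()))]

def audit(snapshots, roster, role_hosts, now):
    """Access review: one (host, fingerprint, comment, reason) per key that is unattributed,
    belongs to someone offboarded, exceeds its owner's role, or has expired."""
    findings = []
    for host, (group, text) in snapshots.items():
        for options, _keytype, b64, comment in filter(None, map(split_line, text.splitlines())):
            fp = fingerprint(b64)
            if fp not in roster:
                findings.append((host, fp, comment, "unattributed: not registered to anyone"))
                continue
            person, role, active = roster[fp]
            if not active:
                findings.append((host, fp, comment, f"offboarded user {person} still has a key"))
                continue
            if group not in role_hosts.get(role, ()):
                findings.append((host, fp, comment, f"{person} ({role}) has no need for group {group}"))
            exp = expiry(options)
            if exp is not None and exp <= now:
                findings.append((host, fp, comment, f"expired {exp:%Y-%m-%d}, stale line to remove"))
    return findings

def fake_key(label):
    """Well-formed ssh-ed25519 blob for the sample data; the 32 key bytes are a hash, not a real key."""
    fields = (b"ssh-ed25519", hashlib.sha256(label.encode()).digest())
    return base64.b64encode(b"".join(len(f).to_bytes(4, "big") + f for f in fields)).decode()

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ALICE, BOB, CAROL, DAVE, EVE = (fake_key(n) for n in ("alice", "bob", "carol", "dave", "eve"))
ROSTER = {fingerprint(ALICE): ("alice", "api", True),  # fingerprint -> (person, role, still employed)
          fingerprint(BOB): ("bob", "db", True), fingerprint(CAROL): ("carol", "web", True),
          fingerprint(DAVE): ("dave", "api", False)}
ROLE_HOSTS = {"api": {"api"}, "db": {"db"}, "web": {"web"}}
SNAPSHOTS = {  # host -> (host group, constructed authorized_keys content)
    "api-1": ("api", f"ssh-ed25519 {ALICE} alice@laptop\nssh-ed25519 {DAVE} dave@laptop\n"),
    "db-1": ("db", f"# db admins\nssh-ed25519 {BOB} bob@laptop\n"
                   f"ssh-ed25519 {ALICE} alice@laptop\nssh-ed25519 {EVE} deploy\n"),
    "web-1": ("web", grant_temporary(f"ssh-ed25519 {CAROL} carol-contractor",
                                     NOW - timedelta(days=30), 14) + "\n"),
}
```

Importing the module and calling audit(SNAPSHOTS, ROSTER, ROLE_HOSTS, NOW) on the sample data yields four findings: dave's key still on api-1 after offboarding, alice holding a db-1 key her API role doesn't need, an unattributed "deploy" key on db-1, and carol's contractor grant that expired in May; hosts_with_key(SNAPSHOTS, fingerprint(DAVE)) answers the offboarding question directly. Note the asymmetry: sshd already refuses an expired key, so that finding is hygiene, whereas the offboarded key keeps working until the line is deleted. Matching is on fingerprints throughout, which is why the roster is keyed on fingerprints rather than on the comment field.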
The goal is a system, not a one-time cleanup
Most teams approach least-privilege SSH access as a remediation project: do the audit, clean up the keys, move on. Six months later the same problems have accumulated again.
The difference between teams that maintain good access hygiene and those that don't isn't the quality of their initial cleanup — it's whether they have a system that keeps access scoped correctly as the team and infrastructure evolve. Defined roles, individual keys, structured onboarding and offboarding, regular reviews. These aren't complex practices. They just need to be consistent.
DataraSSH was built to make that process practical — not a one-time cleanup, but an ongoing system. [Try DataraSSH](https://datara.studio) and run your first access audit in under ten minutes.