
SSH access without sharing private keys

Private keys sprawl into laptops, hand-offs, and forgotten drives. Here is how to give teammates SSH access without distributing a single private key.

Private SSH keys are one of the messiest secrets in IT. They spread across laptops, sit in forgotten ~/.ssh directories, and make offboarding a scavenger hunt. Getting rid of them isn’t only a security win; it’s an operational win that happens to be a security win.

What “without private keys” means in practice

It doesn’t mean no cryptography. SSH still authenticates the server with asymmetric cryptography, and the endpoint still holds a keypair of its own. What changes is who holds that private key (an agent on the endpoint, not a person) and what the operator presents instead: a short-lived session token rather than a key that lives for years.

LynxTrac’s model: each endpoint runs an agent with its own long-lived keypair, enrolled at install time. When an operator wants shell, they authenticate with SSO to the control plane, and the control plane issues an ephemeral, scoped session token to the agent. The session token authorizes a single SSH connection for a bounded time. No long-lived private key is ever on an operator’s laptop.

What you give up

Offline access. You can’t open a session without the control plane. For air-gapped environments, traditional SSH is still the right answer. For everything else, the dependency is a net win because you want every session audit-logged anyway.

Custom SSH configs. Ports, proxy commands, and ~/.ssh/config idioms don’t apply the same way. Most teams find the simplified mental model refreshing after a week.

What you gain

  • Instant revocation. Remove an operator from your IdP — access dies in seconds, not “after the next key rotation.”
  • No key sprawl. You never have to hunt down who copied prod-admin.key to their laptop in 2023.
  • Scoped sessions. A session can be limited to a single host, a single command shape, or a single duration.
  • Clean audit. Every session is tied to an SSO identity, not a key that could have been shared.
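The flow described under “What ‘without private keys’ means in practice”, and the revocation, scoping and audit properties listed above, reduce to a handful of checks on a short-lived token. The model below is an added example, not LynxTrac’s code: the class names, the token layout and the per-host enrollment secret are assumptions. It substitutes an HMAC-SHA256 secret shared between control plane and agent for the per-agent asymmetric keypair the post describes, so that it runs on the standard library alone; the checks (identity binding, host scope, expiry, single use, optional command scope) are the point, not the primitive.

```python
"""Toy model of the SSO -> control plane -> agent session-token flow (added example).

Assumption: each agent was enrolled with a secret the control plane also holds. A real
deployment would sign with an asymmetric key so the agent cannot mint tokens itself.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ControlPlane:
    def __init__(self, active_operators, agent_secrets):
        self.active = set(active_operators)       # mirrors the IdP: who may be issued a session
        self.agent_secrets = dict(agent_secrets)  # host -> secret established at enrollment
        self.audit = []                           # every issuance, tied to the SSO identity

    def issue(self, operator, host, ttl_s=60, command=None, now=None):
        """Token authorizing one SSH connection to `host`, or None if the IdP no longer knows `operator`."""
        if operator not in self.active or host not in self.agent_secrets:
            return None
        now = time.time() if now is None else now
        claims = {"sub": operator, "host": host, "iat": now, "exp": now + ttl_s,
                  "jti": secrets.token_hex(16)}  # jti makes the token single-use
        if command is not None:
            claims["cmd"] = command               # optional command-shape scope
        body = _b64u(json.dumps(claims, sort_keys=True).encode())
        mac = hmac.new(self.agent_secrets[host], body.encode(), hashlib.sha256).digest()
        self.audit.append(("issued", operator, host, claims["jti"]))
        return body + "." + _b64u(mac)

    def revoke(self, operator):
        """IdP removed the operator: no new tokens. Tokens already issued live until their exp."""
        self.active.discard(operator)


class Agent:
    def __init__(self, host, secret):
        self.host, self.secret = host, secret
        self.redeemed = set()  # jti values already spent on a connection

    def authorize(self, token, command=None, now=None):
        """Return (ok, reason, claims). On ok the caller opens exactly one session as claims['sub']."""
        try:
            body, mac = token.split(".")
            expected = hmac.new(self.secret, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64u(mac)):
                return False, "bad signature", None   # wrong agent secret or tampered claims
            claims = json.loads(_unb64u(body))
        except (ValueError, TypeError):
            return False, "malformed", None
        if not isinstance(claims, dict):
            return False, "malformed", None
        now = time.time() if now is None else now
        if claims.get("host") != self.host:          # defence in depth behind per-host secrets
            return False, "wrong host", None
        if now >= claims.get("exp", 0):
            return False, "expired", None
        if "cmd" in claims and command != claims["cmd"]:
            return False, "out of scope", None
        if claims.get("jti") in self.redeemed:
            return False, "replay", None
        self.redeemed.add(claims["jti"])
        return True, "ok", claims


if __name__ == "__main__":
    # Constructed walk-through: one operator, one enrolled host.
    secret = b"enrolled-secret-web-1"
    cp = ControlPlane({"alice"}, {"web-1": secret})
    web = Agent("web-1", secret)
    tok = cp.issue("alice", "web-1", ttl_s=60)
    print(web.authorize(tok)[:2])   # first use is accepted
    print(web.authorize(tok)[:2])   # second use of the same token is a replay
    cp.revoke("alice")
    print(cp.issue("alice", "web-1"))  # None: nothing new can be issued
```

Two things the model makes visible that the bullet list glosses over. Revocation is immediate for issuance, but a token already in an operator’s hands stays valid until its `exp`, so the token TTL is the real upper bound on “seconds”; keep it short. And the audit trail is keyed on the SSO subject at issuance time, which is what makes “who opened this session” answerable without ever asking who might have copied a key.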

The migration path

Moving off shared keys doesn’t happen overnight:

  1. Inventory. Pull every authorized_keys file across your fleet. You’ll be unpleasantly surprised.
  2. Pilot. Enroll agents on a staging fleet, flip one team to SSO-backed sessions for two weeks.
  3. Deprecate. Remove the old keys from authorized_keys, keeping a break-glass root key in a vault.
  4. Delete. After 60 days without incident, the break-glass key goes to cold storage.
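The inventory step is where most teams stall, because the raw material is dozens of authorized_keys files with no labels. The script below is an added example, not LynxTrac’s tooling. It assumes you have already copied each host’s authorized_keys (for every login user you care about) into a local directory with one file per host; the fleet embedded here is constructed inline so the example runs offline, and its key bytes are placeholders rather than real keys. Fingerprints are computed the way `ssh-keygen -lf` prints them (SHA256 over the key blob, base64 without padding), so they can be cross-checked against that tool, and each line’s declared key type is checked against the type string inside the blob so a corrupted or hand-edited line is reported instead of silently counted.

```python
"""authorized_keys inventory across a fleet (added example, not LynxTrac tooling)."""
import base64
import hashlib
import os
import struct
from collections import defaultdict

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def split_options(line):
    """Split a line into (options, rest). Options end at the first whitespace outside
    double quotes, so command="/usr/bin/rrsync /srv",no-pty keeps its embedded space."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            return line[:i], line[i:].lstrip()
    return line, ""  # options with nothing after them: malformed


def parse_line(line):
    """Return (fingerprint, key_type, options, comment) or raise ValueError."""
    options, rest = split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("no key material")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in KEY_TYPES:
        raise ValueError(f"unknown key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("bad base64") from exc
    if len(blob) < 4:
        raise ValueError("truncated blob")
    (n,) = struct.unpack(">I", blob[:4])  # blob begins with its own type string
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared type does not match key blob")
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return fp, key_type, options, comment


def build_inventory(fleet):
    """fleet: {host: authorized_keys text}. Returns (inventory, problems) where inventory maps
    fingerprint -> {type, hosts, comments, options} and problems lists (host, line_no, reason)."""
    inventory = defaultdict(lambda: {"type": None, "hosts": set(), "comments": set(), "options": set()})
    problems = []
    for host, text in fleet.items():
        for line_no, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            try:
                fp, key_type, options, comment = parse_line(line)
            except ValueError as exc:
                problems.append((host, line_no, str(exc)))
                continue
            entry = inventory[fp]
            entry["type"] = key_type
            entry["hosts"].add(host)
            if comment:
                entry["comments"].add(comment)
            if options:
                entry["options"].add(options)
    return dict(inventory), problems


def shared_keys(inventory, min_hosts=2):
    """Keys present on at least min_hosts hosts: the ones most likely to have been copied around."""
    return sorted(fp for fp, e in inventory.items() if len(e["hosts"]) >= min_hosts)


def unlabelled_keys(inventory):
    """Keys with no comment anywhere: nobody can say whose they are."""
    return sorted(fp for fp, e in inventory.items() if not e["comments"])


def load_fleet(directory):
    """Read one authorized_keys file per host from a directory laid out as <dir>/<host>."""
    return {name: open(os.path.join(directory, name)).read() for name in sorted(os.listdir(directory))}


def _blob(key_type, key_bytes):
    """Wire-format public key blob, used only to build the constructed sample."""
    return base64.b64encode(struct.pack(">I", len(key_type)) + key_type
                            + struct.pack(">I", len(key_bytes)) + key_bytes).decode()


# Constructed sample: placeholder key bytes, not real keys. K1 is the copied-around admin key.
K1, K2, K3, K4 = (_blob(b"ssh-ed25519", bytes([i]) * 32) for i in (1, 2, 3, 4))
SAMPLE_FLEET = {
    "web-1": f"ssh-ed25519 {K1} prod-admin\n",
    "web-2": f"ssh-ed25519 {K1}\nssh-ed25519 {K2} bob@laptop\n",
    "db-1": f'# backups\ncommand="/usr/bin/rrsync /srv/backup",no-pty ssh-ed25519 {K3}\n'
            f"ssh-ed25519 {K1} prod-admin\nssh-rsa {K4} tampered\n",
}
```

Run `build_inventory(load_fleet("keys/"))` against the collected files and look at three lists: `shared_keys` (the candidates for “who copied prod-admin.key”), `unlabelled_keys` (the ones nobody will claim during offboarding) and `problems` (lines that will not authenticate anyway and can be removed first).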

The last two steps are the ones teams hesitate on. They shouldn’t. The longer the old keys exist, the more likely they are to be the path a future attacker takes.

Try it yourself

LynxTrac is free forever for 2 servers — no credit card, no sales call. Start in under 2 minutes →
