Algorithm based SSH authentication

1

I am investigating possible solutions for our company server access. The company distributes linux servers, some end up having public IP access, others are isolated on private networks. The problem is controlling our SSH access to these servers. (The client has no access)

Our company engineers need access to these servers for maintenance etc. However, if and when an engineer leaves the company we need a way of preventing them from gaining access to these servers.

Standard key-pairs are not really an option because we can't go round thousands of private networked servers removing and adding key-pairs every time an engineer leaves or is hired. Likewise with passwords. Restricting access by IP isn't a realistic option as the servers need to be accessed from different origins depending on the clients' network policies.

This got me thinking about some form of dynamic SSH authentication like using an HMAC in REST applications. Basically an engineer accesses a central server that generates a set of credentials that are valid for some arbitrary number of seconds for a specific server based on a signature. That way when an engineer leaves the company we can just revoke their access to the central signature generating server.

Can anybody see a problem with this approach? Does something like this already exist or am I going to have to write this?

tarka

Posted 2014-08-04T08:18:18.397

Reputation: 185
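The scheme sketched in the question, worked through as an added example (not code from the asker or the answerer): a central issuer signs a small claim set (user, target host, expiry) with an HMAC, and each target server verifies the signature, the host binding and the expiry before accepting it. Revocation only ever touches the issuer. The shared secret, the hostnames and the `REVOKED_USERS` set are constructed for the example; wiring `verify_credential` into sshd (for instance through PAM or `AuthorizedKeysCommand`) is not shown.

```python
import base64
import hashlib
import hmac
import json
import time

# Secret shared by the central issuer and every target server
# (constructed placeholder; provisioned once per server, never given to engineers).
ISSUER_SECRET = b"constructed-shared-secret-do-not-reuse"

# Engineers whose access has been withdrawn. Revocation happens only here,
# on the central issuer; no target server has to be visited.
REVOKED_USERS = set()


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the raw payload bytes, hex encoded."""
    return hmac.new(ISSUER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_credential(user: str, target_host: str, ttl_seconds: int, now=None) -> str:
    """Central issuer: credential bound to one user, one host and a short validity window."""
    if user in REVOKED_USERS:
        raise PermissionError(f"{user} is no longer allowed to obtain credentials")
    now = time.time() if now is None else now
    payload = json.dumps(
        {"user": user, "host": target_host, "exp": int(now + ttl_seconds)},
        sort_keys=True,
    ).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}"


def verify_credential(credential: str, my_hostname: str, now=None):
    """Target server: return the user if the credential is genuine, unexpired
    and issued for this host; otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = credential.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:
        return None
    # Verify the signature in constant time before trusting any field.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(payload)
    if claims.get("host") != my_hostname:
        return None  # issued for a different server, so useless here
    if now >= claims.get("exp", 0):
        return None  # validity window has passed
    return claims.get("user")


if __name__ == "__main__":
    cred = issue_credential("alice", "db01.example.internal", ttl_seconds=300)
    print("issued:", cred)
    print("db01 accepts:", verify_credential(cred, "db01.example.internal"))
    print("web02 accepts:", verify_credential(cred, "web02.example.internal"))
```

The two properties that matter for the question are visible in `verify_credential`: a credential stolen from one engineer's session stops working once `exp` passes, and a credential issued for one server is rejected by every other one. The answer below is right that this is essentially what Kerberos tickets provide, with the KDC playing the issuer's role and per-service keys instead of one shared secret.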

Answers

1

Congratulations, you have just invented Kerberos :) Kerberos works with a ticket system where a client requests a ticket granting ticket (TGT) from the Kerberos Key Distribution Center using a username and password. The client can then use this ticket to request additional service tickets which can be used to log on to the SSH servers.

All administration is done centrally on the Kerberos KDC and in conjunction with LDAP you can control which person can access which servers.

mtak

Posted 2014-08-04T08:18:18.397

Reputation: 11 805

1 – Love it when I invent something new! ;) – tarka – 2014-08-04T10:02:34.493