[CentOS] ultrasecure sshd server

Fri Jun 10 16:27:54 UTC 2011
Devin Reade <gdr at gno.org>

Another option that you might want to look at is putting up an OpenBSD
gateway running authpf (see <http://www.openbsd.org/faq/pf/authpf.html>).

The model there is that an outside user has to open up an ssh shell
to the authpf gateway before they are allowed to access services
inside the network.  If their gateway shell goes away, so does their
access.  If you require password / secure token / whatever auth
on the gateway, then you do that once and then you can use ssh-key
auth to get to your inside machines as much as you'd like.

Authpf can be used to allow/restrict access to arbitrary network
services; it's not limited to just ssh.  The shell the user gets
on the authpf gateway is not usable for anything else; it just
sits there until the user logs out, so it can't be used to 
crack the gateway or internal machines.

Devin
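
Added example, not part of the original post: a minimal pf configuration for the gateway model described above, where inside ssh is reachable only from the address of a user who currently holds an authpf session. The interface name and the inside network are assumptions; adjust both to the actual gateway.

```conf
# ---- /etc/pf.conf on the gateway (constructed example) ----
ext_if  = "em0"             # assumed name of the outside interface
int_net = "192.0.2.0/24"    # assumed inside network (documentation range)

set skip on lo
block in all                # default: nothing from outside is let in or forwarded
pass out all                # the gateway's own and forwarded traffic may leave

# Anyone may reach the gateway's own sshd; that is where authentication happens.
pass in on $ext_if proto tcp to ($ext_if) port 22

# authpf loads each session's rules under this anchor and removes them
# again when that session's ssh connection ends.
anchor "authpf/*"

# ---- /etc/authpf/authpf.rules (constructed example) ----
# This file is parsed separately for every login, so it defines its own macros.
# authpf supplies $user_ip (the address the user connected from) and $user_id.
ext_if  = "em0"
int_net = "192.0.2.0/24"

# While the gateway session stays open, this one source address may reach
# ssh on the inside machines; every other source still hits "block in all".
pass in quick on $ext_if proto tcp from $user_ip to $int_net port 22
```

Accounts that should be handled this way get /usr/sbin/authpf as their login shell, and /etc/authpf/authpf.conf has to exist (it may be empty) before authpf will run.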