That is a spectacularly dumb idea. Every single remote worker is going to come in from a random IP address. None of them have static IPs, and they are trying to work from coffee shops, airports, hotels, etc. What matters is having the right private key, not what the IP address is.
That doesn’t seem like a very secure solution. IPs may change, and then you have allowlisted IPs that no longer belong to your remote worker.
Pretty hard to have a known IP without a static IP, genius.
Unless you suggest that they whitelist the entire ISP range which defeats the purpose.
I don’t know enough about their offerings.
You want a static IP
A full VPS
Try Google searches for “build your own VPN with DigitalOcean” and you should find some complete tutorials.
Their weak point is exposing port 22. OpenVPN even with the basic certs is very robust. Again, I’d argue the company needs to have an enterprise VPN but in absence of that, the next best thing would be a hardened Linux box you can VPN into and use as your jump box. It’s no more a risk than just exposing port 22 and updating the IP every time it changes.
Depending on your firewall solution you can easily do whitelisting via hostname which would work… PFSense has a DYNDNS package that allows you to do this.
spoken as someone who never exposed port 22 to the world
It takes a bit of effort to properly sanitize ssh. Hence the crude, but rather effective, blocking everything and allowing just a few ips. But that doesn’t scale, which is exactly the pain point.
Making do with ssh isn’t the answer, imho, but rather getting a tool that lets you on the secure network without much hassle… hence vpn solution.
Tailscale would be the simplest, dumbest way of doing that. Then you can go all the way to full enterprise solutions, not sure how they compare at scale.
Yes, a VPN is just one popular example. More modern techs that would do the job usually have “zero-trust” somewhere in their buzzword list.
If the architecture requires users hack together something complicated or expensive just to get their work done, it’s probably a good idea to do some re-architecting. This shouldn’t be a problem for a home network to solve.
I’m with you, there are probably 6+ sane solutions to this problem and they picked the IT equivalent of killing a spider with a roofing hammer.
Hence the ‘connect over a VPN to access the services’, but then allowing remote workers to work on confidential material from random coffee shops, airports, etc is stupid - correct PKI keys or not. “Remote work” is not the same as “work from home” as ‘home’ can be secured a lot better than a coffee shop (shoulder surfing, etc)
Different businesses have different use cases - the use case described requires a known IP address. Many ISPs have “sticky” IPs which don’t change whilst you have an active connection, so the user can have the same IP for months whilst their xDSL stays connected. Forced cycling of IPs every 30 mins is just an ISP’s way to prevent a domestic line being used for commercial hosting purposes, and to sell you a static IP for $10/month.
That’s why you modify the user’s whitelisted IP entry rather than add yet another entry.
Exposing ssh to the internet is dumb, even if they sort of filter it by IP…
I don’t do that with my homelab lol…
Again I agree if the corporation was whitelisting based on URL/on the firewall, but a lot of companies that have single systems that have SSH as the edge device tend to only do IP whitelists. How it’s set up is probably either a tiny company that can’t afford/won’t spend the money on a firewall that does FQDN matching, or they have regulations which are in themselves outdated and require matching by IP. I’ve run into both those issues at a few companies.
Source: me, SME firewall engineer for 15 years.
Yeah, I was just saying that if you’re using ssh, it can be secured fairly well. VPN is the usual answer, though I’ve seen some orgs (small, cheap) use SSH.
And yeah, I have exposed port 22 to the world. For about 5 minutes. Once. Doesn’t everyone make that mistake?
Hahaha I’m going to have to start using that analogy. I’ve come across “really whips the llama’s ass” and will also have to add that.
You are reaching. Working from home includes coffee shops. Nobody is “shoulder surfing.” If the data is that confidential, it must be prohibited from personal property and remote access. If it is less confidential, issue laptops with encrypted partitions. IP whitelisting is a total non-starter.
There is no conspiracy among ISPs to rotate IPs in order to sell static ones. Some change, some don’t. Personally, my Xfinity IP changes so infrequently, a couple of times a year, that I dropped my static and use FreeDNS.afraid.org.
That’s a lot of work and hard to scale. Some infinitely better solutions would be - 1. Zero trust apps, or 2. VPN
WRONG!
SSH user cert authentication. DONE.
The fact that you wrote “sort of filter it by IP”, tells me you have zero clue on how to competently secure SSH.
Exposing SSH (when appropriately configured) presents less risk surface than essentially all other alternatives.
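The comment above rests on what “appropriately configured” means, and an earlier one notes that “properly sanitizing” SSH takes effort. The following is an added example, not code from any commenter, of a small audit that reads an sshd_config and flags the settings that matter when port 22 faces the Internet: password and keyboard-interactive auth still on, root login allowed, and no user CA (`TrustedUserCAKeys`) for certificate authentication. The two sample configs and the `/etc/ssh/user_ca.pub` and `AuthorizedPrincipalsFile` paths are constructed placeholders; the directive names and the defaults table reflect current OpenSSH behaviour (a Match block is where the audit stops, since its settings are conditional).

```python
"""Audit an sshd_config for the settings that make Internet-exposed SSH
defensible: key/certificate-only authentication, no root login, a user CA.
Added example; sample configs below are constructed, not from a real host."""
from __future__ import annotations

import re

# Constructed sample: the kind of config that gets "filtered by IP" instead of fixed.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: key/certificate-only login; CA and principals paths are placeholders.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
# Accept user certificates signed by the organisation's SSH CA (placeholder path)
TrustedUserCAKeys /etc/ssh/user_ca.pub
# Each user may only log in with a certificate carrying a principal listed here (placeholder path)
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
LoginGraceTime 20
MaxAuthTries 3
"""

# OpenSSH defaults that apply when a directive is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

# Older name for the same directive (deprecated alias in recent OpenSSH).
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return global (pre-Match) directives as {lowercase key: value}.

    sshd honours the first occurrence of a directive and accepts both
    'Key value' and 'Key=value' forms; Match blocks are conditional, so the
    audit stops when it reaches one."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)
    return settings


def effective(settings: dict[str, str], key: str) -> str:
    """Value sshd will actually use: explicit setting, else the built-in default."""
    return settings.get(key, DEFAULTS.get(key, "")).lower()


def audit_sshd_config(text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing flagged."""
    s = parse_sshd_config(text)
    findings: list[str] = []
    if effective(s, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': an exposed port 22 accepts online password guessing")
    if effective(s, "kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM can still prompt for a password")
    if effective(s, "permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no': direct root login remains possible")
    if effective(s, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off: there is no key/certificate login path")
    if "trustedusercakeys" not in s:
        findings.append("TrustedUserCAKeys unset: no SSH user CA, so access is managed per host via authorized_keys")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

Run it as-is to compare the two constructed configs, or point `audit_sshd_config` at the contents of a real `/etc/ssh/sshd_config`. Certificate authentication is what turns the allowlist debate on its head: the server trusts one CA key, and each worker's short-lived certificate (signed with `ssh-keygen -s`) carries the principals and validity window, so nothing on the server has to track where the worker is connecting from.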
Exposing ssh to the internet is dumb
It’s beyond dumb. It’s malicious.
Bro I’m a network/systems engineer who has also been in the field for over 15 years for INC500 companies. This is homenetworking subreddit, not a business. Results are going to be totally different.
Most home users aren’t going to need to whitelist IPs…