HowTo: Revoke OpenSSH Keys and Disable User Access

Author: Vivek Gite Last updated: November 6, 2012 3 comments
Many users are using ssh to log into a remote machine and append the indicated identity file to machine’s ~/.ssh/authorized_keys file. I recently moved one of my server, and I would like to revoke openssh keys and disable user access under Linux operating systems. How do I revoke OpenSSH keys under Unix or Linux operating systems?

Tutorial details
Difficulty Easy (rss)
Root privileges Yes
Requirements OpenSSH client
Time N/A
The default ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2 file lists and stores the public keys (DSA/ECDSA/RSA) that can be used for logging for any user using public key authentication. Each line of the file contains one key. You can simply delete the key from this file, and the user can not access the server using the ssh client. You also need to disable or lock an user account using passwd command.

Example

In this example, remove vivek@server1.cyberciti.biz from ~/.ssh/authorized_keys and lock the user account too:
# cd /home/vivek
# sed -i '/ vivek@server1.cyberciti.biz$/d' ~/.ssh/authorized_keys
# passwd -l vivek

A note about long term solution

If your setup has hundreds of users, tens of thousands, thousands of accounts for OpenSSH, try OpenSSH with LDAP. Use LDAP for key storage management. You can add, remove, and revoke keys. However, this approach adds levels of complexity to a solution, and learning curve can be very complex.

Another option is to store shared home directories on an NFS server so that one can easily add or delete the keys.


🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 3 comments so far... add one

Related Tutorials
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
3 comments… add one
  • Vijay Oct 19, 2012 @ 13:36

    We can use any configuration management tools like Puppet etc to get this , right ?

    Reply Link
    • Jonathan Oct 19, 2012 @ 22:44

      Sure that would work as well.

      Keep in mind that, when using Puppet, etc… most schemes will wipe out any user generated keys whenever the config management system does a check. This won’t prevent a user from creating their own keys for a temporary basis, but will wipe out any changes they make to the file.

      For a bunch of networked servers, I’d rather recommend one of the two following approaches :
      1. Store SSH keys in LDAP ( Openssh servers generally will require LPK patch set ).
      -or-
      2. Provide CA signed certificates to your users and keep a certificate revocation list to centrally disable certain certificates.

      Reply Link
  • JJ Asghar Nov 12, 2012 @ 22:15

    Any good links on how to do the OpenSSH+LDAP configuration? I’ve been kinda overwhelmed about the information on it. I’m looking from a “i have 12 machines with keys installed on all, then this is how you spin up a main LDAP machine and how to import the keys to it, and then this is how the 12 machines call back to the main LDAP.”

    Thanks!

    Reply Link

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Problem posting comment? Email me @ webmaster@cyberciti.biz

Next FAQ:

Previous FAQ:

FEATURED ARTICLES

Sign up for my newsletter