Delete SSH Keys

Last updated June 24, 2010

One of my users leaves the office and I’d like to disable her access to our UNIX / Linux system. How do I delete the ssh key from the UNIX systems so that the user cannot log in?

The first step is to disable the user's login with one of the following commands:

Linux Lock An Account

# passwd -l userName
# passwd -l vivek

FreeBSD Lock An Account

# pw lock userName
# pw lock vivek

Solaris / HP-UX UNIX Lock An Account

# passwd -l userName
# passwd -l vivek

Remove SSH Keys

The user's $HOME/.ssh/ directory stores all of their SSH keys. Either rename the directory or delete it:

# mv /home/vivek/.ssh /home/vivek/nosshlogin
# rm -rf /home/vivek/.ssh

On a remote server, edit the $HOME/.ssh/authorized_keys or $HOME/.ssh/authorized_keys2 file and remove the user's public key. This stops logins from the user's home computer to your server. Finally, you can always delete the user from your system using the pw (FreeBSD) or userdel (Linux / UNIX) command.
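
For the remote-server case, where a single public key has to come out of authorized_keys while the other entries stay, the edit can be scripted. This is an added example, not part of the original article; the function name remove_authorized_key, the temporary paths and the key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): revoke one public key from an
# authorized_keys file without touching the other entries.

# remove_authorized_key AUTH_FILE PUBKEY_FILE
# Prints the number of entries removed; returns 1 on bad input.
remove_authorized_key() {
    auth_file=$1
    pub_file=$2
    [ -f "$auth_file" ] && [ -f "$pub_file" ] || return 1

    # A .pub file is "type base64-blob [comment]"; the blob identifies the key.
    blob=$(awk '$1 !~ /^#/ && NF >= 2 { print $2; exit }' "$pub_file")
    [ -n "$blob" ] || return 1

    tmp=$(mktemp "${auth_file}.XXXXXX") || return 1
    # Compare every whitespace-separated field, so entries that start with
    # options (from="...", command="...") are matched as well.
    removed=$(awk -v blob="$blob" -v out="$tmp" '
        {
            for (i = 1; i <= NF; i++)
                if ($i == blob) { n++; next }
            print > out
        }
        END { print n + 0 }
    ' "$auth_file") || { rm -f "$tmp"; return 1; }

    cp -p "$auth_file" "${auth_file}.bak"   # keep a copy for rollback
    cat "$tmp" > "$auth_file"               # rewrite in place: owner and mode unchanged
    rm -f "$tmp"
    echo "$removed"
}

# Constructed sample data (the key blobs are made-up strings, not real keys).
demo_dir=$(mktemp -d)
cat > "$demo_dir/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEEPKEEPKEEPKEEP admin@office
from="192.0.2.10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABLEAVERLEAVER vivek@home
# comment line
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABOTHEROTHER backup@server
EOF
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABLEAVERLEAVER vivek@home" > "$demo_dir/vivek.pub"
demo_removed=$(remove_authorized_key "$demo_dir/authorized_keys" "$demo_dir/vivek.pub")
echo "removed $demo_removed entry; remaining:"
cat "$demo_dir/authorized_keys"
```

Run it against both authorized_keys and authorized_keys2 where the second file exists, and delete the .bak copy once the change is confirmed.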

Posted by: Vivek Gite


5 comments

  1. Puppet rocks.
    Change ‘ensure => present’ to ‘ensure => absent’.
    I can remove ssh access to hundreds of machines with one tweak.

  2. I’ve been out of the loop on disabling accounts for a while. What has changed?

    1. The user continues to receive e-mail. Any rules could still be executed.
    2. cron and at jobs still run.
    3. I can’t remember if sudo commands configured as NOPASSWD could still be run.

    Short of deleting the user, we always prepended an additional character to the name if the user might return. That broke the e-mail/cron connection. I don’t know enough about Puppet or cfengine to know if changing the username in this way is possible.

  3. We also may edit /etc/ssh/sshd_config and, by adding the line:
    DenyUsers [user name]
    we may disable the possibility of logging in by this user.
