Delete SSH Keys

Last updated June 24, 2010

One of my users leaves the office and I’d like to disable her access to our UNIX / Linux system. How do I delete the ssh key from the UNIX systems so that the user cannot log in?

The first step is to disable the user's login with the following commands:

Linux Lock An Account

# passwd -l userName
# passwd -l vivek

FreeBSD Lock An Account

# pw lock userName
# pw lock vivek

Solaris / HP-UX UNIX Lock An Account

# passwd -l userName
# passwd -l vivek

Remove SSH Keys

$HOME/.ssh/ stores all required keys. A locked password does not necessarily block public key logins, so rename or delete the directory:
# mv /home/vivek/.ssh /home/vivek/nosshlogin
OR
# rm -rf /home/vivek/.ssh
On a remote server, edit the $HOME/.ssh/authorized_keys or $HOME/.ssh/authorized_keys2 file and remove the user's public key. This stops logins from the user's home computer into your server. Finally, you can always delete the user from your system with the pw (FreeBSD) or userdel (Linux / UNIX) command.
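
The manual edit of authorized_keys described above can be scripted so that only the departing user's key is dropped and every other entry survives. This is an added example, not part of the original article; the function names remove_pubkey and write_sample_keys and the key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example: delete one public key from an authorized_keys file and leave
# every other entry in place. Key blobs below are constructed, not real keys.

# remove_pubkey FILE KEYBLOB
#   KEYBLOB is the base64 field of the departing user's .pub file.
#   Returns 0 if at least one entry was removed, 1 if the key was not present,
#   2 on usage or I/O errors.
remove_pubkey() {
    file=$1 blob=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    [ -n "$blob" ] || { echo "empty key blob" >&2; return 2; }
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    # Compare whole whitespace-separated fields, so entries that start with
    # options (from="...", command="...") still match; comment lines are kept.
    awk -v blob="$blob" '
        /^[[:space:]]*#/ { print; next }
        {
            for (i = 1; i <= NF; i++)
                if ($i == blob) { removed = 1; next }
            print
        }
        END { exit (removed ? 0 : 1) }
    ' "$file" > "$tmp" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        cp -p "$file" "${file}.bak"   # keep the pre-change file for rollback
        cat "$tmp" > "$file"          # rewrite in place: owner and mode stay
    fi
    rm -f "$tmp"
    return "$rc"
}

# write_sample_keys FILE: constructed authorized_keys content for a dry run.
write_sample_keys() {
    cat > "$1" <<'EOF'
# admin workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyAdmin admin@desk
from="192.0.2.10",command="/usr/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADConstructedKeyVivek vivek@home
ssh-rsa AAAAB3NzaC1yc2EAAAADConstructedKeyVivek vivek@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBackup backup@nas
EOF
}
```

Run it against both authorized_keys and authorized_keys2 on each server; a return code of 1 means the key was not in that file.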

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.

5 comments

  1. Puppet rocks.
    Change ‘ensure => present’ to ‘ensure => absent’.
    I can remove ssh access to hundreds of machines with one tweak.

  2. I’ve been out of the loop on disabling accounts for a while. What has changed?

    1. The user continues to receive e-mail. Any rules could still be executed.
    2. cron and at jobs still run.
    3. I can’t remember if sudo commands configured as NOPASSWD could still be run.

    Short of deleting the user, we always prepended an additional character to the name if the user might return. That broke the e-mail/cron connection. I don’t know enough about Puppet or cfengine to know if changing the username in this way is possible.

  3. We may also edit /etc/ssh/sshd_config, and by adding the line:
    DenyUsers [user name]
    we may disable the possibility of logging in by this user.
