How to revoke specific key used to login with OpenSSH

Revoke a specific key used for key-based login with OpenSSH, using either a simple public key revocation list or the OpenSSH Key Revocation List (KRL) binary format.

OpenSSH configuration

Create empty revocation list file.

$ sudo touch /etc/ssh/sshd_revoked_keys
Do this before enabling the option in sshd_config; if the file named by RevokedKeys does not exist, public key authentication is refused for every user.

Edit sshd_config configuration file to include revocation list.

$ vim /etc/ssh/sshd_config
[...]
RevokedKeys /etc/ssh/sshd_revoked_keys
[...]

Reload OpenSSH server.

$ sudo systemctl reload ssh

If something goes wrong, inspect the auth.log log file; a missing revocation list file is easy to spot there.

$ tail /var/log/auth.log
[...]
Sep 16 23:39:02 buster sshd[909]: error: Error checking authentication key RSA SHA256:dzfaHFy/dUBtH03VtjnZABbVDxlzEvxKR/a3eOgqvZQ in revoked keys file /etc/ssh/sshd_revoked_keys: No such file or directory
[...]

Simple public key revocation list

This is the straightforward option: the revocation list file simply contains the public keys to be refused.

Display public key fingerprint.

$ ssh-keygen -l -f sshkey.pub
2048 SHA256:dzfaHFy/dUBtH03VtjnZABbVDxlzEvxKR/a3eOgqvZQ no comment (RSA)

Append public key to the revocation list file.

$ cat sshkey.pub | sudo tee -a /etc/ssh/sshd_revoked_keys

From now on this key is revoked; every attempt to use it is logged in the auth.log log file.

$ tail /var/log/auth.log
[...]
Sep 17 00:00:32 buster sshd[977]: error: Authentication key RSA SHA256:dzfaHFy/dUBtH03VtjnZABbVDxlzEvxKR/a3eOgqvZQ revoked by file /etc/ssh/sshd_revoked_keys
[...]

OpenSSH Key Revocation List

Use the OpenSSH Key Revocation List (KRL), a custom binary format, to manage revoked keys; the resulting file is very small.

Create empty Key Revocation List (KRL) file.

$ sudo ssh-keygen -k -f /etc/ssh/sshd_revoked_keys

Display public key fingerprint.

$ ssh-keygen -l -f sshkey.pub
2048 SHA256:dzfaHFy/dUBtH03VtjnZABbVDxlzEvxKR/a3eOgqvZQ no comment (RSA)

Check if specified key is revoked.

$ sudo ssh-keygen -Q -f /etc/ssh/sshd_revoked_keys sshkey.pub
sshkey.pub (sshkey.pub): ok

Revoke this specific key.

$ sudo ssh-keygen -k -u -f /etc/ssh/sshd_revoked_keys sshkey.pub
Revoking from sshkey.pub

Verify that key was revoked.

$ sudo ssh-keygen -Q -f /etc/ssh/sshd_revoked_keys sshkey.pub
sshkey.pub (sshkey.pub): REVOKED

From now on this key is revoked; every attempt to use it is logged in the auth.log log file.

$ tail /var/log/auth.log
[...]
Sep 17 00:15:33 buster sshd[1197]: error: Authentication key RSA SHA256:dzfaHFy/dUBtH03VtjnZABbVDxlzEvxKR/a3eOgqvZQ revoked by file /etc/ssh/sshd_revoked_keys
[...]
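The two procedures above (the plain-text list and the KRL) can be driven from one small script. The following POSIX shell helper is an added example, not code from the original post: for a plain-text list it appends the key material once and checks membership itself; when the list is a binary KRL it delegates to the same ssh-keygen -k -u and ssh-keygen -Q calls the post uses. It assumes that sshd matches entries in a plain-text RevokedKeys file on key type and base64 blob (the trailing comment is ignored), and that a KRL file begins with the magic string SSHKRL from OpenSSH's PROTOCOL.krl document. All paths and key blobs in the demo are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): manage sshd's RevokedKeys file
# from a script. Handles the plain-text list (one key per line, matched on key
# type and base64 blob, comment ignored) and, when the file is a binary KRL,
# delegates to ssh-keygen just as the post does.
# Assumption: a KRL starts with the magic "SSHKRL" (OpenSSH PROTOCOL.krl).
# All paths and key blobs below are constructed placeholders.

# Print "<type> <base64>" for the first key in a public key file.
key_material() {
    awk 'NF >= 2 && $1 ~ /^(ssh-|ecdsa-|sk-)/ { print $1, $2; exit }' "$1"
}

# True if the revocation list is a binary KRL rather than a text list.
is_krl() {
    [ "$(head -c 6 "$1" 2>/dev/null)" = "SSHKRL" ]
}

# Exit 0 if the key in $2 is listed in revocation list $1, 1 otherwise.
is_revoked() {
    list=$1; pub=$2
    if is_krl "$list"; then
        # ssh-keygen -Q exits non-zero when a tested key is REVOKED
        ! ssh-keygen -Q -f "$list" "$pub" >/dev/null
        return
    fi
    mat=$(key_material "$pub")
    [ -n "$mat" ] || return 1
    awk -v want="$mat" \
        'NF >= 2 && ($1 " " $2) == want { found = 1; exit } END { exit !found }' "$list"
}

# Add the key in $2 to revocation list $1; a no-op if it is already there.
revoke_key() {
    list=$1; pub=$2
    if is_krl "$list"; then
        ssh-keygen -k -u -f "$list" "$pub"
        return
    fi
    mat=$(key_material "$pub")
    [ -n "$mat" ] || { echo "no public key found in $pub" >&2; return 2; }
    is_revoked "$list" "$pub" && return 0
    printf '%s\n' "$mat" >> "$list"
}

# Self-contained walk-through with constructed keys in a temp directory.
demo() {
    dir=$(mktemp -d)
    list=$dir/sshd_revoked_keys        # stand-in for /etc/ssh/sshd_revoked_keys
    : > "$list"                        # create it empty first, as the post stresses
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERkeyONE0000000000 alice@laptop\n' > "$dir/one.pub"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERkeyTWO0000000000 bob@desktop\n' > "$dir/two.pub"
    revoke_key "$list" "$dir/one.pub"
    revoke_key "$list" "$dir/one.pub"  # second call adds nothing
    for f in one two; do
        if is_revoked "$list" "$dir/$f.pub"; then
            echo "$f.pub: REVOKED"
        else
            echo "$f.pub: ok"
        fi
    done
    rm -rf "$dir"
}
demo
```

Run it with sh to see the demo output (one.pub: REVOKED, two.pub: ok). On a real server, point list at /etc/ssh/sshd_revoked_keys and run as root; as in the post, sshd needs a reload only for the sshd_config change, not for each key added to the list.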

Additional notes

Read the sshd_config and ssh-keygen manual pages and inspect the OpenSSH Key Revocation List format for more information.

I didn’t use dedicated certificates as this is a topic for another blog post.