
On my server, I have several public SSH keys in ~/.ssh/authorized_keys.

I would like to temporarily block/disallow/deactivate one key. I want to prevent the user from logging in using this key now, but I might want to re-enable it later (i.e. I don't want to delete the key entirely).

What is the correct/recommended way to do it?

Shall I just put a comment # at the beginning of the line in authorized_keys, in front of the key?

To clarify, I don't want to block a specific user. One user account is shared among several people, each person connecting with his own SSH key. I want to block one specific SSH key.

Martin Vegter

2 Answers

11

You could prefix the key with a forced command that tells the user what's going on. For example:

restrict,command="printf 'Your key has been disabled\n'" ssh-rsa AAAAB2...19Q== [email protected]

or for OpenSSH before 7.2:

command="printf 'Your key has been disabled\n'",no-pty,no-port-forwarding ssh-rsa AAAAB2...19Q== [email protected]

Then they get:

$ ssh servername
PTY allocation request failed on channel 0
Your key has been disabled
Connection to servername closed.
jezzaaaa
7

Yes, you can just put a # (or any other character, as long as the initial entry, e.g. ssh-rsa, is no longer valid) before the relevant line.

If you do that, and the system allows plain-text password logins as well, the user will be prompted for a password to log in. So you might want to check that there is no (known) password associated with the account.

Anthon
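Both techniques from the two answers (prefixing the line with a forced `restrict,command=` that tells the user the key is disabled, and commenting the line out with `#`) amount to the same thing: edit one line of authorized_keys without deleting it, and undo the edit later. The script below is an added example written for this page, not code posted by either answerer. It works on a constructed authorized_keys file whose key blobs are placeholders (not real keys); the `make_sample`, `key_state` and `set_state` names are its own, and the key to act on is identified by a whole field of the line (the key comment or the base64 blob), so a partial match against another key is not possible.

```shell
#!/bin/sh
# Added example: toggle one key in an authorized_keys file between three
# states (active, commented out as in the second answer, prefixed with a
# forced command as in the first answer) without ever deleting it.
set -eu

# The exact prefix the first answer uses. Exported so awk reads it via
# ENVIRON, which (unlike awk -v) leaves the literal \n untouched.
DISABLED_PREFIX="restrict,command=\"printf 'Your key has been disabled\\n'\" "
export DISABLED_PREFIX

# Constructed sample file; the key blobs are placeholders, not real keys.
make_sample() {
  cat > "$1" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOneExampleKeyOneExampleKeyOne alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyTwo bob@desktop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyThreeExampleKeyThreeExampleKe carol@phone
EOF
}

# key_state FILE NEEDLE -> active | commented | restricted | absent
# NEEDLE must equal a whole whitespace-separated field of the line
# (the key comment or the base64 blob).
key_state() {
  awk -v needle="$2" '
    BEGIN { prefix = ENVIRON["DISABLED_PREFIX"]; plen = length(prefix); state = "absent" }
    function matches(  i) { for (i = 1; i <= NF; i++) if ($i == needle) return 1; return 0 }
    matches() {
      if (substr($0, 1, plen) == prefix) state = "restricted"
      else if ($0 ~ /^#/)                state = "commented"
      else                               state = "active"
      exit
    }
    END { print state }' "$1"
}

# set_state FILE NEEDLE MODE, with MODE one of comment | restrict | enable.
# Any existing marker is stripped first, so calls can be repeated or switched
# between modes. The result is copied back with cat so the file keeps its
# owner and mode: sshd (StrictModes) ignores an authorized_keys file that is
# owned by the wrong user or writable by others.
set_state() {
  file=$1 needle=$2 mode=$3
  tmp=$(mktemp "$file.XXXXXX")
  awk -v needle="$needle" -v mode="$mode" '
    BEGIN { prefix = ENVIRON["DISABLED_PREFIX"]; plen = length(prefix) }
    function matches(  i) { for (i = 1; i <= NF; i++) if ($i == needle) return 1; return 0 }
    !matches() { print; next }
    {
      line = $0
      if (substr(line, 1, plen) == prefix) line = substr(line, plen + 1)
      else sub(/^#[ \t]*/, "", line)
      if      (mode == "comment")  print "#" line
      else if (mode == "restrict") print prefix line
      else                         print line
    }' "$file" > "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# Demo on a throwaway copy, never on a live ~/.ssh/authorized_keys.
demo() {
  f=$(mktemp)
  make_sample "$f"
  set_state "$f" bob@desktop restrict
  key_state "$f" bob@desktop
  set_state "$f" bob@desktop comment
  key_state "$f" bob@desktop
  set_state "$f" bob@desktop enable
  key_state "$f" bob@desktop
  rm -f "$f"
}
demo
```

Two practical notes. If several people reuse the same key comment, pass the base64 blob instead (`ssh-keygen -lf ~/.ssh/authorized_keys` lists each line's fingerprint and comment so you can pick the right one). And, as the second answer warns, a commented-out key only helps if the account has no other way in: `sshd -T | grep -i passwordauthentication` shows the effective setting on the server.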