We have a case where a user's key is compromised and we need to remove his key. But currently, an admin is not able to do this.
Description
Description
Revisions and Commits
Revisions and Commits
Related Objects
Related Objects
Event Timeline
Comment Actions
Do you have the public key (or the private key), or do you just know which user has a compromised key but not know which key is compromised?
That is, which of these commands would you be able to run if they were available?
./bin/auth revoke-public-key /path/to/compromised_public_key.pub ./bin/auth revoke-private-key /path/to/compromised_private_key.key ./bin/auth revoke-all-keys-for-user username
Comment Actions
Until we have such a tool, you can revoke keys like this:
- All keys are stored in phabricator_auth.auth_sshkey.
- You can revoke a key by deleting the corresponding row in this table.
If you know the user or device, look up their PHID, the find keys with WHERE objectPHID = <that PHID>.
If you know the public key, you can find the row with WHERE keyBody = <public key>. Note that the column only stores the middle part of the key. If the key looks like this:
ssh-rsa AAAAbbbb...zzz== user@somehost.com
...the keyBody column will only store the "AAAbbbb...zzzz==" part. You can SELECT some keyBody values to see examples.
If you know the private key, first extract the public key like this:
ssh-keygen -y -f private.key
That should print out the public key, which you can then look up in the keyBody.
Comment Actions
We ask all users to upload their public keys via settings/panel/ssh/, so I guess the keys are stored somewhere in the database instead of on the Phabricator server. So I think I would be able to run ./bin/auth revoke-all-keys-for-user username.
Comment Actions
Here's a tentative plan for this:
- Give SSH keys real PHIDs.
- Have auth.querypublickeys expose the PHIDs.
- Implement PhabricatorDestructibleInterface on keys.
Then you could revoke keys like this:
- Find key PHIDs by using auth.querypublickeys:
- Use objectPHIDs to search for keys by user.
- Use keys to search for keys by public key text.
- Use ssh-keygen -y -f ... to extract public keys, then search for them, if you only have the private key.
- Use bin/remove destroy <phid> to destroy the key normally.
Since this rarely arises and reasonable workarounds exist (including those documented above) and this isn't really adjacent to other planned work I don't expect to get to it anytime too soon, but these steps are straightforward.
If you or anyone else wants to send us a patch: