OpenSSH has broader key revocation than I thought
A while back, OpenSSH gained support for doing host and user authentication through a local Certificate Authority. Instead of directly trusting public keys, you configured a CA (or more than one) and then trusted anything signed by that CA. For user keys, this has the usual weakness of the basic CA model; for host keys, it's probably an improvement in practice but I'd like to know what happens if you get handed a new CA-signed host key for a host that you already saw one for.
If you're sensible, when you add Certificate Authorities to a security system you also add key revocation. So I wasn't particularly surprised to read in passing that OpenSSH supported key revocation, and I didn't think anything more about it. For years, I've assumed that OpenSSH's key revocation was intended for and limited to CA-signed keys. As I discovered recently when I actually looked at the relevant sections of the manual pages, this is not the case. While revoking keys appears to have been added to OpenSSH along with CA signed keys in OpenSSH 5.4 (released in early 2010), they were never limited to revoking only those keys. OpenSSH key revocation can be used to block any SSH key, and it's been that way from the beginning.
(For instance, the sshd_config(5) manpage is very specific on this,
RevokedKeys that 'keys listed in this file will be
refused for public key authentication'. Any keys. And in fact it
cautions you that if this file is unreadable, all keys will be
Keys to be revoked can be specified in a variety of ways, per the
manpage. The most straightforward one is simply one public key per
line, exactly as you'd put them in
authorized_keys (and perhaps
that's where you get them from). For CA-signed keys, you have a
couple of options spelled out in ssh-keygen(1)'s 'Key Revocation
Lists'. OpenSSH 7.9 adds
some additional useful options, but that's another entry (especially
since it will probably be a few years before it's relevant to us;
Ubuntu 18.04 is probably unlikely to update their version, much
With that said, I'm not sure there's much use for key revocation
in our particular environment because people have only a single
home directory and thus a single
authorized_keys to maintain.
If a key is compromised, it just gets removed.
(I'm assuming that attackers won't reuse keys that they add to
authorized_keys and so there's no point in blocking
further uses of such a key. This may be wrong.)
Comments on this page:Written on 31 October 2018.