Undo Revoke SSh Key

I accidentally revoked my SSH key. It is important that I use this key. How can I un-revoke it?

1 Like

There’s no way to un-revoke keys, but you should be able to upload the same public key again.

Thank you but I tried that before I came here. I can not upload the same public key again. The exact error is:

This key has been revoked. Choose or generate a new, unique key.

I have tried using a different name/title for the key but I get the same error.

Then no, you can’t un-revoke a key. There’s some reasonable security reasons why this isn’t possible (Mostly because it’s usually easy to create a new key).

That’s true for some users and that is what I did. But non-technical people will “revoke” a key accidentally and then they will have other keys to keep track of. The way I solved this included changing my local .ssh/config file to use a unique key for phabricator but my normal key for everything else. No non-technical person will do that but a non-technical person might accidentally revoke a key. I did it just because I wanted to push all the buttons. Someone else might do it because they think they installed the wrong key or so many other reasons.

Maybe a key should be re-installable upon admin approval?

Anyway where is the database that Phabricator is checking keys against to see if it’s already been revoked? Maybe I can manually delete this key in a DB or file in the system.

Look in the source code for the Auth application, it should be somewhere in there.

Hello!

I also needed to un-revoke a key because of an user mistake, and having said that I think it’s absolutely good that normal users can’t un-revoke keys (as @avivey says), anyway it may be frustrating to be a system administrator and feel like you do not have control over your system. There are reasonable security reasons to allow un-revoking a key.

Inspecting the auth application, as suggested, I’m able to provide a quick and dirty workaround that allow to re-upload your key, I think without breaking internal constraints:

  1. Locate the file src/applications/auth/storage/PhabricatorAuthSSHKey.php and go in an empty line like the highlighted one
  2. Add there this code:
  /**
   * Patch to allow editing a specific disabled SSH key.
   * Remove when you have finished!
   *
   * @override
   * @return boolean
   */
  public function getIsActive() {
    return parent::getIsActive() || $this->getId() == 666;
  }

Change the 666 with your key ID. You know your key ID because it’s exposed in its page URL (e.g. /auth/sshkey/view/666/).

  1. Save the file and visit the key page: now you can click on Edit SSH key
  2. Replace the Public Key field with something dummy like this and save:
ssh-rsa toMakePhabricatorHappyWhenReuploadingMyRevokedKey foo@bar
  1. Now you can safetly re-upload your revoked public key (because it was never revoked! shh!).

Then just remember to rollback your changes inside src/applications/auth/storage/PhabricatorAuthSSHKey.php.

Well there may be quicker and cleaner workarounds but I have not found the related documentation and with 30 databases and 500 tables I have not found the time to improve my solution.

@securesystemdesign Let me know if I helped or if you have found a cleaner way. I hope you was not constrained to re-generate a new public key in the meanwhile.