What's Actually Happening
Your SSH key is rejected during authentication because it has been added to a revocation list on the server. SSH key revocation is a security mechanism that allows administrators to invalidate specific keys, key certificates, or key IDs without modifying the authorized_keys file for each user.
The Error You'll See
When attempting to connect:
Permission denied (publickey).With verbose output:
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:abc123...
debug1: Server accepts key: pkalg rsa-sha2-256 blen 279
debug1: try_pubkey_path: checking in /home/user/.ssh/authorized_keys
Revoked key
debug1: No more authentication methods to try.
Permission denied (publickey).In server logs (/var/log/auth.log or /var/log/secure):
sshd[1234]: error: authentication with key /home/user/.ssh/authorized_keys:1: revoked
sshd[1234]: Revoked key
sshd[1234]: Failed publickey for username from 192.168.1.50 port 54321 ssh2Why This Happens
SSH keys get revoked when:
- An administrator explicitly revoked the key using a RevokedKeys file
- The key was compromised and added to a revocation list
- A certificate authority revoked a key certificate
- The key appears in a KeyRevocationList (KRL) file
- An organization's security policy automatically revokes certain keys
Step 1: Check if RevokedKeys is Configured
Look for revocation configuration on the server:
sudo grep -i revoked /etc/ssh/sshd_configYou might see:
RevokedKeys /etc/ssh/revoked_keysOr for KRL:
RevokedKeys /etc/ssh/krlStep 2: Identify the Revoked Key
Find your public key fingerprint:
ssh-keygen -lf ~/.ssh/id_rsa.pubCompare with the revoked keys file:
sudo cat /etc/ssh/revoked_keysFor KRL files, list revoked keys:
ssh-keygen -Qf /etc/ssh/krlStep 3: Check Certificate Revocation
If using certificates, check if your certificate was revoked:
```bash # Show certificate details ssh-keygen -Lf ~/.ssh/id_rsa-cert.pub
# Check if revoked in KRL ssh-keygen -Qf /etc/ssh/krl ~/.ssh/id_rsa-cert.pub ```
Step 4: Remove Key from Revocation List (If Authorized)
If you have administrative access and need to un-revoke the key:
For a plain text revoked_keys file, remove the line containing the key:
```bash # Find the line with your key grep -n "$(ssh-keygen -lf ~/.ssh/id_rsa.pub | awk '{print $2}')" /etc/ssh/revoked_keys
# Edit the file to remove the line sudo nano /etc/ssh/revoked_keys ```
For KRL files, you must regenerate the KRL without the revoked key (you cannot remove from a KRL):
# Create new KRL excluding the key
ssh-keygen -kf /etc/ssh/krl $(cat /etc/ssh/authorized_keys_to_keep/*.pub)Step 5: Generate a New Key Pair
If the key was legitimately revoked and cannot be restored, generate a new key:
ssh-keygen -t ed25519 -C "your_email@example.com" -f ~/.ssh/id_ed25519_newAdd the new public key to the server:
ssh-copy-id -i ~/.ssh/id_ed25519_new.pub username@serverUpdate your SSH config to use the new key:
Host server
IdentityFile ~/.ssh/id_ed25519_newStep 6: Update Authorized Keys
If the old key is still in authorized_keys on the server, remove it:
```bash # Remove the old key from authorized_keys ssh-keygen -R ~/.ssh/authorized_keys.old_key_fingerprint
# Or manually edit nano ~/.ssh/authorized_keys ```
Step 7: Contact Administrator
If you don't have administrative access, contact the system administrator: - Request to know why the key was revoked - Ask if the key can be un-revoked - Submit the new public key for authorization
Step 8: Restart SSH Service (After Changes)
If you modified the revocation list:
sudo systemctl restart sshdVerify the Fix
Test the connection:
ssh -v username@serverWith a revoked key, you'll still see "Revoked key". With a new authorized key:
debug1: Authentication succeeded (publickey).For administrators, verify the revocation list status:
```bash # Check KRL ssh-keygen -Qf /etc/ssh/krl ~/.ssh/test_key.pub
# Check plain file grep -f ~/.ssh/id_rsa.pub /etc/ssh/revoked_keys ```
A successful connection without "Revoked key" in the output confirms the fix.
For organizations, implement proper key management to track why keys are revoked and have a process for key rotation and re-authorization.