Version: GitLab CE 13.3.5
We have a problem where a user had an old SSH key, which they no longer use. The user wants to delete the SSH key, but it is not available in the UI for the user's account.
When we use the following API to find the user's SSH keys, it is not there: https://gitlab.server/api/v4/users/someuser/keys
However, if I loop through all SSH keys registered with GitLab, I can find it: https://gitlab.server/api/v4/users/keys/$KeyIdNumber
How can I delete the SSH key so it is not usable? This is a potential security risk: if the private key were to be leaked, there would be no way to prevent access without deleting the user. As a test, when blocking the user, the SSH key still works.
There appears no way to delete keys via the API.
Since the key API has only a "GET" operation, I would ask a GitLab admin (of your GitLab on-premise server) to:
Check the database settings.
I think I will just need to make a clarification. This was the answer that led me to the final solution, mainly because I am too afraid to delete entries from a live DB:
The following query helped me find the entry:
select * from keys where id = 27;
If this was actually an issue with the SSH key, then one can just update the expiration_at column with the following query to expire the key:
UPDATE keys SET expires_at = '2020-09-17 08:42:00+02' WHERE id = 27 RETURNING *;
The output actually showed me that the key "type" was a "DeployKey". It is essentially the same as an SSH key, but it is tied to the repos and does not obey the same expiration rules (although deploy tokens do).
This is a difficult thing to find in the UI, and the way I did it was to query every project for their "deploy_keys":
...api/v4/projects/<ID>/deploy_keys
Be warned that the key can be used in multiple repos. If you "disable" it from one it will still be available in the other repos but you will not know which projects. Luckily, it is possible to open the other repos which use the same key as long as you do not disable the Key first (this is what I did and wasted more time to find another project where the Key existed).
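
The per-project deploy_keys search described above, as an added example that is not part of the original posts: it walks the paginated project list and reports every project where a given key id (27, as in the query above) is enabled. It assumes an administrator access token sent in the PRIVATE-TOKEN header; the helper names and the sample responses are constructed for illustration.

```python
import json
import urllib.request

def make_api_get(base_url, token):
    """Return get(path) that calls GitLab API v4 with a PRIVATE-TOKEN header."""
    def get(path):
        req = urllib.request.Request(
            f"{base_url}/api/v4{path}", headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get

def projects_using_key(get, key_id, per_page=100):
    """List (project id, path, can_push) for every project exposing key_id."""
    hits, page = [], 1
    while True:
        projects = get(f"/projects?per_page={per_page}&page={page}")
        if not projects:          # an empty page marks the end of the listing
            return hits
        for project in projects:
            for key in get(f"/projects/{project['id']}/deploy_keys"):
                if key["id"] == key_id:
                    hits.append((project["id"],
                                 project["path_with_namespace"],
                                 key.get("can_push", False)))
        page += 1

# Constructed sample responses (not real server output), keyed by request path.
SAMPLE = {
    "/projects?per_page=2&page=1": [
        {"id": 1, "path_with_namespace": "ops/deploy"},
        {"id": 2, "path_with_namespace": "web/site"}],
    "/projects?per_page=2&page=2": [
        {"id": 3, "path_with_namespace": "web/api"}],
    "/projects/1/deploy_keys": [{"id": 27, "title": "old-key", "can_push": True}],
    "/projects/2/deploy_keys": [],
    "/projects/3/deploy_keys": [{"id": 27, "title": "old-key", "can_push": False},
                                {"id": 31, "title": "ci", "can_push": False}],
}

def sample_get(path):
    return SAMPLE.get(path, [])

if __name__ == "__main__":
    # Against a real server: get = make_api_get("https://gitlab.server", "<admin token>")
    for pid, path, can_push in projects_using_key(sample_get, 27, per_page=2):
        print(f"project {pid} ({path}): key 27 enabled, can_push={can_push}")
```

Collect the full list of hits before disabling the key in any project, since the other projects become harder to locate once the key has been disabled in one of them.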