
A while ago, when learning about the existence of ECDSA-SK keys, I created such a key and added it to my GitHub account.

Now I am trying to remove it, but it simply does not show up in the list of keys. The list only shows my "regular" SSH key, but not the SK key.


However, the SK key works just fine. I can push/pull with it (even to/from private repos), and when trying to authenticate with it, it shows as connected to my GitHub account:

$ ssh -T -ai ~/.ssh/id_rsa.sk git@github.com
Hi bogd! You've successfully authenticated, but GitHub does not provide shell access.

Also, if I try to add it to my account, GitHub tells me "the key is already in use".

So my question is - where do I need to go to remove this key?

Bogd
  • Did you verify that the key is actually not the one that is displayed in the GitHub web interface? Try to delete the (public) key on GitHub and see whether you can still execute Git SSH operations. – Matt Jul 31 '21 at 12:41
  • I can guarantee that the key displayed in the web interface is not the SK key - I am actively using the "regular" RSA key on other machines, where I do not have a Yubikey available. Also, the SHA256 hashes are different. – Bogd Aug 02 '21 at 14:34

1 Answer

From the GitHub announcement in May 2021, this is what you should see:

[Image: sk entry]

If no "skey" entry is listed:

  • check if it would be listed when you have your YubiKey in place
  • check if you can list that key through GitHub API (you would need a token with read:public_key scope)
  • contact GitHub support to investigate.

The OP Bogd reports in the comments that the SK (Security Key) was listed as a Deploy Key:

[Image: Deploy Key]

The "-i" argument to SSH only adds the specified key to the list of keys the client will try.

Since I normally always have my RSA key loaded in the agent, it is likely that key was tried first, and that was why the command output did not list the repository.

The command should have been:

ssh -v -o "IdentitiesOnly=yes" -i ~/.ssh/id_rsa.sk git@github.com
VonC
  • Thank you. I did contact github support, and it appears that the key was listed as a deploy key for a specific repo. Which was true, but according to the documentation, this should have shown up in the output of the SSH command... ( https://docs.github.com/en/github/authenticating-to-github/troubleshooting-ssh/error-key-already-in-use ). Waiting for an update from support to see why this did not happen. – Bogd Aug 04 '21 at 11:55
  • @Bogd Thank you for this feedback. I have included your comment in the answer for more visibility. – VonC Aug 04 '21 at 11:58
  • Got the reply from support - the "-i" argument to SSH only adds the specified key to the list of keys the client will try. Since I normally always have my RSA key loaded in the agent, it is likely that key was tried first, and that was why the command output did not list the repo. The command should have been 'ssh -v -o "IdentitiesOnly=yes" -i ~/.ssh/id_rsa.sk git@github.com'. They will update the documentation, but until then maybe you can add this to your answer, for other people who stumble upon the question? – Bogd Aug 05 '21 at 06:49
  • @Bogd Very interesting feedback. I have included your comment again in the answer. (no need to repeat it in the question, which is made for... asking questions) – VonC Aug 05 '21 at 07:03
  • I felt that was important enough to mention there, in case someone facing the same issue wanted to troubleshoot :) . Since you added it to the answer, I have removed it from the original question. Thank you! – Bogd Aug 06 '21 at 12:35
  • @Bogd No problem. Thank you for the GitHub support feedback. Always interesting to hear from them. – VonC Aug 06 '21 at 12:37
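
Added example, not part of the original answer or comments: a small check that reads `ssh -v` debug output and confirms which key the server actually accepted, which is the thing `-i` alone did not guarantee in the thread above. The function names, the `/home/u` paths and the `SHA256:CONSTRUCTED-*` fingerprints are constructed for illustration, and the log lines assume OpenSSH's `debug1: Server accepts key:` format.

```shell
#!/bin/sh
# Added example (not from the original post). Log lines are constructed and
# assume OpenSSH's "debug1: Server accepts key: <path> <type> <fp> ..." format.

# Print "<path> <type> <fingerprint>" of the accepted key (stdin = ssh -v log).
accepted_key() {
    awk '/^debug1: Server accepts key: / { print $5, $6, $7; found = 1; exit }
         END { if (!found) exit 1 }'
}

# $1 = fingerprint of the key under test, e.g. field 2 of `ssh-keygen -lf key.pub`.
# Returns 0 if that key authenticated, 1 if another key did, 2 if none was accepted.
verify_identity() {
    want=$1
    got=$(accepted_key) || { echo "no key accepted"; return 2; }
    set -- $got
    if [ "$3" = "$want" ]; then
        echo "OK: authenticated with $1 ($2)"
    else
        echo "MISMATCH: server accepted $1 ($2 $3), not $want"
        return 1
    fi
}

# Constructed log: -i only, with an RSA key already loaded in the agent.
log_i_only() { cat <<'EOF'
debug1: Will attempt key: /home/u/.ssh/id_rsa RSA SHA256:CONSTRUCTED-RSA agent
debug1: Will attempt key: /home/u/.ssh/id_rsa.sk ECDSA-SK SHA256:CONSTRUCTED-SK explicit authenticator
debug1: Offering public key: /home/u/.ssh/id_rsa RSA SHA256:CONSTRUCTED-RSA agent
debug1: Server accepts key: /home/u/.ssh/id_rsa RSA SHA256:CONSTRUCTED-RSA agent
debug1: Authentication succeeded (publickey).
EOF
}

# Constructed log: -o IdentitiesOnly=yes -i ..., so only the named key is offered.
log_identities_only() { cat <<'EOF'
debug1: Will attempt key: /home/u/.ssh/id_rsa.sk ECDSA-SK SHA256:CONSTRUCTED-SK explicit authenticator
debug1: Offering public key: /home/u/.ssh/id_rsa.sk ECDSA-SK SHA256:CONSTRUCTED-SK explicit authenticator
debug1: Server accepts key: /home/u/.ssh/id_rsa.sk ECDSA-SK SHA256:CONSTRUCTED-SK explicit authenticator
debug1: Authentication succeeded (publickey).
EOF
}

log_i_only | verify_identity SHA256:CONSTRUCTED-SK || true
log_identities_only | verify_identity SHA256:CONSTRUCTED-SK
```

Against a live connection, feed it the debug stream from stderr, for example by piping `ssh -v ... 2>&1` into `verify_identity` with the fingerprint of the key being tested.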