Page MenuHomePhorge
Create Task
Maniphest T15692

Allow to see your own public revoked key
Closed, ResolvedPublic
Actions

Description

We have probably a minor bug in the "Revoke SSH Key" workflow.

After you Revoke an SSH key, you are still able to see it from SettingsSSH Public KeysHistory but you are not able anymore to see its content, so it's nearly impossible for the user to double-check and/or do self-audit.

The only way to see the SSH key is to Edit it, but, if revoked, you cannot indeed.

NOTE: Technically, having an "Un-Revoke" button would help, but it's indeed not an option and should not be proposed as solution, since there is a reason if an user revoked a key, and it should not be easily un-revokable.

Public SSH keys are supposed to be public indeed, so, if an user revokes a key, it should just continue to be visible to that user somewhere, instead of becoming completely "private".

This is probably currently a minor UX problem related to this page:

Revoked SSH key.png (497×1 px, 49 KB)

Proposed solution

From the above screenshot, just always show also the public SSH key, and not just the name / comment.

So, when Revoked, you can still see it for an appreciated extra self-audit.

Revisions and Commits

rP Phorge
D25495rP549a26d0879c Auth SSH Details: show Public Key (not just Type)

Event Timeline

valerio.bozzolan created this task.Dec 13 2023, 16:04
valerio.bozzolan triaged this task as Normal priority.
valerio.bozzolan created this object in space S1 Public.
Herald added subscribers: Cigaryno, Matthew, chris, tobiaswiese. · View Herald TranscriptDec 13 2023, 16:04
valerio.bozzolan added a revision: D25495: Auth SSH Details: show Public Key (not just Type).Dec 13 2023, 16:52
avivey subscribed.Dec 14 2023, 09:03

Since we already show the full (public) key when editing, then I don't see a reason not to show it after it's revoked.

I guess there's some risk of users accidently pasting their private key in there and then trying to hide it, but that should be handled by (1) admin deleting the object from the cli and (2) the user making sure to consider the key compromised anyway.

valerio.bozzolan added a comment.Dec 14 2023, 21:27

I totally agree with these additional considerations. Thanks.

valerio.bozzolan added a comment.Dec 27 2023, 14:02

In addition, it seems only the owner can see their stuff here.

valerio.bozzolan closed this task as Resolved by committing rP549a26d0879c: Auth SSH Details: show Public Key (not just Type).Jan 12 2024, 21:34
valerio.bozzolan claimed this task.
valerio.bozzolan added a commit: rP549a26d0879c: Auth SSH Details: show Public Key (not just Type).
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0