👋 We've unified all of GitHub's product documentation in one place! Check out the content for REST API, GraphQL API, and Developers. Learn more on the GitHub blog.
Article version: Enterprise Server 2.21

Auditing SSH keys

Site administrators can initiate an instance-wide audit of SSH keys.

In this article

Once initiated, the audit disables all existing SSH keys and forces users to approve or reject them before they're able to clone, pull, or push to any repositories. An audit is useful in situations where an employee or contractor leaves the company and you need to ensure that all keys are verified.

Initiating an audit

You can initiate an SSH key audit from the "All users" tab of the site admin dashboard:

Starting a public key audit

After you click the "Start public key audit" button, you'll be taken to a confirmation screen explaining what will happen next:

Confirming the audit

After you click the "Begin audit" button, all SSH keys are invalidated and will require approval. You'll see a notification indicating the audit has begun.

What users see

If a user attempts to perform any git operation over SSH, it will fail and provide them with the following message:

ERROR: Hi username. We're doing an SSH key audit.
Please visit http(s)://hostname/settings/ssh/audit/2
to approve this key so we know it's safe.
Fingerprint: ed:21:60:64:c0:dc:2b:16:0f:54:5f:2b:35:2a:94:91
fatal: The remote end hung up unexpectedly

When they follow the link, they're asked to approve the keys on their account:

Auditing keys

After they approve or reject their keys, they'll be able interact with repositories as usual.

Adding an SSH key

New users will be prompted for their password when adding an SSH key:

Password confirmation

When a user adds a key, they'll receive a notification email that will look something like this:

The following SSH key was added to your account:

[title]
ed:21:60:64:c0:dc:2b:16:0f:54:5f:2b:35:2a:94:91

If you believe this key was added in error, you can remove the key and disable access at the following location:

http(s)://HOSTNAME/settings/ssh

Ask a human

Can't find what you're looking for?

Contact us