Security when SSH private keys are lost

What version of sshd are you using? OpenSSH 5.4 apparently has a key revocation option:

* Add the ability to revoke keys in sshd(8) and ssh(1). User keys may
be revoked using a new sshd_config(5) option "RevokedKeys". Host keys
are revoked through known_hosts (details in the sshd(8) man page).
Revoked keys cannot be used for user or host authentication and will
trigger a warning if used.

If you're using an earlier version, you probably have to run through all possible authorized_keys files on all your servers to look for and remove the suspect public key. This would include any account User-A could ssh into, including root. This assumes you are not using centralized authorized_keys management.
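One way to carry out that search-and-remove step on each server, as an added example that is not part of the answer above: it parses authorized_keys entries (including ones that carry a leading options field such as command="..." with spaces inside the quotes), computes the OpenSSH-style SHA256 fingerprint of each key blob, and drops the entries whose fingerprint matches the suspect key. Function names are my own; the key types and fingerprint format are OpenSSH's.

```python
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")   # how the key-type field starts

def _skip_options(line):
    """Drop the leading options field; it ends at the first unquoted blank, since
    options such as command="/usr/bin/foo bar" may themselves contain spaces."""
    i, quoted = 0, False
    while i < len(line):
        c = line[i]
        if c == '"' and not (quoted and line[i - 1] == "\\"):
            quoted = not quoted         # toggle on an unescaped double quote
        elif c.isspace() and not quoted:
            break
        i += 1
    return line[i:].lstrip()

def parse_authorized_key(line):
    """Return (keytype, blob_b64, comment), or None for blank, comment or garbled lines."""
    body = line.strip()
    if not body or body.startswith("#"):
        return None
    if not body.startswith(KEY_TYPE_PREFIXES):
        body = _skip_options(body)
    parts = body.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        return None
    return parts[0], parts[1], (parts[2] if len(parts) == 3 else "")

def sha256_fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA-256 of the decoded blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def remove_key(authorized_keys_text, suspect_fingerprint):
    """Return (new_text, removed_count) with every entry matching the fingerprint dropped."""
    kept, removed = [], 0
    for line in authorized_keys_text.splitlines():
        entry = parse_authorized_key(line)
        try:
            match = entry is not None and sha256_fingerprint(entry[1]) == suspect_fingerprint
        except ValueError:              # undecodable blob: keep it for the admin to inspect
            match = False
        if match:
            removed += 1
        else:
            kept.append(line)
    return "".join(l + "\n" for l in kept), removed
```

Run remove_key() over the contents of every user's authorized_keys file (the home directories come from /etc/passwd) and write the result back only when removed_count is non-zero; the same matching works with the fingerprint ssh-keygen -lf prints for the suspect public key.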


One possible short-term fix to this situation is to use some config management tool (ansible may be a good bet here).

You could notably use the authorized_key module (https://docs.ansible.com/ansible/authorized_key_module.html) to remove one (or more) specific public key fingerprint from a given user's authorized_keys file.

An example is lacking for your needs, but something like this could work:

- name: Set authorized key taken from url
  authorized_key:
    user: charlie
    state: absent
    key: https://github.com/charlie.keys

You can also (in ansible at least) run a command to create a list of all users on a system, by querying /etc/passwd.

You could also just create a fresh whitelist of keys and remove everything else, but that may not be practical in your situation.

The ansible docs give a rough example of how that could work:

- name: Set authorized key, removing all the authorized keys already set
  authorized_key:
    user: root
    key: '{{ item }}'
    state: present
    exclusive: True
  with_file:
    - public_keys/doe-jane

In the long run, you may want to consider having jumphosts - I've found teleport to be rather good.