- djm@cvs.openbsd.org 2010/03/04 10:36:03

[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c] [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h] [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5] Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition than doing it per-user in authorized_keys). Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to me revoked and banned for user or host authentication. feedback and ok markus@
author: Damien Miller <djm@mindrot.org> 2010-03-04 21:53:35 +1100
committer: Damien Miller <djm@mindrot.org> 2010-03-04 21:53:35 +1100
commit: 1aed65eb27feec505997c98621bdf158f9ab8b99 (patch)
tree: 81c2d0b9aff3c2211388ba00cde544e0618750d2 /ssh.1
parent: 2befbad9b3c8fc6e4e564c062870229bc722734c (diff)
1 files changed, 18 insertions, 2 deletions
diff --git a/ssh.1 b/ssh.1
index 183dc277f..e8a4e5953 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.296 2010/02/26 22:09:28 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.297 2010/03/04 10:36:03 djm Exp $
-.Dd $Mdocdate: February 26 2010 $
+.Dd $Mdocdate: March 4 2010 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -1121,6 +1121,22 @@ See the
 section of
 .Xr ssh-keygen 1
 for more details.
+.Pp
+Keys may be also be marked as revoked using the
+.Dq @revoked
+marker.
+Revoked keys will always trigger a warning when encountered and the host
+that presented them will be treated as untrusted.
+For example:
+.Pp
+.Dl @revoked * ssh-rsa AAAAB5W...
+.Pp
+Revoking a key revokes it for direct use and as a certification authority.
+Do not use both the
+.Dq @cert-authority and
+.Dq @revoked
+markers on the same line.
+.Pp
 .Sh SSH-BASED VIRTUAL PRIVATE NETWORKS
 .Nm
 contains support for Virtual Private Network (VPN) tunnelling
author	Damien Miller <djm@mindrot.org>	2010-03-04 21:53:35 +1100
committer	Damien Miller <djm@mindrot.org>	2010-03-04 21:53:35 +1100
commit	1aed65eb27feec505997c98621bdf158f9ab8b99 (patch)
tree	81c2d0b9aff3c2211388ba00cde544e0618750d2 /ssh.1
parent	2befbad9b3c8fc6e4e564c062870229bc722734c (diff)

diff --git a/ssh.1 b/ssh.1 index 183dc277f..e8a4e5953 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.296 2010/02/26 22:09:28 jmc Exp $	37	.\" $OpenBSD: ssh.1,v 1.297 2010/03/04 10:36:03 djm Exp $
38	.Dd $Mdocdate: February 26 2010 $	38	.Dd $Mdocdate: March 4 2010 $
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -1121,6 +1121,22 @@ See the
1121	section of	1121	section of
1122	.Xr ssh-keygen 1	1122	.Xr ssh-keygen 1
1123	for more details.	1123	for more details.
		1124	.Pp
		1125	Keys may be also be marked as revoked using the
		1126	.Dq @revoked
		1127	marker.
		1128	Revoked keys will always trigger a warning when encountered and the host
		1129	that presented them will be treated as untrusted.
		1130	For example:
		1131	.Pp
		1132	.Dl @revoked * ssh-rsa AAAAB5W...
		1133	.Pp
		1134	Revoking a key revokes it for direct use and as a certification authority.
		1135	Do not use both the
		1136	.Dq @cert-authority and
		1137	.Dq @revoked
		1138	markers on the same line.
		1139	.Pp
1124	.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS	1140	.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS
1125	.Nm	1141	.Nm
1126	contains support for Virtual Private Network (VPN) tunnelling	1142	contains support for Virtual Private Network (VPN) tunnelling