Check compromised key blacklist in ssh or ssh-add, as well as in the

server (LP: #232391). To override the blacklist check in ssh temporarily, use 'ssh -o UseBlacklistedKeys=yes'; there is no override for the blacklist check in ssh-add.
author: Colin Watson <cjwatson@debian.org> 2008-06-02 13:04:55 +0000
committer: Colin Watson <cjwatson@debian.org> 2008-06-02 13:04:55 +0000
commit: da162da0416abb367ea8a415eb90d072a01fa020 (patch)
tree: a6a649302f33b74be5052b54c66f074f2b788b11 /ssh_config.5
parent: 15d091acca07091e7f196168bdf08788f1ae8367 (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index b048a54f5..411e9fd34 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1056,6 +1056,23 @@ is not specified, it defaults to
 .Dq any .
 The default is
 .Dq any:any .
+.It Cm UseBlacklistedKeys
+Specifies whether
+.Xr ssh 1
+should use keys recorded in its blacklist of known-compromised keys (see
+.Xr ssh-vulnkey 1 )
+for authentication.
+If
+.Dq yes ,
+then attempts to use compromised keys for authentication will be logged but
+accepted.
+It is strongly recommended that this be used only to install new authorized
+keys on the remote system, and even then only with the utmost care.
+If
+.Dq no ,
+then attempts to use compromised keys for authentication will be prevented.
+The default is
+.Dq no .
 .It Cm UsePrivilegedPort
 Specifies whether to use a privileged port for outgoing connections.
 The argument must be
author	Colin Watson <cjwatson@debian.org>	2008-06-02 13:04:55 +0000
committer	Colin Watson <cjwatson@debian.org>	2008-06-02 13:04:55 +0000
commit	da162da0416abb367ea8a415eb90d072a01fa020 (patch)
tree	a6a649302f33b74be5052b54c66f074f2b788b11 /ssh_config.5
parent	15d091acca07091e7f196168bdf08788f1ae8367 (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index b048a54f5..411e9fd34 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -1056,6 +1056,23 @@ is not specified, it defaults to
1056	.Dq any .	1056	.Dq any .
1057	The default is	1057	The default is
1058	.Dq any:any .	1058	.Dq any:any .
		1059	.It Cm UseBlacklistedKeys
		1060	Specifies whether
		1061	.Xr ssh 1
		1062	should use keys recorded in its blacklist of known-compromised keys (see
		1063	.Xr ssh-vulnkey 1 )
		1064	for authentication.
		1065	If
		1066	.Dq yes ,
		1067	then attempts to use compromised keys for authentication will be logged but
		1068	accepted.
		1069	It is strongly recommended that this be used only to install new authorized
		1070	keys on the remote system, and even then only with the utmost care.
		1071	If
		1072	.Dq no ,
		1073	then attempts to use compromised keys for authentication will be prevented.
		1074	The default is
		1075	.Dq no .
1059	.It Cm UsePrivilegedPort	1076	.It Cm UsePrivilegedPort
1060	Specifies whether to use a privileged port for outgoing connections.	1077	Specifies whether to use a privileged port for outgoing connections.
1061	The argument must be	1078	The argument must be