From da162da0416abb367ea8a415eb90d072a01fa020 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 2 Jun 2008 13:04:55 +0000 Subject: Check compromised key blacklist in ssh or ssh-add, as well as in the server (LP: #232391). To override the blacklist check in ssh temporarily, use 'ssh -o UseBlacklistedKeys=yes'; there is no override for the blacklist check in ssh-add. --- ssh_config.5 | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index b048a54f5..411e9fd34 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -1056,6 +1056,23 @@ is not specified, it defaults to .Dq any . The default is .Dq any:any . +.It Cm UseBlacklistedKeys +Specifies whether +.Xr ssh 1 +should use keys recorded in its blacklist of known-compromised keys (see +.Xr ssh-vulnkey 1 ) +for authentication. +If +.Dq yes , +then attempts to use compromised keys for authentication will be logged but +accepted. +It is strongly recommended that this be used only to install new authorized +keys on the remote system, and even then only with the utmost care. +If +.Dq no , +then attempts to use compromised keys for authentication will be prevented. +The default is +.Dq no . .It Cm UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be -- cgit v1.2.3
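Review bot: The wording "logged but accepted" in the new UseBlacklistedKeys entry is misleading from the client's point of view: ssh(1) does not decide whether a key is accepted, it only decides whether to offer it, and the commit message says the server performs its own blacklist check, so a blacklisted key offered with UseBlacklistedKeys=yes may still be refused by the remote sshd. Suggest rephrasing along the lines of "then ssh will warn about, but still offer, keys found in the blacklist; the remote server may still reject them". It would also help to state here that this option has no effect on ssh-add(1), which (per the commit message) always refuses blacklisted keys, and to mention the per-invocation form given in the commit message, "ssh -o UseBlacklistedKeys=yes", since the stated intent is a one-off override rather than a persistent configuration setting.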