OpenSSH Certkey (PKI)

Andre Oppermann andre at freebsd.org
Sat Nov 18 00:02:38 EST 2006


Bob Beck wrote:
> 
> 	I would think it would be nice if "CAL" had a way of
> saying "these are the ones to be revoked" so no shutdown, just
> propagate the bad one - but I'm talking to daniel offline about it..

That's easy.  echo "ab:cd:ef..." > /etc/ssh/blacklist

Or use a periodic rsync to do that.  Every pubkey fingerprint listed in it is
denied access.

-- 
Andre
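
The fingerprint check described in the message above, as an added example that is not part of the original post or of OpenSSH. It assumes the blacklist holds one MD5 colon-hex fingerprint per line (the "ab:cd:ef..." form) with optional `#` comments; the function names and sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct


def fingerprint(pubkey_line: str) -> str:
    """MD5 colon-hex fingerprint ("ab:cd:ef...") of an OpenSSH public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def load_blacklist(text: str) -> set:
    """Assumed format: one fingerprint per line; blanks and '#' comments skipped."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line.startswith("md5:"):  # prefix printed by newer `ssh-keygen -l -E md5`
            line = line[4:]
        if line:
            entries.add(line)
    return entries


def is_denied(pubkey_line: str, blacklist: set) -> bool:
    """True when the key's fingerprint is listed, i.e. access must be refused."""
    return fingerprint(pubkey_line) in blacklist


def make_pubkey(seed: bytes, comment: str) -> str:
    """Constructed sample: ssh-ed25519 wire blob around a fake 32-byte key."""
    ktype = b"ssh-ed25519"
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


# Constructed sample data: one revoked key, one key still in good standing.
REVOKED = make_pubkey(b"revoked", "old-laptop")
GOOD = make_pubkey(b"good", "workstation")
BLACKLIST = load_blacklist("# constructed sample\n" + fingerprint(REVOKED).upper() + "\n\n")

if __name__ == "__main__":
    for key in (REVOKED, GOOD):
        print(fingerprint(key), "DENY" if is_denied(key, BLACKLIST) else "allow")
```

Matching is case-insensitive and ignores the key comment, so a listed key stays denied even if it is relabelled in `authorized_keys`.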

