6

How can I configure OpenSSH (5.9) to reject a given set of public keys?

I know I can remove the keys from each respective .ssh/authorized_keys file, but I would like to do it on a server-wide basis. Imagine a scenario where a private key got compromised and I would like to prevent any user from putting the respective public key into their authorized_keys (yes, they should still be allowed to edit theirs) and it working. To achieve that I will need something that works at the system level.

0xC0000022L

1 Answer

5

Have a look into the RevokedKeys configuration option for the sshd. See man sshd_config.

Sven
  • Is this a recent addition or has that feature even disappeared again? There is no such option in the `man` page, I'm afraid. What OpenSSH version are you using? – 0xC0000022L Feb 25 '13 at 13:30
  • It's not in 5.3 as used on CentOS 6, but on an Ubuntu 11.10 with ssh 5.8 it's available, as well as on ssh 5.5 on Debian Squeeze, and it's listed on the OpenSSH webpage's version of the manual pages, so it hasn't been removed. – Sven Feb 25 '13 at 13:34
  • snap. Found it on Ubuntu 12.04. Not on Scientific Linux 6.3 or Ubuntu 10.04, however. Luckily I am migrating to 12.04. Thanks for the help. +1 and accepting, of course :) – 0xC0000022L Feb 25 '13 at 13:39
  • This option was added in OpenSSH 5.4. http://www.openssh.com/txt/release-5.4 ; 5th added feature. – Jander Mar 25 '15 at 20:43
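
One way to put the `RevokedKeys` option from the answer to use, as an added example that is not part of the original thread: helper functions that maintain a one-key-per-line revocation file and report which `authorized_keys` files still list a revoked key. The path `/etc/ssh/revoked_keys`, the function names and the sample key are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes sshd_config contains:
#     RevokedKeys /etc/ssh/revoked_keys      (path is an assumption)
# Keep the file owned and writable by root only, and make sure sshd can read
# it: if it is unreadable, public key authentication is refused for all users.
# After changing sshd_config, validate with `sshd -t` before reloading sshd.
REVOKED_FILE="${REVOKED_FILE:-/etc/ssh/revoked_keys}"

# Constructed sample key (not a real key), standing in for the compromised one.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedExampleKey compromised@example'

# key_blob LINE: print "type base64" from a public key or authorized_keys
# line, dropping leading options and the trailing comment. Every SSH key blob
# starts with "AAAA" (a 4-byte length prefix), which anchors the match.
key_blob() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/ { exit }
        { for (i = 1; i < NF; i++)
              if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/ && $(i+1) ~ /^AAAA/) {
                  print $i, $(i+1); exit
              } }'
}

# revoke_key LINE: add the key to the revocation file once (one key per line).
revoke_key() {
    entry=$(key_blob "$1")
    [ -n "$entry" ] || { echo "not a public key line" >&2; return 1; }
    touch "$REVOKED_FILE"
    grep -qxF -- "$entry" "$REVOKED_FILE" || printf '%s\n' "$entry" >> "$REVOKED_FILE"
}

# audit_authorized_keys FILE...: print each file that still lists a revoked key,
# so the owners can be told why that key no longer works.
audit_authorized_keys() {
    for f in "$@"; do
        while IFS= read -r line || [ -n "$line" ]; do
            entry=$(key_blob "$line")
            if [ -n "$entry" ] && grep -qxF -- "$entry" "$REVOKED_FILE"; then
                printf '%s\n' "$f"
                break
            fi
        done < "$f"
    done
    return 0
}
```

Users can keep editing their own `authorized_keys`; a key listed in the revocation file is refused by sshd regardless of where it appears.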