path: root/sshd_config.5
author: Damien Miller <djm@mindrot.org> 2013-01-18 01:44:04 +0100
committer: Damien Miller <djm@mindrot.org> 2013-01-18 01:44:04 +0100
commit: f3747bf4014a450c9aaf1d88b010f6e579d10072
tree: 0b1e1b497da13eb815e16a0f43be09e873e6a243 /sshd_config.5
parent: - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
- djm@cvs.openbsd.org 2013/01/17 23:00:01
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
[krl.c krl.h PROTOCOL.krl]
add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- sshd_config.5 13
1 files changed, 10 insertions, 3 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index e7bb0b55f..c8b814da6 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.153 2013/01/08 18:49:04 markus Exp $
-.Dd $Mdocdate: January 8 2013 $
+.\" $OpenBSD: sshd_config.5,v 1.154 2013/01/17 23:00:01 djm Exp $
+.Dd $Mdocdate: January 17 2013 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -994,10 +994,17 @@ The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
.It Cm RevokedKeys
-Specifies a list of revoked public keys.
+Specifies revoked public keys.
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
+Keys may be specified as a text file, listing one public key per line, or as
+an OpenSSH Key Revocation List (KRL) as generated by
+.Xr ssh-keygen 1
+For more information on KRLs, see the
+.Sx KEY REVOCATION LISTS
+section in
+.Xr ssh-keygen 1 .
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.
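Review bot: The added `.Xr ssh-keygen 1` line that closes the first new sentence (right after "as generated by") has no trailing punctuation argument, so the rendered page will run "ssh-keygen(1)" straight into "For more information on KRLs" with no full stop. It should read `.Xr ssh-keygen 1 .`, matching the last added line of this hunk. Separately, the retained warning that an unreadable file causes public key authentication to be refused for all users now applies to a file that can be in either of two formats, and the new text does not say what happens when the file is readable but is neither a valid key list nor a valid KRL. One sentence stating that behaviour would let operators know whether a corrupted KRL fails closed in the same way.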