此内容没有您所选择的语言版本。
14.3.8. Revoking an SSH CA Certificate
If a certificate is stolen, it should be revoked. Although OpenSSH does not provide a mechanism to distribute the revocation list it is still easier to create the revocation list and distribute it by other means then to change the CA keys and all host and user certificates previously created and distributed.
Keys can be revoked by adding them to the
revoked_keys
file and specifying the file name in the sshd_config
file as follows: RevokedKeys /etc/ssh/revoked_keysNote that if this file is not readable, then public key authentication will be refused for all users.
To test if a key has been revoked, query the revocation list for the presence of the key. Use a command as follows:
ssh-keygen -Qf /etc/ssh/revoked_keys ~/.ssh/id_rsa.pub
A user can revoke a CA certificate by changing the
cert-authority
directive to revoke
in the known_hosts
file.