Revoking SSH keys by using the command line

You can revoke specific OpenSSH keys when you need to update access to the appliance.

About this task

The ssh-revoked-keys command manages the list of revoked keys for SSH authentication with SSH user certificates. Each revoked key must be in OpenSSH public key format, and the key file must be in the cert: or sharedcert: directory. For example, when mySSHkey.pub is the value for a revoked key, the system looks for this file first in the cert: directory and then in the sharedcert: directory. If the file does not exist in either directory, the command is ignored and a warning is logged.

Revoking individual user certificates avoids needing to replace the CA key and issue a new certificate to each appliance user. The CA public key file used to verify user certificates is defined by the ssh-ca-pubkey-file command.

Issue the command once for each key that you add to or delete from the revocation list.

This command is relevant when the ssh-au-method includes certificate.

Procedure

  1. Connect to the IBM® MQ Appliance as described in Command line access. Log in as an administrative user.
  2. Type config to enter global configuration mode.
  3. Type the following command to enter role-based management configuration mode:
    rbm
  4. Enter the following command to revoke an SSH key:
    ssh-revoked-keys file
    Where file is the name of the revoked key file in the cert: or sharedcert: directory. The file must contain the CA-signed user public key in OpenSSH public key format.
  5. Save your configuration and exit:
    exit
    write memory
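Before you copy a key file to cert: or sharedcert: and name it in ssh-revoked-keys, it is worth confirming that the file really is a well-formed OpenSSH public key and noting its fingerprint so that you can match it against the user you intend to lock out. The script below is an added example, not code from IBM or part of the appliance; it parses one line in OpenSSH public key format (type, base64 blob, optional comment), checks that the key type embedded in the blob matches the leading type field, and computes the SHA256 fingerprint in the same form that ssh-keygen -l prints. The sample key line is constructed inside the script from dummy key bytes and is not a real user's key; the identifiers parse_openssh_pubkey, is_valid_openssh_pubkey and SAMPLE_PUBKEY_LINE are this example's own names.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Read one SSH wire-format string at offset; return (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_openssh_pubkey(line: str) -> dict:
    """Parse one line in OpenSSH public key format: '<type> <base64-blob> [comment]'.

    Returns the key type, the comment, the SHA256 fingerprint as ssh-keygen -l
    prints it, and whether the blob is an OpenSSH certificate rather than a bare
    public key. Raises ValueError for anything that is not well-formed.
    """
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        # validate=True rejects stray characters; binascii.Error is a ValueError.
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError(f"key blob is not valid base64: {exc}") from None
    # The first wire-format string inside the blob repeats the key type; a
    # mismatch means the line was hand-edited or mixes two different keys.
    embedded_type, _ = _read_ssh_string(blob, 0)
    if embedded_type.decode("ascii", "replace") != key_type:
        raise ValueError(
            f"type field {key_type!r} does not match blob type {embedded_type!r}"
        )
    # OpenSSH fingerprint: SHA256 over the raw blob, base64 without padding.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {
        "type": key_type,
        "comment": comment,
        "fingerprint": fingerprint,
        "is_certificate": key_type.endswith("-cert-v01@openssh.com"),
    }


def is_valid_openssh_pubkey(line: str) -> bool:
    """True if the line parses as OpenSSH public key format, False otherwise."""
    try:
        parse_openssh_pubkey(line)
        return True
    except ValueError:
        return False


# Constructed sample, not a real key: an ed25519 public key blob whose 32 key
# bytes are simply 0x00..0x1f, wrapped in the OpenSSH public key line format.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " alice@example.com"
)


if __name__ == "__main__":
    # Typical use: python3 check_key.py < mySSHkey.pub, before copying the file
    # to cert: and naming it in ssh-revoked-keys.
    import sys

    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PUBKEY_LINE
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            print(parse_openssh_pubkey(raw))
```

Keep the revoked key file to the public key line itself: a line that fails this check would be rejected or silently mis-parsed on the appliance side, and the fingerprint is what you compare with the user's issued certificate (ssh-keygen -L on the certificate prints the same SHA256 fingerprint for its public key) before you revoke it.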