Managing the SSH revoked keys list for authenticating CLI sessions
To avoid replacing the CA-signed user certificate that requires the distribution of public keys to all clients, you can revoke specific OpenSSH keys.
About this task
With an SSH revoked keys list, you can control which OpenSSH public keys are revoked. These keys must be in the OpenSSH public key format and be signed by the CA user public key file. These keys must be in the cert: or sharedcert: directory. For example, when mySSHkey.pub is the value for the revoked key, the system looks for this file first in the cert: directory and then in the sharedcert: directory. A nonexistent value is ignored, but a warning is logged.
Attention: SSH revoked keys affect all SSH-based services. Therefore, any service that
uses SSH or SFTP is affected.
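A pre-flight check for the lookup described above, as an added example that is not part of the original page or the product's own code: it resolves each revoked key name in cert: first and then in sharedcert:, checks the OpenSSH public key format, and reports names that would be ignored. It assumes the two directories are local copies, that the first directory containing the file wins, and it does not verify the CA signature; the function names and sample files are constructed.

```python
import base64, hashlib, struct, tempfile
from pathlib import Path

def parse_openssh_pubkey(line):
    """Return (key_type, SHA256 fingerprint) for one '<type> <base64> [comment]' line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
    except (ValueError, struct.error) as exc:  # binascii.Error subclasses ValueError
        raise ValueError("key data is not a base64 OpenSSH key blob") from exc
    # The blob starts with a length-prefixed copy of the key type.
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("type inside key blob does not match declared type")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, "SHA256:" + digest

def audit_revoked_keys(names, cert_dir, sharedcert_dir):
    """Resolve each name in cert: first, then sharedcert:, and check its format."""
    report = {}
    for name in names:
        for label, folder in (("cert:", cert_dir), ("sharedcert:", sharedcert_dir)):
            path = Path(folder) / name
            if not path.is_file():
                continue
            try:
                report[name] = ("ok", label) + parse_openssh_pubkey(path.read_text())
            except ValueError as exc:
                report[name] = ("invalid", label, str(exc))
            break  # assumption: the first directory that has the file wins
        else:
            report[name] = ("missing",)  # would be ignored with only a logged warning
    return report

def demo():
    kt = b"ssh-ed25519"  # constructed key material, not a real key
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", 32) + bytes(range(32))
    good = "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example\n"
    with tempfile.TemporaryDirectory() as cert, tempfile.TemporaryDirectory() as shared:
        Path(shared, "mySSHkey.pub").write_text(good)
        Path(cert, "broken.pub").write_text("ssh-rsa not*base64\n")
        return audit_revoked_keys(["mySSHkey.pub", "broken.pub", "typo.pub"], cert, shared)

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, *result)
```

A "missing" result is the case to act on before you click Apply: the entry would be accepted but revoke nothing, and only the logged warning would show it.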
Procedure
- In the search field, enter rbm.
- From the search results, click RBM settings.
- Click the SSH authentication - CLI sessions tab.
- Use the Revoked keys property to add or delete OpenSSH keys for the list.
- Click Apply to save changes to the running configuration.
- Click Save to save changes to the persisted configuration.