upstream: mention that RevokedKeys is read by the server at each authentication time and should only ever be replaced atomically.

OpenBSD-Commit-ID: eeedf5a10331ac4e39fbd2fc41e4a11c38b2ef9b
djm@openbsd.org
2026-03-28 05:07:12 +00:00
committed by Damien Miller
parent c5182e3f06
commit 21ecb5fd72

@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.396 2026/03/23 01:33:46 djm Exp $
.Dd $Mdocdate: March 23 2026 $
.\" $OpenBSD: sshd_config.5,v 1.397 2026/03/28 05:07:12 djm Exp $
.Dd $Mdocdate: March 28 2026 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -1855,6 +1855,11 @@ be refused for all users.
Keys may be specified as a text file, listing one public key per line, or as
an OpenSSH Key Revocation List (KRL) as generated by
.Xr ssh-keygen 1 .
This file may be consulted for each public key authentication attempt
received by
.Xr sshd 8
and its contents must be consistent at all times, therefore it should only
be atomically replaced and never modified in place while the server is running.
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
.It Cm RDomain
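
Review bot: the added sentence ending "it should only be atomically replaced and never modified in place while the server is running" tells administrators what not to do but never says what an atomic replacement is, so a reader who regenerates the list directly onto the live path may not realise that counts as modifying it in place. Suggest naming the method, for example writing the new text file or KRL to a temporary file in the same directory and moving it over the old one with rename(2). Two smaller points in the same paragraph: "may be consulted for each public key authentication attempt" is weaker than the commit message's "is read by the server at each authentication time", so pick one wording; and "must be consistent at all times, therefore it should" reads better as two sentences. It would also help to connect this to the preceding text ending "be refused for all users", since that is the failure an administrator is likely to see first if the file is caught half-written.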