Is it possible to get OpenSSH to log the public key that was used in authentication?

linux ssh logging public-key

16,785

Solution 1

If you raise the LogLevel to VERBOSE in your configuration file (/etc/sshd/sshd_config or similar) it will log the fingerprint of the public key used to authenticate the user.

LogLevel VERBOSE

Then you get messages like this:

Jul 19 11:23:13 centos sshd[13431]: Connection from 192.168.1.104 port 63529
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:23:13 centos sshd[13432]: Postponed publickey for user from 192.168.1.104 port 63529 ssh2
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:23:13 centos sshd[13431]: Accepted publickey for user from 192.168.1.104 port 63529 ssh2

You can use:

 ssh-keygen -lf /path/to/public_key_file

to get the fingerprint of a particular public key.

Solution 2

If your people are using ssh-agent, you could put this in your .bashrc:

SSH_KEY_NAME=$(ssh-add -L | cut -d' ' -f 3 || 'unknown')
if [[ ! $SSH_KEY_NAME ]]; then SSH_KEY_NAME="no agent"; fi
echo `/bin/date` $SSH_KEY_NAME >> ~/.login.log

16,785

Guss

Updated on September 18, 2022

Comments

Guss over 1 year

I have a production system where several different people are allowed to log in to a single account - the account is for the application and not for the person as we don't have personal accounts on production servers.

For auditing purposes I want to be able to tell who logged in at what time, and as we use SSH keys to log in it seems logical to track that (as there is no other identifier to track).

When SSH authenticates a user, it logs the user name to the system's security log, but it does not log which of the authorized public keys was used in the log in. Is it possible to get OpenSSH to also report which public key was used, or maybe just the comment associated with that key?

The operating system being used is CentOS 5.6, but I'd like to also hear if its possible on other operating systems.
- yaronf almost 11 years
  
  A nice blog post answers your question: screenage.de/blog/2012/02/10/…
Guss almost 13 years

Thanks! I need to confirm the key fingerprints against the authorized_keys file, so I made this little script to printout the fingerprints of authorized keys: (p="$(mktemp)";cat ~/.ssh/authorized_keys|while IFS="$(printf "\n")" read key; do echo $key > $p; ssh-keygen -lf $p; done; rm -f $p)
Guss almost 13 years

I noticed that SSH now logs the key twice for each login - any idea why and/or how to get it to log it once?
user9517 almost 13 years

Why, that's a level of detail I'm not familiar with. Can you stop it, probably not without poking around with the source code.
Guss almost 11 years

Its a good idea, unfortunately one of the reasons I want to log this is that I'm using authorized_keys commands for the users that I want to log, and they don't normally get a bash shell.
mpontillo over 9 years

This thread looks relevant. It finds the matching key twice: once to determine if the key would be acceptable or not, then a second time to check the signature the client provides.
Valerio Bozzolan over 2 years

I think you submitted this answer at the same time of serverfault.com/a/291768/225489 but that one is more precise. What to do?