Is it possible to get OpenSSH to log the public key that was used in authentication?
Solution 1
If you raise the LogLevel to VERBOSE in your configuration file (/etc/sshd/sshd_config or similar) it will log the fingerprint of the public key used to authenticate the user.
LogLevel VERBOSE
Then you get messages like this:
Jul 19 11:23:13 centos sshd[13431]: Connection from 192.168.1.104 port 63529
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:23:13 centos sshd[13432]: Postponed publickey for user from 192.168.1.104 port 63529 ssh2
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:23:13 centos sshd[13431]: Accepted publickey for user from 192.168.1.104 port 63529 ssh2
You can use:
ssh-keygen -lf /path/to/public_key_file
to get the fingerprint of a particular public key.
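As an added example (not part of either answer), the following script does the matching the question asks for: it computes the fingerprint of every authorized_keys entry the same way OpenSSH does (MD5 in the colon form shown in the log above, and the SHA256 form newer sshd versions print on the "Accepted publickey" line) and resolves a log line to the key's comment. The key blobs and log lines are constructed placeholders, not real keys.

```python
import base64
import hashlib
import re

# Constructed sample authorized_keys content. 'YWJj' is base64("abc") and
# 'YWJjZA==' is base64("abcd"): placeholders, not real key blobs. Real
# fingerprints are computed the same way, over the decoded blob.
AUTHORIZED_KEYS = """\
# comment lines and blank lines are ignored

ssh-rsa YWJj alice@laptop
command="/usr/local/bin/deploy",no-pty ssh-ed25519 YWJjZA== bob@ci
"""

# Either an unpadded SHA256 fingerprint or 16 colon-separated MD5 bytes.
FP_RE = re.compile(r"SHA256:[A-Za-z0-9+/]{43}|(?:[0-9a-f]{2}:){15}[0-9a-f]{2}")
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def fingerprints(blob_b64):
    """Return (md5, sha256) fingerprints of a base64 key blob, in the
    formats sshd writes to syslog (older and newer OpenSSH respectively)."""
    blob = base64.b64decode(blob_b64)
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha


def index_authorized_keys(text):
    """Map both fingerprint forms of each key to its comment field.
    Entries may start with options such as command="..." before the key type."""
    index = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        while fields and fields[0] not in KEY_TYPES:   # drop option words
            fields.pop(0)
        if len(fields) < 2:
            continue                                   # malformed entry
        comment = " ".join(fields[2:]) or "(no comment)"
        for fp in fingerprints(fields[1]):
            index[fp] = comment
    return index


def who_logged_in(log_line, index):
    """Return the comment of the key an sshd log line refers to, or None."""
    m = FP_RE.search(log_line)
    return index.get(m.group(0)) if m else None
```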
Solution 2
If your people are using ssh-agent, you could put this in your .bashrc:
# ssh-add -L lists every key loaded in the agent (type, blob, comment); field 3 is the comment
SSH_KEY_NAME=$(ssh-add -L 2>/dev/null | cut -d' ' -f 3) || SSH_KEY_NAME='unknown'
if [[ ! $SSH_KEY_NAME ]]; then SSH_KEY_NAME="no agent"; fi
echo "$(/bin/date) $SSH_KEY_NAME" >> ~/.login.log
Guss
Updated on September 18, 2022
Comments
-
Guss over 1 year
I have a production system where several different people are allowed to log in to a single account - the account is for the application and not for the person as we don't have personal accounts on production servers.
For auditing purposes I want to be able to tell who logged in at what time, and as we use SSH keys to log in it seems logical to track that (as there is no other identifier to track).
When SSH authenticates a user, it logs the user name to the system's security log, but it does not log which of the authorized public keys was used in the log in. Is it possible to get OpenSSH to also report which public key was used, or maybe just the comment associated with that key?
The operating system being used is CentOS 5.6, but I'd like to also hear if it's possible on other operating systems.
-
yaronf almost 11 years
A nice blog post answers your question: screenage.de/blog/2012/02/10/…
-
Guss almost 13 years
Thanks! I need to confirm the key fingerprints against the authorized_keys file, so I made this little script to print out the fingerprints of authorized keys:
(p="$(mktemp)"; cat ~/.ssh/authorized_keys | while IFS= read -r key; do echo "$key" > "$p"; ssh-keygen -lf "$p"; done; rm -f "$p")
-
Guss almost 13 years
I noticed that SSH now logs the key twice for each login - any idea why and/or how to get it to log it once?
-
user9517 almost 13 years
Why, that's a level of detail I'm not familiar with. Can you stop it? Probably not without poking around with the source code.
-
Guss almost 11 years
It's a good idea, unfortunately one of the reasons I want to log this is that I'm using authorized_keys commands for the users that I want to log, and they don't normally get a bash shell.
-
mpontillo over 9 years
This thread looks relevant. It finds the matching key twice: once to determine if the key would be acceptable or not, then a second time to check the signature the client provides.
-
Valerio Bozzolan over 2 years
I think you submitted this answer at the same time of serverfault.com/a/291768/225489 but that one is more precise. What to do?