Ssh – How to determine which SSH keyfile was used to authenticate a login

authenticationkey-authenticationlogsssh

We have a hosted CentOS 6.5 server in which we have a single user account. That account has been configured to use SSH keyfile authentication for the users who need to access it.

I would like to be able to see which keyfile was used to authenticate each login; effectively telling me which end-user logged into the single unix user account. Is there a mechanism for doing so?

Best Answer

On CentOS there is /var/log/secure. This holds the fingerprints of the logins:

 Aug  7 23:12:57 my-server sshd[2584]: Accepted publickey for user from 192.168.1.156 port 58279 ssh2: RSA 32:f1:aa:aa:aa:aa:aa:aa:bb:be:ef:c3:aa:bb:cc:f8

Map these back to the keys and you have the info you need. You can get the key fingerprints by doing:

ssh-keygen -l -f ~/.ssh/*.pub

Related Solutions

Ssh – How to lock the own account from remote ssh login with password

You can use the Match option in sshd_config

Match Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.[1]

So, at the end of that file you could specify:

Match User yourusername
PasswordAuthentication no

See man 5 sshd_config for all of the available options.

[1] http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

Ssh – find out which ssh key was used to access an account

If you go into the sshd config file (usually /etc/ssh/sshd_config) and change the LogLevel directive to VERBOSE:

LogLevel VERBOSE

...you can see something like this in the logs:

Jun 24 22:43:42 localhost sshd[29779]: Found matching RSA key: d8:d5:f3:5a:7e:27:42:91:e6:a5:e6:9e:f9:fd:d3:ce
Jun 24 22:43:42 localhost sshd[29779]: Accepted publickey for caleb from 127.0.0.1 port 59630 ssh2

From man sshd_config:

   LogLevel
          Gives  the  verbosity  level that is used when logging messages from
          sshd(8).  The possible values are: QUIET, FATAL, ERROR,  INFO,  VER-
          BOSE,  DEBUG,  DEBUG1,  DEBUG2,  and  DEBUG3.   The default is INFO.
          DEBUG and DEBUG1 are equivalent.  DEBUG2  and  DEBUG3  each  specify
          higher  levels of debugging output.  Logging with a DEBUG level vio-
          lates the privacy of users and is not recommended.

Best Answer

Related Solutions

Ssh – How to lock the own account from remote ssh login with password

Ssh – find out which ssh key was used to access an account

Related Question