Who SSH’d into User using auth.log/RSA Key

key-authentication

Ubuntu 14.04:
Using the auth.log im able to see: accepted publickey for $user from 192.168.xx.xx port xxxxx ssh2: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

Using that RSA Key how do i know which public key it is in /home/$user/.ssh/authorized_keys

/home/$user/.ssh/authorized_keys are not in hexadecimal format which is what im guessing the RSA key format is in auth.log???

Best Answer

As pointed out in the comments, the auth.log entries show the public key fingerprint and not the key itself.

You can compare the fingerprints in the auth.log file with the fingerprint of the keys listed in ~/.ssh/authorized_keys by using the ssh-keygen -E -lf command.

The -E option allows you to set the hash as either MD5 or SHA256. The -lf option shows the fingerprint of a public key file. The colon separated hash is the MD5 form.

You can copy the public keys from the ~/.ssh/authorized_keys file and store the them in individual text files. From there, it's easy to get the hashes of each public key.

ssh-keygen -E MD5 -lf pkey.txt

The public key is the entire line starting with ssh- and ending with the key identifier.

Related Solutions

Ssh – dropbear ssh server won’t let me connect

Short answer: You are probably running OpenWrt, and you need to put your public key in /etc/dropbear/authorized_keys instead of /root/.ssh/authorized_keys.

Long answer:

The GitHub repo you point to is the one maintained by the dropbear author; it says that ~/.ssh/authorized_keys works, and according to GitHub it has done so at least for 14 years. Looking at the code in svr-authpubkey.c it adds /.ssh/authorized_keys to the "pw_dir".

I, however, had the same problem as you have, and I discovered that the binary provided in OpenWrt 18.06.1 is actually opening /etc/dropbear/authorized_keys. Using that file works for me.

This behavior is documented in the OpenWrt docs.

So how come?

Given that the code above cannot produce that filename on its own (the .ssh is missing) and there is no .ssh symlink anywhere, I ran strings on the binary. That showed that /etc/dropbear/authorized_keys is mentioned explicitly, just before the %s/.ssh/authorized_keys that can be expected from the GitHub code. I conclude that the OpenWrt binary is not compiled from the same sources... and indeed, OpenWrt patches the upstream code with this patch. It changes the file used to /etc/dropbear/authorized_keys if (and only if) the target user is root.

Since you mention opkg, I imagine you are also using OpenWrt, and that this is your problem. I've added an OpenWrt tag to your question.

Linux – ssh via public key if there is no home directory on the remote system

Assuming your username is testssh:

create /etc/ssh/authorized_keys_testssh and put your key there
add the following in /etc/ssh/sshd_config:

Match User testssh
    AuthorizedKeysFile  /etc/ssh/authorized_keys_%u

and restart sshd. Your user will be able to ssh with his private key.

Best Answer

Related Solutions

Ssh – dropbear ssh server won’t let me connect

Linux – ssh via public key if there is no home directory on the remote system

Related Question