Ubuntu 14.04:
Using the auth.log im able to see: accepted publickey for $user from 192.168.xx.xx port xxxxx ssh2: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
Using that RSA Key how do i know which public key it is in /home/$user/.ssh/authorized_keys
/home/$user/.ssh/authorized_keys are not in hexadecimal format which is what im guessing the RSA key format is in auth.log???
Best Answer
As pointed out in the comments, the
auth.log
entries show the public key fingerprint and not the key itself.You can compare the fingerprints in the
auth.log
file with the fingerprint of the keys listed in~/.ssh/authorized_keys
by using thessh-keygen -E -lf
command.The
-E
option allows you to set the hash as either MD5 or SHA256. The-lf
option shows the fingerprint of a public key file. The colon separated hash is the MD5 form.You can copy the public keys from the
~/.ssh/authorized_keys
file and store the them in individual text files. From there, it's easy to get the hashes of each public key.The public key is the entire line starting with
ssh-
and ending with the key identifier.