Which ssh publickey was used to access an account

When you have more than one public key set up to be able to access a single account (ie more than one public key listed in the authorized_keys you may want to check which public key was used to make a login). Since openssh 6.3 (released 2013) the public key fingerprint is logged – for example the below shows a set of made up “Accepted publickey” entries from an ssh auth.log:

# grep 'Accepted publickey' /var/log/auth.log
Jul 5 21:11:18 example.net sshd[84118]: Accepted publickey for foouser from 10.0.0.1 port 61416 ssh2: RSA SHA256:aGlzIGhlbHAgbWVzc2FnZSBhbmQgZXhpdAogIC1sIEx
Jul 7 21:11:31 example.net sshd[82341]: Accepted publickey for foouser from 10.0.0.2 port 61420 ssh2: RSA SHA256:9wdGlvbmFsIGFyZ3VtZW50czoKICAtaCwgLS1oZWxwI
Jul 12 11:24:46 example.net sshd[11902]: Accepted publickey for foouser from 10.0.0.3 port 55753 ssh2: RSA SHA256:aGlzIGhlbHAgbWVzc2FnZSBhbmQgZXhpdAogIC1sIEx

And the following shows how to extract the matching fingerprints from the target user account authorized_keys file:

# ssh-keygen -lf ~foouser/.ssh/authorized_keys 
2048 SHA256:aGlzIGhlbHAgbWVzc2FnZSBhbmQgZXhpdAogIC1sIEx some user called fred (RSA)
2048 SHA256:dXNhZ2U6IHB3Z2VuIFstaF0gWy1sIExFTkdUSF0gWy1 some user called elsa (RSA)
2048 SHA256:9wdGlvbmFsIGFyZ3VtZW50czoKICAtaCwgLS1oZWxwI elgar (RSA)

In this example this means we can see that the key labelled “some user called fred” was used to log in twice and the key labelled “some user called elsa” was used to log in once. The key labelled “elgar” was not used in this log.

Leave a Reply

Your email address will not be published. Required fields are marked *