2

Is it possible to resolve which public key is used to grant a user access to a server?

For example, there are 5 public keys stored in the ~/.ssh/authorized_keys file. I'd like to know which key has the highest frequency of usage and count every auth event based on keys instead of auth by password.

Stefan Lasiewski
hsz

1 Answer

5

You can adjust the SSH debug level to be more verbose, and the key fingerprints will be included in the logs. Unfortunately this will also include some other noisy messages that you probably won't care about.

You need a LogLevel of Verbose or higher to see the fingerprint.

```
# tail -50 /var/log/auth.log
Mar 14 10:01:22 myhost sshd[22092]: Found matching RSA key: 79:53:3a:31:56:e4:61:...
Mar 14 10:01:24 myhost sshd[22092]: Found matching RSA key: 79:53:3a:31:56:e4:61:...
```
Zoredache
  • See this [answer](http://unix.stackexchange.com/questions/2116/given-keys-in-ssh-authorized-keys-format-can-you-determine-key-strength-easil) for how to convert your authorized_keys into a list of fingerprints. – Zoredache Mar 14 '11 at 17:05
  • +1 We do exactly this to satisfy certain security audit requirements – freiheit Mar 14 '11 at 17:12
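An added example, not part of the original answer or comments: a way to turn the `Found matching ... key:` lines above into a per-key login count, labelled with the comment field from authorized_keys. It assumes the colon-separated MD5 fingerprint format shown in the log excerpt, counts repeated matches from the same sshd PID once (the excerpt shows two lines for one PID), and uses constructed dummy key blobs and log lines.

```python
import base64
import hashlib
import re
from collections import Counter

KEY_RE = re.compile(r"(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?")
LOG_RE = re.compile(r"sshd\[(\d+)\]: Found matching \S+ key: ((?:[0-9a-f]{2}:){15}[0-9a-f]{2})")

def md5_fingerprint(blob_b64):
    """Colon-separated MD5 fingerprint of a base64 public-key blob."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def load_fingerprints(authorized_keys_text):
    """Map fingerprint -> key comment for each key line (options prefix allowed)."""
    labels = {}
    for line in authorized_keys_text.splitlines():
        m = None if line.lstrip().startswith("#") else KEY_RE.search(line)
        if m:
            labels[md5_fingerprint(m.group(2))] = (m.group(3) or "(no comment)").strip()
    return labels

def count_key_logins(log_lines, labels):
    """Count connections per key; repeats within one sshd PID count once."""
    seen, counts = set(), Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.groups() not in seen:  # groups() is (pid, fingerprint)
            seen.add(m.groups())
            counts[labels.get(m.group(2), "unknown key " + m.group(2))] += 1
    return counts

# Constructed sample data: dummy blobs, not real keys or real log lines.
def dummy_blob(seed):
    return base64.b64encode(seed).decode()

SAMPLE_KEYS = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + dummy_blob(b"dummy-key-blob-1") + " alice@laptop",
    'from="192.0.2.0/24" ssh-rsa ' + dummy_blob(b"dummy-key-blob-2") + " backup@cron",
])

def sample_log():
    a, b = (md5_fingerprint(dummy_blob(s)) for s in (b"dummy-key-blob-1", b"dummy-key-blob-2"))
    rows = [(22092, a), (22092, a), (22310, b), (22544, a)]
    return ["Mar 14 10:01:22 myhost sshd[%d]: Found matching RSA key: %s" % r for r in rows]

if __name__ == "__main__":
    for label, n in count_key_logins(sample_log(), load_fingerprints(SAMPLE_KEYS)).most_common():
        print(n, label)
```

PIDs are reused over time, so on a long log the per-PID de-duplication can undercount slightly; splitting the input by day or by log rotation keeps that effect small.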