0

I'm doing some clean up on one of my servers and I have a bunch of keys in my .ssh/authorized_keys

The problem is I want to delete them but I'm not too sure if they are still even used. Is there a way to find out which keys have been used recently? I want to delete them if no one has logged in with them for over 3 months.

  • Is this for a single user only? Did you enable verbose logging on your server previously? Typically, you would look at `/var/log/auth.log` but that won't give you the key used. Related: http://askubuntu.com/questions/562833/check-which-ssh-key-was-used-to-login and http://unix.stackexchange.com/questions/15575/can-i-find-out-which-ssh-key-was-used-to-access-an-account – Jedi Jan 04 '17 at 17:42

2 Answers2

1

From what I know, you cannot retroactively access this information if you had not been logging it so far.

You should check the LogLevel here:

vi /etc/ssh/sshd_config

....
LogLevel VERBOSE
....

If it is not VERBOSE, but QUIET/FATAL/ERROR, you will not get old log records.

Else, you should see the key fingerprints for each new connection in /var/log/auth.log*.

Jedi
  • 408
  • 1
  • 5
  • 19
0

If you have to ask this question it is unlikely you have taken the necessary steps to have gathered the information. Normally you have to increase the log verbosity for the ssh daemon to ensure that it logs which keys are being used. To get 3 months of info you'd have like;y had to configure your system to keep logs for that long too.

I have a vague recollection of seeing an answer/comment here on SF suggesting that more recent versions of Ubuntu log the information more readily but I can't find that now.

And a reference on what to do Is it possible to get OpenSSH to log the public key that was used in authentication?

user9517
  • 114,104
  • 20
  • 206
  • 289