If you use keys for SSH authentication (and you should) then you have probably run into the situation that the auth.log shows that someone logged in, even which local user was used (e.g. root), but you have no idea which of the keys in ~/.ssh/autorized_keys was used. The first step you can do to see what is going on, is increasing the log level of the SSH daemon:
/etc/ssh/sshd_config
1 | LogLevel VERBOSE |
That will spit out the fingerprint of the SSH key used to log in. Example log entry for a successful login:
1 2 3 4 5 6 | Aug 15 11:47:40 security sshd[1924]: Connection from 192.168.199.1 port 39648 Aug 15 11:47:41 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c Aug 15 11:47:41 security sshd[1924]: Postponed publickey for root from 192.168.199.1 port 39648 ssh2 [preauth] Aug 15 11:47:42 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c Aug 15 11:47:42 security sshd[1924]: Accepted publickey for root from 192.168.199.1 port 39648 ssh2 Aug 15 11:47:42 security sshd[1924]: pam_unix(sshd:session): session opened for user root by (uid=0) |
Now that we have the fingerprint of the ssh key used to login, we will need ssh-keygen to spit out the fingerprints of the public keys in ~/.ssh/authorized_keys to be able to compare them. So I wrote a little wrapper called ssh-fingerprint.sh around ssh-keygen to feed it all the public keys from authorized_keys (if you want you can even fit the whole while loop as a oneliner):
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | #!/bin/bash initialize() { #{{{ # Treat unset variables as an error set -o nounset tempfile=$(mktemp) authorized_keys="${HOME}/.ssh/authorized_keys" trap cleanup TERM EXIT # clean up if script exits } #}}} cleanup() { #{{{ rm -f ${tempfile} exit 0 } #}}} #=============================================================================== # Main #=============================================================================== initialize if [ ! -e ${authorized_keys} ] then echo -e "\nERROR: ${authorized_keys} file not found\n" exit fi while read line do echo "${line}" > ${tempfile} ssh-keygen -l -f ${tempfile} done < ${authorized_keys} |