So stupidly enough in our development team every individual SSH Key is used to access the root user directly.
When Checking the auth.log I can find this
Dec 18 09:45:04 webserver sshd[12377]: Accepted publickey for root from xx.xx.xx.xx port xx ssh2
Dec 18 09:45:04 webserver sshd[12377]: pam_unix(sshd:session): session opened for user root by (uid=0)Is there any way to see which publickey was used? Maybe change something for the log levels? Or do I need to look in another place?
31 Answer
First of all, this is possible to do.
Change your ssh log level to VERBOSE and restart ssh. Usually the file is located:
nano /etc/ssh/sshd_configFind LogLevel option and change it to VERBOSE.
LogLevel VERBOSERestart SSH service
sudo service ssh restart; sudo service sshd restart;Reconnect to ssh and check the log file.
nano /var/log/auth.logThen you'll find something like this:
Dec 23 22:43:42 localhost sshd[29779]: Found matching RSA key: d8:d5:f3:5a:7e:27:42:91:e6:a5:e6:9e:f9:fd:d3:ce
Dec 23 22:43:42 localhost sshd[29779]: Accepted publickey for caleb from 127.0.0.1 port 59630 ssh2Finally, relax and you're welcome :)