Check which SSH key was used to login

So stupidly enough in our development team every individual SSH Key is used to access the root user directly.

When Checking the auth.log I can find this

Dec 18 09:45:04 webserver sshd[12377]: Accepted publickey for root from xx.xx.xx.xx port xx ssh2
Dec 18 09:45:04 webserver sshd[12377]: pam_unix(sshd:session): session opened for user root by (uid=0)

Is there any way to see which publickey was used? Maybe change something for the log levels? Or do I need to look in another place?

3

1 Answer

First of all, this is possible to do.

Change your ssh log level to VERBOSE and restart ssh. Usually the file is located:

nano /etc/ssh/sshd_config

Find LogLevel option and change it to VERBOSE.

LogLevel VERBOSE

Restart SSH service

sudo service ssh restart; sudo service sshd restart;

Reconnect to ssh and check the log file.

nano /var/log/auth.log

Then you'll find something like this:

Dec 23 22:43:42 localhost sshd[29779]: Found matching RSA key: d8:d5:f3:5a:7e:27:42:91:e6:a5:e6:9e:f9:fd:d3:ce
Dec 23 22:43:42 localhost sshd[29779]: Accepted publickey for caleb from 127.0.0.1 port 59630 ssh2

Finally, relax and you're welcome :)

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like