How can I get the comment of the current authorized_keys ssh key?
Solution 1:
I personally would not recommend this solution, but am posting this for the sake of discussion.
If you're willing to:
- Change the Logging level of SSHd
- Give your script access to /var/log/secure (or equivalent log file)
You can set "LogLevel DEBUG" in sshd_config to get the following entries each time an ssh key is used successfully for authentication:
Aug 13 11:51:13 myhost sshd[20195]: debug1: matching key found: file /home/myuser/.ssh/authorized_keys, line 3
Aug 13 11:51:13 myhost sshd[20195]: Found matching DSA key: 00:aa:bb:cc:dd:ee:00:c0:0b:fa:ce:00:00:ab:cd:ef
Writing a script to parse the logs and retrieve the relevant information would be trivial. You could probably grep for "sshd[$PPID]" to reduce the lines the script has to munge.
Do note that changing the loglevel to DEBUG will increase the size of your logs considerable and may violate the privacy of users. From "man sshd_config":
Logging with a DEBUG level violates the privacy of users and is not recommended.
I'm sure there are various steps one can take to make this solution a little less ghastly (e.g. logging sshd DEBUG info to a different file and controlling access to that file and the script) but at the end if the day it will still make you cringe.
Solution 2:
This will help if you want to track the login from a script on the SSHd
machine.
Step 1: Shell variable 'SSH_CLIENT
' gives you two parts of the information
- The remote IP address (
192.168.1.2
in the line below) - The remote TCP port over which the client connected (
56120
below)
SSH_CLIENT='192.168.1.2 56120 22' ----------- ----- Source IP Port
Step 2: You can now do a login (backwards) to the source IP (192.168.1.2) and check the UserID
.
SSHd-Server$ ssh [email protected] exec "netstat -et | grep 56120" tcp 0 0 hostname:56120 localhost:ssh ESTABLISHED user1 9937126 ----- -----
You have identified [email protected]
.
Solution 3:
It's for convenience, from the ssh-keygen
man page on Debian:
For RSA1 keys, there is also a comment field in the key file that is only for convenience to the user to help identify the key. The comment can tell what the key is for, or whatever is useful. The comment is initialized to “user@host” when the key is created, but can be changed using the -c option.
I think the nearest you're going to get for determining which key was used to log in is with ssh-add
, with -L, from the man page:
-L Lists public key parameters of all identities currently represented by the agent.
You can increase the logging level of the ssh daemon to DEBUG1:
LogLevel DEBUG1
And the log will show the RSA fingerprint of the SSH key used to log in:
Aug 13 08:52:56 ubuntu_test sshd[17115]: debug1: matching key found: file /home/username/.ssh/authorized_keys, line 1
Aug 13 08:52:56 ubuntu_test sshd[17115]: Found matching RSA key: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
You can get the fingerprint of a key with ssh-keygen
:
-l Show fingerprint of specified public key file. Private RSA1 keys are also supported. For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint. If combined with -v, an ASCII art representation of the key is supplied with the fingerprint.
From an authorized keys file, you would have to split up each line into a new file to read with ssh-keygen -l
. Here's an example Ruby script that will do this:
#!/usr/bin/env ruby
File.open("/home/username/.ssh/authorized_keys").each do |l|
file_name = l.split(" ")[2]
key_file = File.new("#{file_name}.pub_key", "w")
key_file.puts l
key_file.close
puts %x{ssh-keygen -l -f #{file_name}.pub_key}
end
Solution 4:
If you have the public key (of the suspected user) you can search the signature in auth.log
. Match that with the output from (note that -l
is here small -L
):
ssh-keygen -l <enter>
This command will request the path to the public key and will output the signature for that key.