Is it possible to get OpenSSH to log the public key that was used in authentication?

If you raise the LogLevel to VERBOSE in your configuration file (/etc/sshd/sshd_config or similar), it will log the fingerprint of the public key used to authenticate the user.

LogLevel VERBOSE

Then you get messages like this:

Jul 19 11:23:13 centos sshd[13431]: Connection from 192.168.1.104 port 63529
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:23:13 centos sshd[13432]: Postponed publickey for user from 192.168.1.104 port 63529 ssh2
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:23:13 centos sshd[13431]: Accepted publickey for user from 192.168.1.104 port 63529 ssh2

You can use:

 ssh-keygen -lf /path/to/public_key_file

to get the fingerprint of a particular public key.
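
As an added example (not part of the answers on this page), the following Python sketch attributes each "Accepted publickey" line to an authorized_keys entry by pairing it with the "Found matching ... key" line from the same sshd PID and recomputing the colon-separated MD5 fingerprint of each authorized key. It assumes the log format shown above; the key blobs, comments, the second login and all function names are constructed for illustration.

```python
import base64, hashlib, re

PREFIX = r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(\d+)\]: "
FOUND = re.compile(PREFIX + r"Found matching \S+ key: ((?:[0-9a-f]{2}:){15}[0-9a-f]{2})$")
ACCEPTED = re.compile(PREFIX + r"Accepted publickey for (\S+) from (\S+) port \d+")
KEY_LINE = re.compile(r"(?:^|\s)(?:ssh|ecdsa)-\S+\s+(AAAA[A-Za-z0-9+/=]+)\s*(.*)$")

def md5_fingerprint(b64_blob):
    """Colon-separated MD5 of the decoded key blob, the format seen in the log."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def index_authorized_keys(text):
    """Map fingerprint -> key comment; options before the key type are skipped."""
    index = {}
    for line in text.splitlines():
        m = KEY_LINE.search(line)
        if m and not line.lstrip().startswith("#"):
            index[md5_fingerprint(m.group(1))] = m.group(2) or "(no comment)"
    return index

def attribute_logins(log_text, index):
    """Return (user, source, fingerprint, key comment) per accepted login."""
    pending, logins = {}, []   # pending: sshd PID -> last fingerprint matched
    for line in log_text.splitlines():
        if m := FOUND.match(line):
            pending[m.group(1)] = m.group(2)
        elif m := ACCEPTED.match(line):
            pid, user, source = m.groups()
            fp = pending.pop(pid, None)
            logins.append((user, source, fp, index.get(fp, "NOT IN authorized_keys")))
    return logins

# Constructed sample data: the blobs are stand-ins, not real keys; the 11:25 login is made up.
def _blob(seed):
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + seed * 16).decode()

ALICE, BOB = _blob(b"alice"), _blob(b"bob")
AUTHORIZED_KEYS = f'ssh-rsa {ALICE} alice@laptop\nfrom="192.168.1.*" ssh-rsa {BOB} bob@desk\n'
SAMPLE_LOG = f"""\
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: {md5_fingerprint(BOB)}
Jul 19 11:23:13 centos sshd[13432]: Postponed publickey for user from 192.168.1.104 port 63529 ssh2
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: {md5_fingerprint(BOB)}
Jul 19 11:23:13 centos sshd[13431]: Accepted publickey for user from 192.168.1.104 port 63529 ssh2
Jul 19 11:25:40 centos sshd[13502]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:25:40 centos sshd[13502]: Accepted publickey for user from 192.168.1.77 port 50112 ssh2
"""

print(attribute_logins(SAMPLE_LOG, index_authorized_keys(AUTHORIZED_KEYS)))
```

A login reported as "NOT IN authorized_keys" was accepted with a key that is not in the file that was indexed, for example one removed since the login or one authorized through a different file.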


If your people are using ssh-agent, you could put this in your .bashrc:

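# Comment field (third column) of every key loaded in ssh-agent, joined on one line
SSH_KEY_NAME=$(ssh-add -L 2>/dev/null | cut -d' ' -f 3 | paste -sd' ' -)
# Empty when no agent is reachable (or the loaded key has no comment)
if [[ -z $SSH_KEY_NAME ]]; then SSH_KEY_NAME="no agent"; fi
echo "$(/bin/date) $SSH_KEY_NAME" >> ~/.login.log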