Is it possible to get OpenSSH to log the public key that was used in authentication?
If you raise the LogLevel to VERBOSE in your configuration file (/etc/sshd/sshd_config or similar) it will log the fingerprint of the public key used to authenticate the user.
LogLevel VERBOSE
Then you get messages like this:
Jul 19 11:23:13 centos sshd[13431]: Connection from 192.168.1.104 port 63529
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:23:13 centos sshd[13432]: Postponed publickey for user from 192.168.1.104 port 63529 ssh2
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:23:13 centos sshd[13431]: Accepted publickey for user from 192.168.1.104 port 63529 ssh2
You can use:
ssh-keygen -lf /path/to/public_key_file
to get the fingerprint of a particular public key.
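As an added illustration of putting those two pieces together (this is not code from the answer above), the following Python script correlates the "Found matching ... key" and "Accepted publickey" lines that sshd logs under the same PID, computes the same colon-separated MD5 fingerprint that ssh-keygen -lf prints for each authorized_keys entry, and reports which key (by its comment) each login used. The authorized_keys entry and the log lines in demo() are constructed for the example; the ed25519 blob is structurally valid but not a real key.

```python
import base64
import hashlib
import re

# Both facts about one login are logged as separate lines sharing the same sshd[PID].
FOUND_RE = re.compile(r"sshd\[(\d+)\]: Found matching (\S+) key: (\S+)")
ACCEPT_RE = re.compile(r"sshd\[(\d+)\]: Accepted publickey for (\S+) from (\S+) port (\d+)")


def md5_fingerprint(pubkey_line):
    """Colon-separated MD5 fingerprint of a '<type> <base64> [comment]' line, the
    format ssh-keygen -lf prints (on OpenSSH >= 6.8, which defaults to SHA256,
    use ssh-keygen -E md5 -lf). Lines with an options prefix are not handled."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_authorized_keys(text):
    """Map fingerprint -> key comment, skipping blank and '#' lines."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        table[md5_fingerprint(line)] = fields[2] if len(fields) > 2 else ""
    return table


def correlate_logins(log_lines, key_table):
    """Pair each 'Accepted publickey' with the fingerprint logged under the same
    PID; fingerprints absent from key_table are still reported, not dropped."""
    pending, logins = {}, []  # pending: pid -> (key type, fingerprint)
    for line in log_lines:
        m = FOUND_RE.search(line)
        if m:
            pending[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = ACCEPT_RE.search(line)
        if m:
            ktype, fp = pending.pop(m.group(1), ("?", "?"))
            logins.append({"user": m.group(2), "src": m.group(3), "port": int(m.group(4)),
                           "keytype": ktype, "fingerprint": fp,
                           "comment": key_table.get(fp, "UNKNOWN KEY")})
    return logins


# Constructed authorized_keys entry: ed25519 wire format (string "ssh-ed25519", 32-byte key).
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_AUTHORIZED_KEYS = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " alice@laptop\n"


def demo():
    """Constructed log lines in the format shown in the answer; one login uses the
    sample key, the other a fingerprint that is not in authorized_keys."""
    fp = md5_fingerprint(SAMPLE_AUTHORIZED_KEYS)
    log = [
        "Jul 19 11:23:13 centos sshd[13431]: Found matching ED25519 key: " + fp,
        "Jul 19 11:23:13 centos sshd[13431]: Accepted publickey for alice from 192.168.1.104 port 63529 ssh2",
        "Jul 19 11:23:14 centos sshd[13440]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b",
        "Jul 19 11:23:14 centos sshd[13440]: Accepted publickey for user from 192.168.1.104 port 63530 ssh2",
    ]
    return correlate_logins(log, load_authorized_keys(SAMPLE_AUTHORIZED_KEYS))
```

Running it against a real /var/log/secure and ~/.ssh/authorized_keys only requires replacing the constructed inputs; an "UNKNOWN KEY" result means a key was accepted that is not in the file you checked, which is worth investigating.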
If your people are using ssh-agent, you could put this in your .bashrc:
SSH_KEY_NAME=$(ssh-add -L 2>/dev/null | cut -d' ' -f3)   # key comment(s) from the agent; empty if no agent or no keys
if [[ -z $SSH_KEY_NAME ]]; then SSH_KEY_NAME="no agent"; fi
echo "$(/bin/date) $SSH_KEY_NAME" >> ~/.login.log