Ping a Specific Port

Question

Guss

Asked: 2011-07-20 01:53:31 +0800 CST2011-07-20 01:53:31 +0800 CST 2011-07-20 01:53:31 +0800 CST

Is it possible to get OpenSSH to log the public key that was used in authentication?

772

I have a production system where several different people are allowed to log in to a single account - the account is for the application and not for the person as we don't have personal accounts on production servers.

For auditing purposes I want to be able to tell who logged in at what time, and as we use SSH keys to log in it seems logical to track that (as there is no other identifier to track).

When SSH authenticates a user, it logs the user name to the system's security log, but it does not log which of the authorized public keys was used in the log in. Is it possible to get OpenSSH to also report which public key was used, or maybe just the comment associated with that key?

The operating system being used is CentOS 5.6, but I'd like to also hear if its possible on other operating systems.

3 Answers

Voted

user9517 · Answer 1 · 2011-07-20T02:03:55+08:00

Best Answer

user9517

2011-07-20T02:03:55+08:002011-07-20T02:03:55+08:00

If you raise the LogLevel to VERBOSE in your configuration file (/etc/sshd/sshd_config or similar) it will log the fingerprint of the public key used to authenticate the user.

LogLevel VERBOSE

Then you get messages like this:

Jul 19 11:23:13 centos sshd[13431]: Connection from 192.168.1.104 port 63529
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:23:13 centos sshd[13432]: Postponed publickey for user from 192.168.1.104 port 63529 ssh2
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:23:13 centos sshd[13431]: Accepted publickey for user from 192.168.1.104 port 63529 ssh2

You can use:

 ssh-keygen -lf /path/to/public_key_file

to get the fingerprint of a particular public key.

38

Willem · Answer 2 · 2013-01-23T04:58:10+08:00

Willem

2013-01-23T04:58:10+08:002013-01-23T04:58:10+08:00

If your people are using ssh-agent, you could put this in your .bashrc:

SSH_KEY_NAME=$(ssh-add -L | cut -d' ' -f 3 || 'unknown')
if [[ ! $SSH_KEY_NAME ]]; then SSH_KEY_NAME="no agent"; fi
echo `/bin/date` $SSH_KEY_NAME >> ~/.login.log

3

Sven · Answer 3 · 2011-07-20T02:03:07+08:00

Sven

2011-07-20T02:03:07+08:002011-07-20T02:03:07+08:00

Try playing around with the LogLevel parameter in sshd_config. For details, refer to man sshd_config

0

Is it possible to get OpenSSH to log the public key that was used in authentication?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?