How to find out which key was being used to login for an SSH session
I would like to know which key was used when logging into an SSH session. I want to correlate the key to a local database and send email to an address which corresponds to the key.
The first step is to find which key is the one being used.
You will need to turn up logging.
On the client side, "ssh -v" will show which private key was used.
On the server side, default log levels will only show that a public key was used (as opposed to password auth). You will need to set the logging level in sshd_config to at least VERBOSE.
To do this you will have to raise the LogLevel of your sshd to VERBOSE:
LogLevel VERBOSE
in /etc/ssh/sshd_config and restart sshd. This will cause sshd to log the fingerprint of the key used to log in, to the configured log file (/var/log/secure, /var/log/auth etc). You will get a message similar to this:
Dec 9 11:47:15 host sshd[32282]: Found matching RSA key: 54:d2:06:cf:85:ec:89:96:3c:a8:73:c7:a1:30:c2:8b
The 54:d2:06:cf:85:ec:89:96:3c:a8:73:c7:a1:30:c2:8b is the fingerprint of the key used to log in.
You can obtain the fingerprint of a particular key by using the command
where keyfile is the public key.
If you want to detect the currently used ssh key from within the current ssh session, then it seems there’s a better way since OpenSSH 7.6:
Set ExposeAuthInfo yes in your server’s sshd_config. You should be able to limit this configuration to a specific user via Match User geoaxis.
Then, after restarting sshd and re-login, there should be an environment variable SSH_USER_AUTH that contains the path to a file with authentication information. In case of public key authentication this file contains the full public key prefixed with the string publickey.
This way you don’t need to manually add environment variables to your ~/.ssh/authorized_keys.
The log idea from @user9517 is good and you can even have script monitoring the logs etc.
Additionally you can add environment="SSH_KEY_ID=geoaxis" before the actual key (see sshd(8), AUTHORIZED_KEYS FILE FORMAT) and then you can probably utilize that env var in /etc/profile or similar.
But also look at sshd_config(5)'s AuthorizedKeysCommand.
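Putting the log-based answer together with the question's goal of mapping a key to an address, as an added example that is not from any of the answers above: it computes the MD5 and SHA256 fingerprints of an authorized_keys entry (the same hashes sshd logs, the entry carrying an environment= option as described in the last answer), keeps a fingerprint-to-email table, and resolves the fingerprint in a VERBOSE sshd log line, including the one quoted above, to its owner. The key, the addresses, the second log line and the database are all constructed for the example.

```python
import base64
import hashlib
import re

# Two lines sshd writes at LogLevel VERBOSE: "Found matching ... key" with an MD5
# fingerprint (the line quoted in the answer, older OpenSSH) and "Accepted publickey"
# with a SHA256 fingerprint (newer OpenSSH).
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?:Found matching \w+ key: (?P<md5>(?:[0-9a-f]{2}:){15}[0-9a-f]{2})"
    r"|Accepted publickey for (?P<user>\S+) from \S+ port \d+ ssh2: \w+ "
    r"(?P<sha256>SHA256:[A-Za-z0-9+/]{43}))"
)

def fingerprints(authorized_key_line: str) -> dict:
    """MD5 (colon-hex) and SHA256 fingerprints of one authorized_keys entry. Both
    hash the raw base64-decoded key blob, so they match what sshd logs. A leading
    options field such as environment="..." is skipped (options containing
    whitespace are not handled)."""
    fields = authorized_key_line.split()
    i = next(n for n, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-")))
    blob = base64.b64decode(fields[i + 1])
    md5_hex = hashlib.md5(blob).hexdigest()
    sha_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5_hex[j:j + 2] for j in range(0, 32, 2)),
            "sha256": "SHA256:" + sha_b64}

def owner_for_log_line(line: str, key_db: dict) -> "str | None":
    """Address registered for the key in one sshd log line, or None when the line
    is not a public-key login or the fingerprint is not in the database."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return key_db.get(m.group("md5") or m.group("sha256"))

# Constructed ed25519 key (not a real key). Wire blob: string("ssh-ed25519") +
# string(32-byte key), each string being a 4-byte big-endian length plus the bytes.
KEY_BLOB = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes(range(32))
AUTHORIZED_KEY = ('environment="SSH_KEY_ID=geoaxis" ssh-ed25519 '
                  + base64.b64encode(KEY_BLOB).decode() + " geoaxis@laptop")

# Constructed "local database": fingerprint -> owner address. The MD5 entry is the
# fingerprint quoted in the answer; the other entries come from the key above.
KEY_DB = {"54:d2:06:cf:85:ec:89:96:3c:a8:73:c7:a1:30:c2:8b": "alice@example.org"}
KEY_DB.update({fp: "geoaxis@example.org" for fp in fingerprints(AUTHORIZED_KEY).values()})

# Sample log: the line quoted in the answer, plus a constructed newer-style line.
SAMPLE_LOG = [
    "Dec 9 11:47:15 host sshd[32282]: Found matching RSA key: 54:d2:06:cf:85:ec:89:96:3c:a8:73:c7:a1:30:c2:8b",
    "Dec 9 11:47:16 host sshd[32282]: Accepted publickey for geoaxis from 192.0.2.10 port 51234 ssh2: ED25519 "
    + fingerprints(AUTHORIZED_KEY)["sha256"],
]
```

Feeding real log lines through owner_for_log_line and handing the result to your mailer is the remaining step; the fingerprint table is what ssh-keygen -lf (MD5 or SHA256 depending on the version's default hashing) would also give you for each public key.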