Home / server / Questions / 347733
Accepted
Marco Ceppi
Asked: 2012-01-08 14:31:29 +0800 CST

Determine when someone last logged in to a server from a key

  • 772

I'm trying to track the last time a user logged into a Linux server with a certain key. So user secure has 5 keys in ~/.ssh/authorized_keys, how can I track when each key was used and what IP was used to access the server?

Ideally I would be able to see that Key 1 was last used 5 days ago from 127.0.0.1, Key 2 was used 10 mins ago from 10.0.0.5, Key 3 and 4 were never used, Key 5 was used 2 weeks ago from 8.8.8.8.

logging ssh ssh-keys

1 Answers

  1. Best Answer

    You need to increase the LogLevel in /etc/ssh/sshd_config to VERBOSE and restart sshd. This will cause sshd to log the fingerprint of the key being used to whichever log file your sshd is configured to use e.g.

    Jan  7 22:46:17 host.lan sshd[5998]: Connection from 192.168.254.187 port 57062
Jan  7 22:46:17 host.lan sshd[5998]: Found matching RSA key: 54:d2:06:cf:85:ec:89:96:3c:a8:73:c7:a1:30:c2:8b
Jan  7 22:46:17 host.lan sshd[5998]: Found matching RSA key: 54:d2:06:cf:85:ec:89:96:3c:a8:73:c7:a1:30:c2:8b
Jan  7 22:46:17 host.lan sshd[5998]: Accepted publickey for user from 192.168.254.187 port 57062 ssh2

    It should be fairly straight forward to match the key fingerprint to the key and do what you want.

    • 8