OpenSSH – Logging Public Key Used in Authentication

linux logging public-key ssh

I have a production system where several different people are allowed to log in to a single account – the account is for the application and not for the person as we don't have personal accounts on production servers.

For auditing purposes I want to be able to tell who logged in at what time, and as we use SSH keys to log in it seems logical to track that (as there is no other identifier to track).

When SSH authenticates a user, it logs the user name to the system's security log, but it does not log which of the authorized public keys was used in the login. Is it possible to get OpenSSH to also report which public key was used, or maybe just the comment associated with that key?

The operating system being used is CentOS 5.6, but I'd like to also hear if it's possible on other operating systems.

Best Answer

If you raise the LogLevel to VERBOSE in your configuration file (/etc/sshd/sshd_config or similar) it will log the fingerprint of the public key used to authenticate the user.

LogLevel VERBOSE

Then you get messages like this:

Jul 19 11:23:13 centos sshd[13431]: Connection from 192.168.1.104 port 63529
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:23:13 centos sshd[13432]: Postponed publickey for user from 192.168.1.104 port 63529 ssh2
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:23:13 centos sshd[13431]: Accepted publickey for user from 192.168.1.104 port 63529 ssh2

You can use:

 ssh-keygen -lf /path/to/public_key_file

to get the fingerprint of a particular public key.
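Putting the answer to use: the script below is an added example, not part of the original question or answer. It fingerprints every key in the shared account's authorized_keys the same way ssh-keygen -lf does, then reads sshd log lines and reports which key comment each accepted public-key login used. It handles the CentOS 5.6 format shown in the answer (MD5 fingerprint on a separate "Found matching ... key" line at LogLevel VERBOSE, paired with the "Accepted publickey" line through the sshd process id) and also the format of newer OpenSSH, which appends the key type and fingerprint to the Accepted line itself (SHA256 base64 from 6.8 on). The authorized_keys entries, key blobs, account name and log lines are all constructed for the example; the blobs are valid base64 but are not real keys, and certificate-based logins are not handled.

```python
import base64
import hashlib
import re

# Constructed example keys: valid base64, but not real RSA keys. A
# fingerprint is a hash of the decoded blob, so that is all we need.
ALICE_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0alicekey"
BOB_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0bobbykey"

# Constructed authorized_keys for the shared application account.
AUTHORIZED_KEYS = (
    "ssh-rsa %s alice@laptop\n"
    'from="10.0.0.0/8" ssh-rsa %s bob@desktop\n'
) % (ALICE_BLOB, BOB_BLOB)


def md5_fingerprint(blob_b64):
    """Colon-separated MD5 fingerprint: what OpenSSH before 6.8 logs and
    what 'ssh-keygen -lf' (later 'ssh-keygen -E md5 -lf') prints."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob_b64):
    """'SHA256:' plus unpadded base64 of the SHA-256 digest, the default
    fingerprint format of OpenSSH 6.8 and later."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# 'keytype blob [comment]', optionally preceded by options such as from="..."
KEY_RE = re.compile(r'(?:^|\s)((?:ssh-|ecdsa-|sk-)\S+) (\S+)(?: (.*))?$')


def load_authorized_keys(text):
    """Map both fingerprint forms of each key to the key's comment."""
    index = {}
    for line in text.splitlines():
        m = KEY_RE.search(line.strip())
        if not m or line.lstrip().startswith("#"):
            continue
        blob, comment = m.group(2), m.group(3) or "(no comment)"
        index[md5_fingerprint(blob)] = comment
        index[sha256_fingerprint(blob)] = comment
    return index


# OpenSSH < 6.8 at LogLevel VERBOSE: the fingerprint is on its own line and
# is tied to the later "Accepted" line only by the sshd process id.
FOUND_RE = re.compile(r'sshd\[(\d+)\]: Found matching \S+ key: (\S+)')
# "Accepted" line; newer OpenSSH appends ": <keytype> <fingerprint>".
# (Certificate logins use a longer suffix and are not handled here.)
ACCEPT_RE = re.compile(
    r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: '
    r'Accepted publickey for (\S+) from (\S+) port \d+ ssh2'
    r'(?:: \S+ (\S+))?')


def attribute_logins(log_text, index):
    """Return (timestamp, account, source, key comment) for every accepted
    public-key login, resolving the fingerprint through index."""
    last_fp = {}  # sshd pid -> last fingerprint that pid reported matching
    results = []
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            last_fp[m.group(1)] = m.group(2)
            continue
        m = ACCEPT_RE.search(line)
        if not m:
            continue
        ts, pid, account, source, inline_fp = m.groups()
        fp = inline_fp or last_fp.pop(pid, None)
        if fp is None:
            who = "(fingerprint not logged; is LogLevel VERBOSE?)"
        else:
            who = index.get(fp, "(unknown key %s)" % fp)
        results.append((ts, account, source, who))
    return results


# Constructed log lines: the first four mirror the CentOS 5.6 VERBOSE output
# from the answer (note the "Postponed" line comes from a different pid),
# the fifth is the newer single-line format, the last lacks a fingerprint.
SAMPLE_LOG = (
    "Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: %s\n"
    "Jul 19 11:23:13 centos sshd[13432]: Postponed publickey for appuser from 192.168.1.104 port 63529 ssh2\n"
    "Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: %s\n"
    "Jul 19 11:23:13 centos sshd[13431]: Accepted publickey for appuser from 192.168.1.104 port 63529 ssh2\n"
    "Jul 19 11:25:40 centos sshd[13500]: Accepted publickey for appuser from 10.1.2.3 port 40000 ssh2: RSA %s\n"
    "Jul 19 11:30:01 centos sshd[13600]: Accepted publickey for appuser from 10.9.9.9 port 41000 ssh2\n"
) % (md5_fingerprint(ALICE_BLOB), md5_fingerprint(ALICE_BLOB),
     sha256_fingerprint(BOB_BLOB))


def audit(log_text=SAMPLE_LOG, authorized_keys=AUTHORIZED_KEYS):
    return attribute_logins(log_text, load_authorized_keys(authorized_keys))


if __name__ == "__main__":
    for ts, account, source, who in audit():
        print("%s %s from %s used key: %s" % (ts, account, source, who))
```

To run it against real data, pass the contents of the security log and the account's authorized_keys to audit() (on CentOS that is /var/log/secure and ~/.ssh/authorized_keys of the application account; paths assumed). Two caveats: sshd reads sshd_config only at start or on reload, so the VERBOSE setting takes effect only after that; and on OpenSSH 6.8 or later ssh-keygen -lf prints SHA256 fingerprints by default, so use ssh-keygen -E md5 -lf to reproduce the colon-hex form found in older logs.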