Which SSH key was used for logging in to a machine?


Hello,

When an SSH public-key authentication is successful, the file /var/log/secure shows entries similar to this one:

Jun 13 15:31:09 hostname sshd[22293]: Accepted publickey for root from X.X.X.X port 55943 ssh2: RSA cd:33:39:38:f7:e3:49:b1:a6:3f:8d:8f:cc:69:d7:c3

I'd like to know which public key was used for the login. Is there any way to connect the RSA fingerprint/hash to the corresponding SSH public key?

Thanks in advance for your help.

Best regards,
Joerg K.

Responses

And hello again,

I have found a solution that works for me.

The SSH keys of our organisational unit are stored in the same directory. I wrote a short bash script to generate the RSA fingerprint of each key and compare it to the fingerprint found in /var/log/secure. If there is a match, the script prints the matching key to standard output.

Here is the script (description and output originally in German, translated here):

#!/bin/bash
# Description:
# This script matches a key fingerprint taken from the log /var/log/secure
# against the existing SSH public keys (*.pub) in the current directory.
# On a match the corresponding key is printed.
#
# The fingerprint is passed to the script as its argument. Older OpenSSH
# (as in the log line above) logs a colon-separated MD5 fingerprint; OpenSSH
# 6.8 and later log "SHA256:..." by default. Both forms are accepted, and a
# leading "MD5:" (as printed by ssh-keygen -E md5) is stripped before comparing.
#
# Author: Joerg Kastning <joerg.kastning(aet)uni-bielefeld(punkt)de>

# Main part #######################################################
fprint="${1#MD5:}"
if [[ -z "$fprint" ]]; then
  echo "usage: $0 <fingerprint-from-/var/log/secure>" >&2
  exit 2
fi
printf 'Fingerprint:\n%s\n\n' "$fprint"

for key in *.pub; do
  [[ -e "$key" ]] || continue          # no *.pub files: the glob stays literal
  if [[ "$fprint" == SHA256:* ]]; then
    line=$(/usr/bin/ssh-keygen -lf "$key")
  else
    # -E md5 exists from OpenSSH 6.8 on; older versions print MD5 anyway,
    # so fall back to the plain form when the option is rejected
    line=$(/usr/bin/ssh-keygen -E md5 -lf "$key" 2>/dev/null) \
      || line=$(/usr/bin/ssh-keygen -lf "$key")
  fi
  set -- $line                         # ssh-keygen -l output: BITS FINGERPRINT COMMENT (TYPE)
  keyfp="${2#MD5:}"
  if [[ "$fprint" == "$keyfp" ]]; then
    printf 'The corresponding SSH key is:\n%s\n' "$line"
    exit 0
  fi
done
printf 'No SSH key was found that matches the given fingerprint.\n'
exit 1

Regards, Joerg K.

Joerg, do any of the accounts you're checking use dsa ssh keys?

No, today we use rsa ssh keys only. But I think it should be possible to change the given script to work with dsa fingerprints as well.

I'm not sure but ssh-keygen -lf should be able to generate a dsa fingerprint as well, shouldn't it?

Joerg, another option (that I think is a bit heavy-handed) is to add this to your sshd_config file:

LogLevel VERBOSE

That being said, it is probably not a good idea to keep that persistently unless there's a compelling reason with mitigations for the output you'll receive as a consequence. I would be surprised if there is not a cleaner way to do this. The output of the DSA or RSA key that's found during ssh-key logins will then be put into /var/log/messages (I just tested it).

  • From another system, ssh with established ssh keys to the server whose sshd_config file you've configured, but first do a tail -f /var/log/messages /var/log/secure (as below) to watch the output as you test from the one system to the system on which you've edited the sshd_config file.
On the server where you have "LogLevel VERBOSE", run this command, and then from the other system ssh using the ssh keys:
tail -f /var/log/messages /var/log/secure

And then output such as this will appear (I tested on RHEL 6/7):

==> /var/log/messages <==
Jun 17 21:33:55 workstationx sshd[102911]: Connection from [ip address] port [theport]
Jun 17 21:33:55 workstationx sshd[102911]: Failed none for jimmyhoffa from [ip address] port [theport] ssh2
Jun 17 21:33:55 workstationx sshd[102911]: Found matching DSA key: [fingerprint] 

## and in rhel7
Jun 17 21:33:55 workstationx systemd: # New session [number] of user jimmyhoffa@example.com   
Jun 17 21:33:55 workstationx systemd: # Starting session [number] of user jimmyhoffa@example.com   
<output truncated>

==> /var/log/secure <==
## a log entry should appear here (it does for mine) noting it accepted a publickey for whatever user

ADDED: You can then have a perl script or something read the file, and match it against the list of ssh key fingerprints you have harvested. However, when I looked at my logs, it listed the user along with the fingerprint within a few lines of the output. There's a chance some people may keep their ssh keys in an atypical location.

ADDED MORE: Remember to restart the sshd daemon after editing the sshd_config file (if you go that route)

The last bit I mentioned will show the user, not just the fingerprint of the ssh key
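Joerg's script and the "have a perl script read the file" suggestion above both rest on the same step: for each deployed public key, derive the fingerprint that sshd writes into the log, then look the logged fingerprint up. The following is an added example for this thread, not Joerg's script and not part of OpenSSH, that does this in Python without shelling out to ssh-keygen. The only OpenSSH facts it relies on are the log line format quoted in the question and how the fingerprint is formed (MD5, shown as colon-separated hex, or SHA256, shown as unpadded base64, over the base64-decoded key blob). The key files, comments, IP addresses and log lines are constructed samples, and the truncated key blobs are not real keys.

```python
#!/usr/bin/env python3
"""Map sshd "Accepted publickey" log lines to the public keys that produced them.

Added example for this thread (not Joerg's script, not part of OpenSSH). It
recomputes the fingerprints ssh-keygen -l prints for each public key, a hash over
the base64-decoded key blob, and looks up the fingerprint field of each sshd log
line in that index. Both forms are handled: the colon-separated MD5 fingerprint
in the question's log line (OpenSSH before 6.8) and the "SHA256:..." form that
newer sshd versions log. Key files and log lines below are constructed samples.
"""
import base64
import hashlib
import re

# Shape of the sshd line quoted in the question (the SHA256 variant differs only in FP):
# "... sshd[PID]: Accepted publickey for USER from IP port PORT ssh2: TYPE FP"
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2: (?P<ktype>\S+) (?P<fp>\S+)"
)


def blob_fingerprints(blob):
    """Fingerprints of a raw key blob, formatted as OpenSSH prints them:
    MD5 as colon-separated hex, SHA256 as unpadded base64 with a "SHA256:" prefix."""
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_colon = ":".join(md5_hex[i:i + 2] for i in range(0, len(md5_hex), 2))
    sha_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return md5_colon, "SHA256:" + sha_b64.rstrip("=")


def pubkey_fingerprints(pubkey_line):
    """Fingerprints for one .pub / authorized_keys line ("TYPE BASE64 [COMMENT]").
    Blank, commented-out or malformed lines yield None instead of an exception."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0].startswith("#"):
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None
    return blob_fingerprints(blob)


def index_keys(keys):
    """keys: {name: pubkey_line} -> {fingerprint: name}, indexed under both
    fingerprint forms so either log style resolves to the same key."""
    index = {}
    for name, line in keys.items():
        fps = pubkey_fingerprints(line)
        if fps is None:
            continue
        for fp in fps:
            index[fp] = name
    return index


def correlate(log_lines, keys):
    """One dict per Accepted-publickey line: user, source IP, key type, the
    fingerprint as logged, and the key name it resolves to (None if unknown).
    An unknown fingerprint is the case worth alerting on: a key that logs in
    but is not in the deployed set."""
    index = index_keys(keys)
    results = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if not m:
            continue  # password logins, failures and non-sshd lines
        fp = m.group("fp")
        if fp.startswith("MD5:"):  # tolerate the ssh-keygen -E md5 style prefix
            fp = fp[len("MD5:"):]
        results.append({"user": m.group("user"), "ip": m.group("ip"),
                        "ktype": m.group("ktype"), "fp": fp, "key": index.get(fp)})
    return results


# Constructed sample keys: truncated ssh-rsa blobs, enough to fingerprint, not real keys.
KEYS = {
    "alice.pub": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 alice@example.org",
    "bob.pub": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDZ bob@example.org",
    "broken.pub": "ssh-rsa not*valid*base64 garbage@example.org",
}


def sample_log():
    """Constructed /var/log/secure lines in the format of the question: an
    MD5-style login, a SHA256-style login, a login with a key that was never
    deployed, and a password failure that must be ignored."""
    alice_md5, _ = pubkey_fingerprints(KEYS["alice.pub"])
    _, bob_sha = pubkey_fingerprints(KEYS["bob.pub"])
    return [
        f"Jun 13 15:31:09 host sshd[22293]: Accepted publickey for root from 192.0.2.10 port 55943 ssh2: RSA {alice_md5}",
        f"Jun 13 15:32:41 host sshd[22310]: Accepted publickey for deploy from 192.0.2.11 port 40100 ssh2: RSA {bob_sha}",
        "Jun 13 15:33:02 host sshd[22320]: Accepted publickey for root from 192.0.2.12 port 40120 ssh2: RSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "Jun 13 15:33:05 host sshd[22321]: Failed password for invalid user test from 192.0.2.13 port 40121 ssh2",
    ]


if __name__ == "__main__":
    for r in correlate(sample_log(), KEYS):
        print(f"{r['user']:8} {r['ip']:14} {r['ktype']:4} {r['fp']} -> {r['key'] or 'UNKNOWN KEY'}")
```

To use it on a real host, build the KEYS dictionary from the directory in which the deployed public keys live and feed it the lines of /var/log/secure; a login whose fingerprint resolves to None is the one to look at, since it was made with a key that is not in the deployed set. Indexing both fingerprint forms means the same key directory works for RHEL 6 style MD5 log lines and for newer SHA256 ones without re-running ssh-keygen with -E.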

Hi,

Thank you for your suggestions. You wrote that there is a chance some people may keep their ssh keys in an atypical location. In my environment they have to store their public keys in a defined location. Otherwise their keys would not be deployed to the target host.

I'd like to go without setting the loglevel to verbose. But thanks for your idea anyway.

Best regards, Joerg K.

Hi Joerg,

yes, as I mentioned, that method is heavy-handed and I'd only use it temporarily. It seems from your last reply that you have an ssh key deployment method of some sort (no need to define), so that probably averts someone using DSA keys. Your script only checked for RSA keys.

Kind Regards, R Hinton

Hi,

You are right. We have a deployment method and use rsa keys only.
