Categories
Uncategorized

How to determine which key was used to login with OpenSSH

Determine which SSH key was used to perform key-based login using public key fingerprint.

Query systemd journal to check who logged into the system.

$ sudo journalctl  --unit ssh
-- Logs begin at Mon 2019-09-16 20:21:13 GMT, end at Mon 2019-09-16 22:05:38 GMT. --
Sep 16 20:21:14 buster systemd[1]: Starting OpenBSD Secure Shell server...
Sep 16 20:21:14 buster sshd[388]: Server listening on 0.0.0.0 port 22.
Sep 16 20:21:14 buster sshd[388]: Server listening on :: port 22.
Sep 16 20:21:14 buster systemd[1]: Started OpenBSD Secure Shell server.
Sep 16 20:22:10 buster sshd[408]: Accepted publickey for milosz from 10.0.2.2 port 38266 ssh2: RSA SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM
Sep 16 20:22:10 buster sshd[408]: pam_unix(sshd:session): session opened for user milosz by (uid=0)
Sep 16 20:40:13 buster sshd[447]: Accepted publickey for milosz from 10.0.2.2 port 38496 ssh2: RSA SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM
Sep 16 20:40:13 buster sshd[447]: pam_unix(sshd:session): session opened for user milosz by (uid=0)

The same information is stored in auth.log log file.

$ sudo cat /var/log/auth.log
[...]
Sep 16 20:21:14 buster sshd[388]: Server listening on 0.0.0.0 port 22.
Sep 16 20:21:14 buster sshd[388]: Server listening on :: port 22.
Sep 16 20:22:10 buster sshd[408]: Accepted publickey for milosz from 10.0.2.2 port 38266 ssh2: RSA SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM
Sep 16 20:22:10 buster sshd[408]: pam_unix(sshd:session): session opened for user milosz by (uid=0)
Sep 16 20:22:10 buster systemd-logind[338]: New session 1 of user milosz.
Sep 16 20:22:10 buster systemd: pam_unix(systemd-user:session): session opened for user milosz by (uid=0)
[...]
Sep 16 20:40:13 buster sshd[447]: Accepted publickey for milosz from 10.0.2.2 port 38496 ssh2: RSA SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM
Sep 16 20:40:13 buster sshd[447]: pam_unix(sshd:session): session opened for user milosz by (uid=0)
Sep 16 20:40:13 buster systemd-logind[338]: New session 3 of user milosz.
Sep 16 20:40:13 buster systemd: pam_unix(systemd-user:session): session opened for user milosz by (uid=0)
[...]

Inspect files containing public keys for public key authentication to match key used to to log into the system as specific user.

Inspect ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2 files for public keys.
$ ssh-keygen -l -f /home/milosz/.ssh/authorized_keys
2048 SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM no comment (RSA)
2048 SHA256:zhtfNzhPXnPlXqkBVfiNq1SDB4FY4zGPOsL7zamH8w4 milosz@milosz-XPS-13-9343 (RSA)

Use this method to identify which key was used to perform key-based login as this can help you to identify the person behind it.

Additional notes

Use this command to display public key fingerprints for your own keys.

$ ssh-keygen -l -f ~/.ssh/milosz_local.pub
2048 SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM no comment (RSA)