Determine which SSH key was used for a key-based login by using the public key fingerprint.
Query the systemd journal to check who logged into the system.
$ sudo journalctl --unit ssh
-- Logs begin at Mon 2019-09-16 20:21:13 GMT, end at Mon 2019-09-16 22:05:38 GMT. --
Sep 16 20:21:14 buster systemd[1]: Starting OpenBSD Secure Shell server...
Sep 16 20:21:14 buster sshd[388]: Server listening on 0.0.0.0 port 22.
Sep 16 20:21:14 buster sshd[388]: Server listening on :: port 22.
Sep 16 20:21:14 buster systemd[1]: Started OpenBSD Secure Shell server.
Sep 16 20:22:10 buster sshd[408]: Accepted publickey for milosz from 10.0.2.2 port 38266 ssh2: RSA SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM
Sep 16 20:22:10 buster sshd[408]: pam_unix(sshd:session): session opened for user milosz by (uid=0)
Sep 16 20:40:13 buster sshd[447]: Accepted publickey for milosz from 10.0.2.2 port 38496 ssh2: RSA SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM
Sep 16 20:40:13 buster sshd[447]: pam_unix(sshd:session): session opened for user milosz by (uid=0)
The same information is stored in the auth.log log file.
$ sudo cat /var/log/auth.log
[...]
Sep 16 20:21:14 buster sshd[388]: Server listening on 0.0.0.0 port 22.
Sep 16 20:21:14 buster sshd[388]: Server listening on :: port 22.
Sep 16 20:22:10 buster sshd[408]: Accepted publickey for milosz from 10.0.2.2 port 38266 ssh2: RSA SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM
Sep 16 20:22:10 buster sshd[408]: pam_unix(sshd:session): session opened for user milosz by (uid=0)
Sep 16 20:22:10 buster systemd-logind[338]: New session 1 of user milosz.
Sep 16 20:22:10 buster systemd: pam_unix(systemd-user:session): session opened for user milosz by (uid=0)
[...]
Sep 16 20:40:13 buster sshd[447]: Accepted publickey for milosz from 10.0.2.2 port 38496 ssh2: RSA SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM
Sep 16 20:40:13 buster sshd[447]: pam_unix(sshd:session): session opened for user milosz by (uid=0)
Sep 16 20:40:13 buster systemd-logind[338]: New session 3 of user milosz.
Sep 16 20:40:13 buster systemd: pam_unix(systemd-user:session): session opened for user milosz by (uid=0)
[...]
Inspect the files containing public keys for public key authentication to match the key used to log into the system as a specific user.
Inspect the ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2 files for public keys.
$ ssh-keygen -l -f /home/milosz/.ssh/authorized_keys
2048 SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM no comment (RSA)
2048 SHA256:zhtfNzhPXnPlXqkBVfiNq1SDB4FY4zGPOsL7zamH8w4 milosz@milosz-XPS-13-9343 (RSA)
Use this method to identify which key was used to perform key-based login as this can help you to identify the person behind it.
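The two steps above can be joined on the fingerprint so every login is labelled with the key it used. This is an added example, not part of the original article; the function names (sample_log, sample_keys, match_logins, demo) and file names are assumptions, and the last sample log line is constructed to show a login whose key is not in the inspected file.

```shell
#!/bin/sh
# Added example: label each "Accepted publickey" log entry with the matching
# authorized_keys entry, using the fingerprint as the join key.
# Real input (commands from the page):
#   sudo journalctl --unit ssh > logins.txt
#   ssh-keygen -l -f /home/milosz/.ssh/authorized_keys > keys.txt

# Sample log: first lines as shown on the page, last line constructed.
sample_log() { cat <<'EOF'
Sep 16 20:21:14 buster sshd[388]: Server listening on 0.0.0.0 port 22.
Sep 16 20:22:10 buster sshd[408]: Accepted publickey for milosz from 10.0.2.2 port 38266 ssh2: RSA SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM
Sep 16 20:22:10 buster sshd[408]: pam_unix(sshd:session): session opened for user milosz by (uid=0)
Sep 16 20:40:13 buster sshd[447]: Accepted publickey for milosz from 10.0.2.2 port 38496 ssh2: RSA SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM
Sep 16 21:02:47 buster sshd[512]: Accepted publickey for milosz from 10.0.2.2 port 38610 ssh2: RSA SHA256:EXAMPLEconstructedFingerprintNotInAuthorizedKeys
EOF
}

# Sample ssh-keygen -l output, as shown on the page.
sample_keys() { cat <<'EOF'
2048 SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM no comment (RSA)
2048 SHA256:zhtfNzhPXnPlXqkBVfiNq1SDB4FY4zGPOsL7zamH8w4 milosz@milosz-XPS-13-9343 (RSA)
EOF
}

# match_logins LOGFILE KEYSFILE
match_logins() {
  awk '
    FILENAME == ARGV[1] {            # ssh-keygen -l lines: bits fp comment (type)
      fp = $2
      $1 = $2 = ""; sub(/^ +/, "")   # keep "comment (type)", spaces included
      label[fp] = $0
      next
    }
    {
      for (i = 1; i < NF; i++)
        if ($i == "Accepted" && $(i + 1) == "publickey") {
          who = ($NF in label) ? label[$NF] : "NOT IN authorized_keys"
          printf "%s %s %s user=%s from=%s %s -> %s\n",
                 $1, $2, $3, $(i + 3), $(i + 5), $NF, who
          break
        }
    }
  ' "$2" "$1"
}

demo() {
  tmp=$(mktemp -d) || return 1
  sample_log > "$tmp/logins.txt"
  sample_keys > "$tmp/keys.txt"
  match_logins "$tmp/logins.txt" "$tmp/keys.txt"
  rm -rf "$tmp"
}
demo
```

A login reported as NOT IN authorized_keys means the key has since been removed from that file, or it is listed in another file such as ~/.ssh/authorized_keys2 or a path set with AuthorizedKeysFile in sshd_config.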
Additional notes
Use this command to display public key fingerprints for your own keys.
$ ssh-keygen -l -f ~/.ssh/milosz_local.pub
2048 SHA256:1/ohac0qEWmKNeNEzwLljzqoGtH3UalTywhhf5nQTlM no comment (RSA)