auth – Ryan Schulze

How to find the fingerprints of public keys in authorized_keys

August 15, 2012September 27, 2014Ryanauth, authorized_keys, bash, fingerprint, ssh, ssh keys

If you use keys for SSH authentication (and you should) then you have probably run into the situation that the auth.log shows that someone logged in, even which local user was used (e.g. root), but you have no idea which of the keys in ~/.ssh/autorized_keys was used. The first step you can do to see what is going on, is increasing the log level of the SSH daemon:

/etc/ssh/sshd_config

LogLevel VERBOSE

1	LogLevel VERBOSE

That will spit out the fingerprint of the SSH key used to log in. Example log entry for a successful login:

Aug 15 11:47:40 security sshd[1924]: Connection from 192.168.199.1 port 39648
Aug 15 11:47:41 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c
Aug 15 11:47:41 security sshd[1924]: Postponed publickey for root from 192.168.199.1 port 39648 ssh2 [preauth]
Aug 15 11:47:42 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c
Aug 15 11:47:42 security sshd[1924]: Accepted publickey for root from 192.168.199.1 port 39648 ssh2
Aug 15 11:47:42 security sshd[1924]: pam_unix(sshd:session): session opened for user root by (uid=0)

Aug 15 11:47:40 security sshd[1924]: Connection from 192.168.199.1 port 39648

Aug 15 11:47:41 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c

Aug 15 11:47:41 security sshd[1924]: Postponed publickey for root from 192.168.199.1 port 39648 ssh2 [preauth]

Aug 15 11:47:42 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c

Aug 15 11:47:42 security sshd[1924]: Accepted publickey for root from 192.168.199.1 port 39648 ssh2

Aug 15 11:47:42 security sshd[1924]: pam_unix(sshd:session): session opened for user root by (uid=0)

Now that we have the fingerprint of the ssh key used to login, we will need ssh-keygen to spit out the fingerprints of the public keys in ~/.ssh/authorized_keys to be able to compare them. So I wrote a little wrapper called ssh-fingerprint.sh around ssh-keygen to feed it all the public keys from authorized_keys (if you want you can even fit the whole while loop as a oneliner):

#!/bin/bash 
initialize() { #{{{
	# Treat unset variables as an error
	set -o nounset
	tempfile=$(mktemp)
	authorized_keys="${HOME}/.ssh/authorized_keys"
	trap cleanup TERM EXIT # clean up if script exits
} #}}}

cleanup() { #{{{
	rm -f ${tempfile}
	exit 0
} #}}}

#===============================================================================
# Main
#===============================================================================
initialize

if [ ! -e ${authorized_keys} ]
then
	echo -e "\nERROR: ${authorized_keys} file not found\n"
	exit 
fi

while read line
do 
	echo "${line}" &gt;  ${tempfile}
	ssh-keygen -l -f ${tempfile}
done &lt; ${authorized_keys}

#!/bin/bash

initialize() { #{{{

# Treat unset variables as an error

set -o nounset

tempfile=$(mktemp)

authorized_keys="${HOME}/.ssh/authorized_keys"

trap cleanup TERM EXIT # clean up if script exits

} #}}}

cleanup() { #{{{

rm -f ${tempfile}

exit 0

} #}}}

#===============================================================================

# Main

#===============================================================================

initialize

if [ ! -e ${authorized_keys} ]

then

echo -e "\nERROR: ${authorized_keys} file not found\n"

exit

while read line

echo "${line}" > ${tempfile}

ssh-keygen -l -f ${tempfile}

done < ${authorized_keys}