问题描述
在~/.ssh/authorized_keys中放了一堆公钥
那怎么知道某个用户登录时使用了哪个公钥呢?
解决办法
第一步、查看日志,找到密钥指纹
查看SSH的日志(两种方式皆可):
# journalctl -f -u ssh.service
# grep RSA /var/log/auth.log
# grep RSA /var/log/auth.log
在日志中你可以看到如下信息:
Accepted publickey for root from 1.2.3.4 port 5678 ssh2: RSA 73:ce:74:a3:13:8f:75:e6:f9:77:7b:17:8b:c5:b7:a2
后面的73:ce:74:a3:13:8f:75:e6:f9:77:7b:17:8b:c5:b7:a2就是指纹,公钥的指纹。
第二步、打印所有公钥的指纹
执行如下命令:
#!/bin/sh
p="$(mktemp)"
cat ~/.ssh/authorized_keys | \
while IFS="$(printf '\n')" read key
do
echo $key > $p
ssh-keygen -lf $p
done
rm -f $p
第三步、肉眼对比
差不多得了,用眼看看吧。实在不行就GREP过滤一下。
参考文献
Is it possible to get OpenSSH to log the public key that was used in authentication?
Can I find out which ssh key was used to access an account?
Log key fingerprints used to login via SSH