Hi, I typically have logcheck send me anomalous logs. In the last week, all Debian 10 machines (I know, I know, upgrade needed) started logging this whenever I logged in from a particular other host by SSH:
2024-01-27T07:59:42.003881+00:00 t.example.com sshd[12319]: Postponed publickey for root from 2001:db8:1f1:f0c2::2 port 37032 ssh2 [preauth] 2024-01-27T07:59:42.017777+00:00 t.example.com sshd[12319]: Accepted publickey for root from 2001:db8:1f1:f0c2::2 port 37032 ssh2: RSA SHA256:iC8C78UYVJdr+bsqV1hbtBFuft6KHi0b8i308Zn0C9o 2024-01-27T07:59:42.020718+00:00 t.example.com sshd[12319]: pam_unix(sshd:session): session opened for user root by (uid=0) 2024-01-27T07:59:42.033599+00:00 t.example.com systemd-logind[1729]: New session 18604 of user root. (host names and IPv6 addresses are made up as not relevant here) As you can see, this login was successful. What I had not seen before was the line: 2024-01-27T07:59:42.003881+00:00 t.example.com sshd[12319]: Postponed publickey for root from 2001:db8:1f1:f0c2::2 port 37032 ssh2 [preauth] This only happens when I log in as root using a public key, i.e. ssh -i /path/to/pubkey r...@t.example.com (though in reality a script doing this, but I can replicate the same when doing it manually). The "postponed" line doesn't happen when I log in by key as my own user. What is actually happening there to cause that line to be logged then? Is it possibly something to do with my ssh-agent having another key that would allow that to work, but it waits to use the key specified on the ssh command line? I am not aware of any change made in the last week or two that would cause this to start happening, although I did reboot the client host (2001:db8:1f1:f0c2::2 here) in that time frame so possibly my ssh-agent environment has changed in some way. Thanks, ]Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting