Hi folks, good morning/afternoon/evening ;) I'll try to explain my doubt, but sorry for my English.
Can someone tell me if there is a way to make the SSHD log show me "which" key has been accepted when logged in as root? Example:

"May 31 15:15:17 lazlo sshd[12583]: Accepted publickey for root from 192.168.4.192 port 1835 ssh2"

But ... which key has been accepted? How can I audit something like this if I have more than a single key in authorized_keys for root?

More info about one of my boxes:

lazlo:~# cat /etc/debian_version
4.0
lazlo:~# uname -a
Linux lazlo 2.6.18-4-amd64 #1 SMP Mon Mar 26 11:36:53 CEST 2007 x86_64 GNU/Linux
lazlo:~# dpkg -l | grep ssh
ii openssh-client 4.3p2-9 Secure shell client, an rlogin/rsh/rcp repla
ii openssh-server 4.3p2-9 Secure shell server, an rshd replacement
lazlo:~# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-9
Connection closed by foreign host.
lazlo:~# grep -Ev '^$|^#' /etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
lazlo:~#

Best regards,
Flávio do Carmo Junior
