Re: Determining the key used to establish an SSH connection

From: smn (nospam@smnolde.com)
Date: 10/28/02


From: smn <nospam@smnolde.com>
Date: Mon, 28 Oct 2002 20:44:51 GMT

Jean wrote:
> How can we determine which key (from $HOME/.ssh/authorized_keys) has been
> used to establish a particular SSH connection?
> At connection time the syslog facility for SSH just seems to log the login
> name and the remote IP address.
>
> The purpose would be to detect the usage of the same key from different IP
> addresses at the same time (which we would want to prohibit at our site).
>
> OpenSSH version is:
> OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
>
> TIA

While DEBUG is too verbose, you can specify
    LogLevel VERBOSE
and you'll see the key as well as some other info.

Set up syslog.conf to catch this stuff to its own file:
!sshd
*.* /var/log/sshd.log

Then create the logfile
# touch /var/log/sshd.log

HUP syslogd
# kill -HUP `ps ax|grep syslogd|awk '{print $1}'`

Oct 28 15:38:05 gw sshd[11527]: Accepted publickey for scott from 192.168.10.7 port 1278 ssh2
Oct 28 15:38:15 gw sshd[11531]: Connection from 192.168.10.7 port 1279
Oct 28 15:38:15 gw sshd[11531]: Enabling compatibility mode for protocol 2.0
Oct 28 15:38:15 gw sshd[11531]: Failed none for scott from 192.168.10.7 port 1279 ssh2
Oct 28 15:38:15 gw sshd[11531]: Found matching DSA key: d4:66:c4:6a:6b:fb:d5:2a:d7:49:62:11:96:e0:c8:94
Oct 28 15:38:15 gw sshd[11531]: Found matching DSA key: d4:66:c4:6a:6b:fb:d5:2a:d7:49:62:11:96:e0:c8:94
Oct 28 15:38:15 gw sshd[11531]: Accepted publickey for scott from 192.168.10.7 port 1279 ssh2
Oct 28 15:38:31 gw sshd[11533]: Connection closed by remote host.
Oct 28 15:38:31 gw sshd[11533]: Closing connection to 192.168.10.7

- smn
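
Added example, not part of the post above: one way to turn the VERBOSE output into the check Jean asks for, by joining each "Found matching ... key" line to the "Accepted publickey" line of the same sshd PID and flagging a fingerprint that logs in from different addresses within a time window. The log contains no session-end line tied to the key, so the 10-minute window is an assumed stand-in for "at the same time"; the function names, the year argument and the sample lines other than the post's own fingerprint and 192.168.10.7 are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FP = "d4:66:c4:6a:6b:fb:d5:2a:d7:49:62:11:96:e0:c8:94"   # fingerprint from the post
FP2 = "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"  # constructed
# Constructed log in the post's format (unwrapped); PIDs 11602/11640,
# 192.168.10.99 and the login for user jean are made up for the example.
SAMPLE = f"""\
Oct 28 15:38:15 gw sshd[11531]: Connection from 192.168.10.7 port 1279
Oct 28 15:38:15 gw sshd[11531]: Found matching DSA key: {FP}
Oct 28 15:38:15 gw sshd[11531]: Accepted publickey for scott from 192.168.10.7 port 1279 ssh2
Oct 28 15:40:02 gw sshd[11602]: Found matching DSA key: {FP}
Oct 28 15:40:02 gw sshd[11602]: Accepted publickey for scott from 192.168.10.99 port 2044 ssh2
Oct 28 15:41:10 gw sshd[11640]: Found matching DSA key: {FP2}
Oct 28 15:41:10 gw sshd[11640]: Accepted publickey for jean from 192.168.10.7 port 1300 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (.*)$")
KEY = re.compile(r"Found matching \w+ key: ([0-9a-f:]+)")
ACCEPT = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+")

def parse_logins(text, year=2002):
    """Return (time, user, ip, fingerprint) per accepted publickey login.
    The key line and the Accepted line are joined on the sshd PID."""
    key_by_pid, logins = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        if k := KEY.search(msg):
            key_by_pid[pid] = k.group(1)
        elif (a := ACCEPT.search(msg)) and pid in key_by_pid:
            # syslog omits the year; the caller supplies it (assumption)
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            logins.append((ts, a.group(1), a.group(2), key_by_pid.pop(pid)))
    return logins

def shared_keys(logins, window=timedelta(minutes=10)):
    """Map fingerprint -> source IPs when one key logs in from different
    addresses within `window` (a stand-in for 'at the same time')."""
    by_key, flagged = defaultdict(list), {}
    for ts, _user, ip, fp in logins:
        by_key[fp].append((ts, ip))
    for fp, events in by_key.items():
        events.sort()
        hits = {frozenset((a, b)) for i, (t1, a) in enumerate(events)
                for t2, b in events[i + 1:] if a != b and t2 - t1 <= window}
        if hits:
            flagged[fp] = sorted(set().union(*hits))
    return flagged
```

An Accepted line with no preceding key line for its PID (such as the first line of the excerpt in the post) is skipped, because there is no fingerprint to attribute it to.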


