Created
March 21, 2023 15:45
Match SSH key fingerprints from auth.log with authorized_keys file
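#
# Get loglines from auth.log containing accepted SSH key hashes.
# Then match that hash with the keys in the users' authorized_keys file.
#
# Usage: <this script> [AUTH_LOG]   (AUTH_LOG defaults to /var/log/auth.log)
#
# Caveats:
# - Expects specific format of auth.log, only tested on Debian
#   (fields 1-3 = timestamp, field 9 = user, field 16 = key fingerprint)
# - Expects authorized_keys to be in .ssh/authorized_keys in user homefolder
# - Looks up the home folder with getent instead of eval: sshd writes
#   client-supplied strings into auth.log, so no field read from the log
#   may ever reach eval or be expanded unquoted
# - ssh-keygen -l prints SHA256 fingerprints by default; if the log holds
#   MD5 fingerprints, add "-E md5" to the ssh-keygen call
# - A key that was removed from authorized_keys after the login cannot be
#   matched; such logins are reported as "no matching key"
#

#######################################
# Print the home folder of an account, as recorded in the passwd database.
# Arguments: $1 - account name (passed to getent as data, never evaluated)
# Outputs:   home folder on stdout; nothing when the account is unknown
#######################################
home_dir_of() {
  getent passwd -- "$1" | cut -d: -f6
}

log_file=${1:-/var/log/auth.log}

awk '/Accepted publickey for/ { print $1, $2, $3, $9, $16 }' <"$log_file" |
  while read -r D1 D2 D3 U K; do
    # A line that did not yield both fields does not have the expected
    # layout; an empty fingerprint would otherwise match every key.
    if [ -z "$U" ] || [ -z "$K" ]; then
      continue
    fi

    home=$(home_dir_of "$U")
    keys_file="$home/.ssh/authorized_keys"
    if [ -z "$home" ] || [ ! -r "$keys_file" ]; then
      printf '%s %s %s %s (no readable authorized_keys for this user)\n' \
        "$D1" "$D2" "$D3" "$U"
      continue
    fi

    # -F: the fingerprint is a literal string, not a regular expression.
    matches=$(ssh-keygen -l -f "$keys_file" | grep -F -- "$K")
    printf '%s %s %s %s %s\n' "$D1" "$D2" "$D3" "$U" \
      "${matches:-(no matching key in $keys_file)}"
  done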