How to Log Public Key Fingerprints in OpenSSH for Enhanced Auditing


In enterprise environments, it's common to have shared service accounts where multiple administrators authenticate using SSH keys. While OpenSSH logs successful authentication events, it doesn't natively record which specific public key was used from the authorized_keys file. This creates an audit trail gap when you need to identify individual users accessing a shared account.

The solution lies in OpenSSH's LogLevel directive. By modifying the sshd_config file, we can capture detailed key information:

# /etc/ssh/sshd_config
LogLevel VERBOSE

This configuration makes sshd log the public key fingerprint in auth.log/messages. Current OpenSSH releases already include the fingerprint in the Accepted line at the default INFO level; VERBOSE additionally records the "Found matching ... key" line for the authorized_keys match, which older releases needed to expose the fingerprint at all:

May 15 10:23:12 server sshd[12345]: Accepted publickey for appuser from 192.168.1.100 port 54321 ssh2: RSA SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789

For better readability, combine with custom logging in authorized_keys. A command= option replaces whatever the client asked to run, so the forced command has to log and then hand control to the original command (or a login shell when none was given), and the file it appends to must be writable by the account. The last field of each line is the free-form comment (there is no comment= keyword):

# ~/.ssh/authorized_keys
command="echo \"$(date '+%Y-%m-%d %H:%M:%S') jsmith@laptop ${SSH_ORIGINAL_COMMAND:-interactive}\" >> /var/log/ssh_key_audit.log; if [ -n \"$SSH_ORIGINAL_COMMAND\" ]; then exec \"$SHELL\" -c \"$SSH_ORIGINAL_COMMAND\"; else exec \"$SHELL\" -l; fi" ssh-rsa AAAAB3... jsmith@laptop
command="echo \"$(date '+%Y-%m-%d %H:%M:%S') mjones@workstation ${SSH_ORIGINAL_COMMAND:-interactive}\" >> /var/log/ssh_key_audit.log; if [ -n \"$SSH_ORIGINAL_COMMAND\" ]; then exec \"$SHELL\" -c \"$SSH_ORIGINAL_COMMAND\"; else exec \"$SHELL\" -l; fi" ssh-ed25519 BBBBCC... mjones@workstation

For distributed systems, consider these approaches:

  • Configure rsyslog to forward SSH logs to a central SIEM
  • Use auditd rules to record changes to the sshd configuration and writes to the auth log (these watch the files themselves; which key was used for a login still comes from sshd's own log entry):
# /etc/audit/rules.d/ssh.rules
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /var/log/auth.log -p wa -k ssh_auth

Here's a complete working configuration for CentOS/RHEL (where sshd logs to /var/log/secure):

# 1. Configure sshd (sshd honours the first LogLevel it reads, so replace any existing line rather than appending)
sed -E -i 's/^#?LogLevel .*/LogLevel VERBOSE/' /etc/ssh/sshd_config
grep -q '^LogLevel' /etc/ssh/sshd_config || echo "LogLevel VERBOSE" >> /etc/ssh/sshd_config

# 2. Create custom logging script. sshd does not export the key to the environment, so the
#    key's label is passed as $1 from authorized_keys; the log file must be writable by the account.
cat > /usr/local/bin/ssh_key_logger.sh <<'EOF'
#!/bin/bash
label="$1"
echo "$(date '+%F %T') user=$USER key=$label from=${SSH_CONNECTION%% *} cmd=${SSH_ORIGINAL_COMMAND:-interactive}" >> /var/log/ssh_key_audit.log
# Hand off to what the client asked for, or to a login shell when no command was given
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then exec "$SHELL" -c "$SSH_ORIGINAL_COMMAND"; else exec "$SHELL" -l; fi
EOF
chmod 755 /usr/local/bin/ssh_key_logger.sh

# 3. Modify authorized_keys: prefix each key line with the forced command, using the key's comment field as its label
sed -E -i 's/^(ssh-[a-z0-9-]+ [^ ]+ (.*))$/command="\/usr\/local\/bin\/ssh_key_logger.sh \2" \1/' ~/.ssh/authorized_keys

# 4. Restart services
systemctl restart sshd

In production environments where multiple administrators share a single system account (common in legacy systems or specific application contexts), traditional SSH logging falls short. The default OpenSSH configuration logs successful authentications but doesn't record which specific public key was used among several authorized_keys entries.

The solution lies in OpenSSH's LogLevel directive. Add this to your /etc/ssh/sshd_config:

LogLevel VERBOSE
# Or for more detail (the DEBUG levels log far more, violate user privacy and are not recommended on production hosts):
# LogLevel DEBUG

This will make sshd log key fingerprints in auth.log/secure. Restart sshd after making changes:

service sshd restart
# Or on systemd systems:
# systemctl restart sshd

With VERBOSE logging enabled, you'll see entries like:

Oct 10 14:23:12 server sshd[1234]: Accepted publickey for appuser from 192.168.1.100 port 54322 ssh2: RSA SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz1234567890

For more human-readable tracking, give each entry in your authorized_keys file an identifying comment. The comment is the free-form last field of the line; there is no comment= keyword:

ssh-rsa AAAAB3... admin_john_doe
ssh-rsa AAAAB4... dev_team_lead

Then, to write a custom log line for every login to the shared account, add a Match block to sshd_config. ForceCommand runs for all of that user's logins and cannot see which key authenticated, so it records the connection and the requested command, and the key is correlated from sshd's own VERBOSE entry; the log file must be writable by appuser:

Match User appuser
    ForceCommand sh -c 'echo "$(date "+%F %T") $SSH_CONNECTION ${SSH_ORIGINAL_COMMAND:-interactive}" >> /var/log/ssh_auth.log; if [ -n "$SSH_ORIGINAL_COMMAND" ]; then exec "$SHELL" -c "$SSH_ORIGINAL_COMMAND"; else exec "$SHELL" -l; fi'
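Both walkthroughs above come down to matching the SHA256 fingerprint in sshd's "Accepted publickey" line back to an entry in authorized_keys. The following Python script, added here as an example and not part of the original article, performs that correlation offline: it computes each key's fingerprint the same way ssh-keygen -lf does (SHA-256 of the decoded key blob, base64 without padding), tolerates a command= options prefix, and resolves a log line to the key's comment. The authorized_keys content and the key blobs are constructed for the demo and are not real keys.

```python
import base64
import hashlib
import re
import struct
from typing import Dict, Optional

# Matches the "Accepted publickey" line that sshd writes (fingerprint shown at INFO and VERBOSE)
ACCEPT_RE = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: \S+ (?P<fp>SHA256:[A-Za-z0-9+/]+)")
# Key type, base64 blob and optional comment; searched rather than anchored so an options prefix is skipped
KEY_RE = re.compile(r"(ssh-[a-z0-9-]+|ecdsa-sha2-nistp\d+|sk-\S+) ([A-Za-z0-9+/=]+)(?: (.*))?$")

def fingerprint(key_blob_b64: str) -> str:
    """SHA256 fingerprint of a base64 key blob, in the form ssh-keygen -lf and sshd print it."""
    digest = hashlib.sha256(base64.b64decode(key_blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_authorized_keys(text: str) -> Dict[str, str]:
    """Map fingerprint -> comment for every key line; blank lines and '#' lines are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.search(line)
        if line.startswith("#") or not m:
            continue
        table[fingerprint(m.group(2))] = m.group(3) or "<no comment>"
    return table

def resolve(log_line: str, table: Dict[str, str]) -> Optional[str]:
    """Return 'user <- comment (ip)' for an accepted-publickey line, or None if the key is unknown."""
    m = ACCEPT_RE.search(log_line)
    if not m or m.group("fp") not in table:
        return None
    return f"{m.group('user')} <- {table[m.group('fp')]} ({m.group('ip')})"

def demo_key_blob(seed: int) -> str:
    """Constructed ed25519-shaped blob in SSH wire format (not a real key): string 'ssh-ed25519', string of 32 bytes."""
    fake_pub = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + fake_pub
    return base64.b64encode(blob).decode()

# Constructed authorized_keys for a shared "appuser" account; the second entry carries a command= option
SAMPLE_AUTHORIZED_KEYS = (
    "# keys for the shared appuser account\n"
    f"ssh-ed25519 {demo_key_blob(1)} jsmith@laptop\n"
    f'command="/usr/local/bin/ssh_key_logger.sh mjones" ssh-ed25519 {demo_key_blob(2)} mjones@workstation\n'
)
```

Pointing load_authorized_keys at the real file and feeding resolve the lines from auth.log or /var/log/secure turns a shared-account login into a named administrator.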

For enterprise environments, consider these approaches:

  1. Configure syslog to forward auth.log to a central server
  2. Use auditd rules to track SSH key usage
  3. Implement a PAM module like pam_ssh_agent_auth for granular tracking

Remember that:

  • VERBOSE logging may increase log volume
  • Key comments shouldn't contain sensitive information
  • Regularly rotate and audit authorized_keys files