SSH user public key info












2















I want to find out which SSH user started my script on a server via SSH, i.e. which public key was used for the user to log in.



SSH_CONNECTION environment variable gives me the client's IP address.



I would also like to know which public key from authorized_keys was used and its comment (usually email).



I am looking for a solution without fiddling with sshd and its logs, so that I would not need to set up the target servers. The only thing known for sure is that the script is run on Ubuntu servers. Also my user doesn't have sudo rights.










share|improve this question























  • As the user can't sudo, are they logging in as their OWN user? if so, then why not just look at the user whom started the process? If not, you need to look at the time the shell the user is logged into started, and align that with a login entry in the sshd log.

    – djsmiley2k
    Dec 17 '17 at 19:49











  • "I want to find out which SSH user started my script on a server via SSH, i.e. which public key was used for the user to log in." Are you saying that multiple people share a single SSH user account?

    – grawity
    Dec 17 '17 at 21:44











  • > Are you saying that multiple people share a single SSH user account? Yes

    – warvariuc
    Dec 18 '17 at 6:27
















2















I want to find out which SSH user started my script on a server via SSH, i.e. which public key was used for the user to log in.



SSH_CONNECTION environment variable gives me the client's IP address.



I would also like to know which public key from authorized_keys was used and its comment (usually email).



I am looking for a solution without fiddling with sshd and its logs, so that I would not need to set up the target servers. The only thing known for sure is that the script is run on Ubuntu servers. Also my user doesn't have sudo rights.










share|improve this question























  • As the user can't sudo, are they logging in as their OWN user? if so, then why not just look at the user whom started the process? If not, you need to look at the time the shell the user is logged into started, and align that with a login entry in the sshd log.

    – djsmiley2k
    Dec 17 '17 at 19:49











  • "I want to find out which SSH user started my script on a server via SSH, i.e. which public key was used for the user to log in." Are you saying that multiple people share a single SSH user account?

    – grawity
    Dec 17 '17 at 21:44











  • > Are you saying that multiple people share a single SSH user account? Yes

    – warvariuc
    Dec 18 '17 at 6:27














2












2








2


1






I want to find out which SSH user started my script on a server via SSH, i.e. which public key was used for the user to log in.



SSH_CONNECTION environment variable gives me the client's IP address.



I would also like to know which public key from authorized_keys was used and its comment (usually email).



I am looking for a solution without fiddling with sshd and its logs, so that I would not need to set up the target servers. The only thing known for sure is that the script is run on Ubuntu servers. Also my user doesn't have sudo rights.










share|improve this question














I want to find out which SSH user started my script on a server via SSH, i.e. which public key was used for the user to log in.



SSH_CONNECTION environment variable gives me the client's IP address.



I would also like to know which public key from authorized_keys was used and its comment (usually email).



I am looking for a solution without fiddling with sshd and its logs, so that I would not need to set up the target servers. The only thing known for sure is that the script is run on Ubuntu servers. Also my user doesn't have sudo rights.







linux ubuntu ssh public-key






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Dec 17 '17 at 19:22









warvariucwarvariuc

815611




815611













  • As the user can't sudo, are they logging in as their OWN user? if so, then why not just look at the user whom started the process? If not, you need to look at the time the shell the user is logged into started, and align that with a login entry in the sshd log.

    – djsmiley2k
    Dec 17 '17 at 19:49











  • "I want to find out which SSH user started my script on a server via SSH, i.e. which public key was used for the user to log in." Are you saying that multiple people share a single SSH user account?

    – grawity
    Dec 17 '17 at 21:44











  • > Are you saying that multiple people share a single SSH user account? Yes

    – warvariuc
    Dec 18 '17 at 6:27



















  • As the user can't sudo, are they logging in as their OWN user? if so, then why not just look at the user whom started the process? If not, you need to look at the time the shell the user is logged into started, and align that with a login entry in the sshd log.

    – djsmiley2k
    Dec 17 '17 at 19:49











  • "I want to find out which SSH user started my script on a server via SSH, i.e. which public key was used for the user to log in." Are you saying that multiple people share a single SSH user account?

    – grawity
    Dec 17 '17 at 21:44











  • > Are you saying that multiple people share a single SSH user account? Yes

    – warvariuc
    Dec 18 '17 at 6:27

















As the user can't sudo, are they logging in as their OWN user? if so, then why not just look at the user whom started the process? If not, you need to look at the time the shell the user is logged into started, and align that with a login entry in the sshd log.

– djsmiley2k
Dec 17 '17 at 19:49





As the user can't sudo, are they logging in as their OWN user? if so, then why not just look at the user whom started the process? If not, you need to look at the time the shell the user is logged into started, and align that with a login entry in the sshd log.

– djsmiley2k
Dec 17 '17 at 19:49













"I want to find out which SSH user started my script on a server via SSH, i.e. which public key was used for the user to log in." Are you saying that multiple people share a single SSH user account?

– grawity
Dec 17 '17 at 21:44





"I want to find out which SSH user started my script on a server via SSH, i.e. which public key was used for the user to log in." Are you saying that multiple people share a single SSH user account?

– grawity
Dec 17 '17 at 21:44













> Are you saying that multiple people share a single SSH user account? Yes

– warvariuc
Dec 18 '17 at 6:27





> Are you saying that multiple people share a single SSH user account? Yes

– warvariuc
Dec 18 '17 at 6:27










2 Answers
2






active

oldest

votes


















1














This information isn't available to you by default. But it can be achieved in a couple of different ways.



As unprivileged user



You can make use of some of the features available in the authorized_keys file format. The feature I think is most useful to you is environment.



At the beginning of each line of authorized_keys in front of the key itself you put a string like this:



environment="SSH_KEY=name"


Where you substitute a different value for name on each line. This will set an environment variable called SSH_KEY when that particular line of authorized_keys is used for authentication. The full set of features you can make use of can be found using man sshd.



As system administrator



Enable the ExposeAuthInfo setting in sshd_config and reload the daemon. Then sshd will write the information you are looking for to a temporary file. The path to this file can be found in the SSH_USER_AUTH environment variable.



More information about such settings can be found using man sshd_config.






share|improve this answer

































    1














    /var/log/auth.log will contain en entry like:



    Accepted publickey for <userid> from <IP address> port 57762 ssh2: RSA SHA256: <43 random characters>


    The "random characters" are the fingerprint of the public key used. You can tell the fingerprints of the keys in your local authorized_keys file using:



    ssh-keygen -lf /home/user/.ssh/authorized_keys


    which lists the fingerprint of each key together with the key's comment (which is usually an email..)






    share|improve this answer



















    • 1





      Unfortunately, non-admin users don't have access to that file.

      – warvariuc
      Dec 18 '17 at 6:28











    • This answer is just what I needed. I am surprised that I found it on Super User and not Server Fault.

      – kasperd
      Jan 30 at 13:26











    • @warvariuc You are right, this does not answer your question. It is still a very useful answer, just not for your particular question. What you are looking for is an environment variable containing the same string that was written to the log. I don't know if such an environment variable exists.

      – kasperd
      Jan 30 at 13:29











    • @warvariuc I checked a couple of Ubuntu 18.04 systems. And no such environment variable exists by default. There is however a ExposeAuthInfo setting which is disabled by default, but could be enabled to achieve this. However I just recalled that there is another way to achieve this which doesn't require changes to sshd_config. I have written an answer detailing both solutions.

      – kasperd
      Jan 30 at 13:57












    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1277942%2fssh-user-public-key-info%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    This information isn't available to you by default. But it can be achieved in a couple of different ways.



    As unprivileged user



    You can make use of some of the features available in the authorized_keys file format. The feature I think is most useful to you is environment.



    At the beginning of each line of authorized_keys in front of the key itself you put a string like this:



    environment="SSH_KEY=name"


    Where you substitute a different value for name on each line. This will set an environment variable called SSH_KEY when that particular line of authorized_keys is used for authentication. The full set of features you can make use of can be found using man sshd.



    As system administrator



    Enable the ExposeAuthInfo setting in sshd_config and reload the daemon. Then sshd will write the information you are looking for to a temporary file. The path to this file can be found in the SSH_USER_AUTH environment variable.



    More information about such settings can be found using man sshd_config.






    share|improve this answer






























      1














      This information isn't available to you by default. But it can be achieved in a couple of different ways.



      As unprivileged user



      You can make use of some of the features available in the authorized_keys file format. The feature I think is most useful to you is environment.



      At the beginning of each line of authorized_keys in front of the key itself you put a string like this:



      environment="SSH_KEY=name"


      Where you substitute a different value for name on each line. This will set an environment variable called SSH_KEY when that particular line of authorized_keys is used for authentication. The full set of features you can make use of can be found using man sshd.



      As system administrator



      Enable the ExposeAuthInfo setting in sshd_config and reload the daemon. Then sshd will write the information you are looking for to a temporary file. The path to this file can be found in the SSH_USER_AUTH environment variable.



      More information about such settings can be found using man sshd_config.






      share|improve this answer




























        1












        1








        1







        This information isn't available to you by default. But it can be achieved in a couple of different ways.



        As unprivileged user



        You can make use of some of the features available in the authorized_keys file format. The feature I think is most useful to you is environment.



        At the beginning of each line of authorized_keys in front of the key itself you put a string like this:



        environment="SSH_KEY=name"


        Where you substitute a different value for name on each line. This will set an environment variable called SSH_KEY when that particular line of authorized_keys is used for authentication. The full set of features you can make use of can be found using man sshd.



        As system administrator



        Enable the ExposeAuthInfo setting in sshd_config and reload the daemon. Then sshd will write the information you are looking for to a temporary file. The path to this file can be found in the SSH_USER_AUTH environment variable.



        More information about such settings can be found using man sshd_config.






        share|improve this answer















        This information isn't available to you by default. But it can be achieved in a couple of different ways.



        As unprivileged user



        You can make use of some of the features available in the authorized_keys file format. The feature I think is most useful to you is environment.



        At the beginning of each line of authorized_keys in front of the key itself you put a string like this:



        environment="SSH_KEY=name"


        Where you substitute a different value for name on each line. This will set an environment variable called SSH_KEY when that particular line of authorized_keys is used for authentication. The full set of features you can make use of can be found using man sshd.



        As system administrator



        Enable the ExposeAuthInfo setting in sshd_config and reload the daemon. Then sshd will write the information you are looking for to a temporary file. The path to this file can be found in the SSH_USER_AUTH environment variable.



        More information about such settings can be found using man sshd_config.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Jan 30 at 13:55

























        answered Jan 30 at 13:39









        kasperdkasperd

        2,64111126




        2,64111126

























            1














            /var/log/auth.log will contain en entry like:



            Accepted publickey for <userid> from <IP address> port 57762 ssh2: RSA SHA256: <43 random characters>


            The "random characters" are the fingerprint of the public key used. You can tell the fingerprints of the keys in your local authorized_keys file using:



            ssh-keygen -lf /home/user/.ssh/authorized_keys


            which lists the fingerprint of each key together with the key's comment (which is usually an email..)






            share|improve this answer



















            • 1





              Unfortunately, non-admin users don't have access to that file.

              – warvariuc
              Dec 18 '17 at 6:28











            • This answer is just what I needed. I am surprised that I found it on Super User and not Server Fault.

              – kasperd
              Jan 30 at 13:26











            • @warvariuc You are right, this does not answer your question. It is still a very useful answer, just not for your particular question. What you are looking for is an environment variable containing the same string that was written to the log. I don't know if such an environment variable exists.

              – kasperd
              Jan 30 at 13:29











            • @warvariuc I checked a couple of Ubuntu 18.04 systems. And no such environment variable exists by default. There is however a ExposeAuthInfo setting which is disabled by default, but could be enabled to achieve this. However I just recalled that there is another way to achieve this which doesn't require changes to sshd_config. I have written an answer detailing both solutions.

              – kasperd
              Jan 30 at 13:57
















            1














            /var/log/auth.log will contain en entry like:



            Accepted publickey for <userid> from <IP address> port 57762 ssh2: RSA SHA256: <43 random characters>


            The "random characters" are the fingerprint of the public key used. You can tell the fingerprints of the keys in your local authorized_keys file using:



            ssh-keygen -lf /home/user/.ssh/authorized_keys


            which lists the fingerprint of each key together with the key's comment (which is usually an email..)






            share|improve this answer



















            • 1





              Unfortunately, non-admin users don't have access to that file.

              – warvariuc
              Dec 18 '17 at 6:28











            • This answer is just what I needed. I am surprised that I found it on Super User and not Server Fault.

              – kasperd
              Jan 30 at 13:26











            • @warvariuc You are right, this does not answer your question. It is still a very useful answer, just not for your particular question. What you are looking for is an environment variable containing the same string that was written to the log. I don't know if such an environment variable exists.

              – kasperd
              Jan 30 at 13:29











            • @warvariuc I checked a couple of Ubuntu 18.04 systems. And no such environment variable exists by default. There is however a ExposeAuthInfo setting which is disabled by default, but could be enabled to achieve this. However I just recalled that there is another way to achieve this which doesn't require changes to sshd_config. I have written an answer detailing both solutions.

              – kasperd
              Jan 30 at 13:57














            1












            1








            1







            /var/log/auth.log will contain en entry like:



            Accepted publickey for <userid> from <IP address> port 57762 ssh2: RSA SHA256: <43 random characters>


            The "random characters" are the fingerprint of the public key used. You can tell the fingerprints of the keys in your local authorized_keys file using:



            ssh-keygen -lf /home/user/.ssh/authorized_keys


            which lists the fingerprint of each key together with the key's comment (which is usually an email..)






            share|improve this answer













            /var/log/auth.log will contain en entry like:



            Accepted publickey for <userid> from <IP address> port 57762 ssh2: RSA SHA256: <43 random characters>


            The "random characters" are the fingerprint of the public key used. You can tell the fingerprints of the keys in your local authorized_keys file using:



            ssh-keygen -lf /home/user/.ssh/authorized_keys


            which lists the fingerprint of each key together with the key's comment (which is usually an email..)







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Dec 17 '17 at 21:06









            xenoidxenoid

            3,9573719




            3,9573719








            • 1





              Unfortunately, non-admin users don't have access to that file.

              – warvariuc
              Dec 18 '17 at 6:28











            • This answer is just what I needed. I am surprised that I found it on Super User and not Server Fault.

              – kasperd
              Jan 30 at 13:26











            • @warvariuc You are right, this does not answer your question. It is still a very useful answer, just not for your particular question. What you are looking for is an environment variable containing the same string that was written to the log. I don't know if such an environment variable exists.

              – kasperd
              Jan 30 at 13:29











            • @warvariuc I checked a couple of Ubuntu 18.04 systems. And no such environment variable exists by default. There is however a ExposeAuthInfo setting which is disabled by default, but could be enabled to achieve this. However I just recalled that there is another way to achieve this which doesn't require changes to sshd_config. I have written an answer detailing both solutions.

              – kasperd
              Jan 30 at 13:57














            • 1





              Unfortunately, non-admin users don't have access to that file.

              – warvariuc
              Dec 18 '17 at 6:28











            • This answer is just what I needed. I am surprised that I found it on Super User and not Server Fault.

              – kasperd
              Jan 30 at 13:26











            • @warvariuc You are right, this does not answer your question. It is still a very useful answer, just not for your particular question. What you are looking for is an environment variable containing the same string that was written to the log. I don't know if such an environment variable exists.

              – kasperd
              Jan 30 at 13:29











            • @warvariuc I checked a couple of Ubuntu 18.04 systems. And no such environment variable exists by default. There is however a ExposeAuthInfo setting which is disabled by default, but could be enabled to achieve this. However I just recalled that there is another way to achieve this which doesn't require changes to sshd_config. I have written an answer detailing both solutions.

              – kasperd
              Jan 30 at 13:57








            1




            1





            Unfortunately, non-admin users don't have access to that file.

            – warvariuc
            Dec 18 '17 at 6:28





            Unfortunately, non-admin users don't have access to that file.

            – warvariuc
            Dec 18 '17 at 6:28













            This answer is just what I needed. I am surprised that I found it on Super User and not Server Fault.

            – kasperd
            Jan 30 at 13:26





            This answer is just what I needed. I am surprised that I found it on Super User and not Server Fault.

            – kasperd
            Jan 30 at 13:26













            @warvariuc You are right, this does not answer your question. It is still a very useful answer, just not for your particular question. What you are looking for is an environment variable containing the same string that was written to the log. I don't know if such an environment variable exists.

            – kasperd
            Jan 30 at 13:29





            @warvariuc You are right, this does not answer your question. It is still a very useful answer, just not for your particular question. What you are looking for is an environment variable containing the same string that was written to the log. I don't know if such an environment variable exists.

            – kasperd
            Jan 30 at 13:29













            @warvariuc I checked a couple of Ubuntu 18.04 systems. And no such environment variable exists by default. There is however a ExposeAuthInfo setting which is disabled by default, but could be enabled to achieve this. However I just recalled that there is another way to achieve this which doesn't require changes to sshd_config. I have written an answer detailing both solutions.

            – kasperd
            Jan 30 at 13:57





            @warvariuc I checked a couple of Ubuntu 18.04 systems. And no such environment variable exists by default. There is however a ExposeAuthInfo setting which is disabled by default, but could be enabled to achieve this. However I just recalled that there is another way to achieve this which doesn't require changes to sshd_config. I have written an answer detailing both solutions.

            – kasperd
            Jan 30 at 13:57


















            draft saved

            draft discarded




















































            Thanks for contributing an answer to Super User!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1277942%2fssh-user-public-key-info%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Plaza Victoria

            Puebla de Zaragoza

            Musa