List:       debian-user
Subject:    Re: ssh key used for login
From:       <tomas () tuxteam ! de>
Date:       2020-08-07 19:02:23
Message-ID: 20200807190223.GA32198 () tuxteam ! de


On Fri, Aug 07, 2020 at 07:09:34PM +0200, Rainer Dorsch wrote:
> On Friday, 7 August 2020, 17:47:31 CEST, john doe wrote:
> > On 8/7/2020 5:07 PM, Rainer Dorsch wrote:
> > > Hi,
> > > 
> > > can anybody tell if there is a way to find out which ssh key (out of the
> > > ones listed in authorized keys) was used for login to the current session?
> > 
> > Try to increase the log verbosity to 'debug[1|2|3]'.
> > 
> 
> Thanks for the reply, but it seems my question was not precise enough.
> 
> I want to find it out in a script which runs on the server, e.g.
> 
> ssh server.domain myscript.sh
> 
> Is there a way to find out in myscript.sh which ssh key was used for login?
> 
> There are a number of ssh environment vars, but none of them contains the ssh 
> key (or even better the "user label" after the public key):
> 
> declare -x SHLVL="1" 
> declare -x SSH_CLIENT="192.168.7.203 56018 22" 
> declare -x SSH_CONNECTION="192.168.7.203 56018 192.168.7.1 22" 
> declare -x SSH_TTY="/dev/pts/2"

The ssh(1) man page says, in the section "ENVIRONMENT":

  SSH_USER_AUTH  Optionally set by sshd(8), this variable may contain
                 a pathname to a file that lists the authentication
                 methods successfully used when the session was established,
                 including any public keys that were used.

so you need to convince sshd to do that trick for you. In sshd_config, you have

  ExposeAuthInfo
          Writes a temporary file containing a list of authentication
          methods and public credentials (e.g. keys) used to authenticate
          the user.  The location of the file is exposed to the user
          session through the SSH_USER_AUTH environment variable.  The
          default is no.

So perhaps those are the bricks you need. Note that I haven't tried it out.

Cheers
 - t
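
An added example, not part of the original message and not tested by its author: one way a server-side script could turn the file named by SSH_USER_AUTH into the comment ("user label") from authorized_keys. It assumes `ExposeAuthInfo yes` in sshd_config and that the file holds lines of the form `publickey <keytype> <base64-blob>`; the function names `key_label` and `demo` and all key blobs and labels are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes sshd_config has "ExposeAuthInfo yes" and that the
# SSH_USER_AUTH file lists used keys as "publickey <keytype> <base64-blob>".

# key_label AUTH_INFO_FILE AUTHORIZED_KEYS_FILE   (hypothetical helper)
# Prints "<keytype> <comment>" for each key in the auth info file that is
# also present in authorized_keys; returns 1 if none is found.
key_label() {
    awk '
        # First file: remember the blob and type of every "publickey" line
        # (other methods such as "password" carry no key and are ignored).
        NR == FNR { if ($1 == "publickey" && NF >= 3) used[$3] = $2; next }
        # Second file: skip blank lines and comments.
        /^[ \t]*(#|$)/ { next }
        {
            # Options may precede the key type, so search for the blob field.
            for (i = 2; i <= NF; i++) {
                if (($i in used) && $(i - 1) == used[$i]) {
                    label = ""
                    for (j = i + 1; j <= NF; j++)
                        label = (label == "" ? $j : label " " $j)
                    print used[$i], (label == "" ? "(no comment)" : label)
                    found = 1
                }
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1" "$2"
}

# Offline run on constructed sample data (placeholder blobs, not real keys).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'publickey ssh-ed25519 AAAAC3ExampleBlobTwo' > "$d/auth"
    printf '%s\n' '# constructed authorized_keys' \
        'ssh-rsa AAAAB3ExampleBlobOne alice@laptop' \
        'command="/usr/local/bin/backup",no-pty ssh-ed25519 AAAAC3ExampleBlobTwo backup key' \
        > "$d/keys"
    key_label "$d/auth" "$d/keys"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# Inside a real session (e.g. "ssh server.domain myscript.sh"):
if [ -n "${SSH_USER_AUTH:-}" ] && [ -r "$SSH_USER_AUTH" ]; then
    key_label "$SSH_USER_AUTH" "$HOME/.ssh/authorized_keys" ||
        echo "login key not found in authorized_keys" >&2
fi
```

Matching on the full key blob rather than on the comment matters because comments in authorized_keys are free text and need not be unique.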
