Tracking logins with sshd logs

Published on:

Instead of having everyone log in with separate user account, you could just have everyone use a different key pair. Then set LogLevel in /etc/ssh/sshd_config to VERBOSE. Logs will look like this.

Jun 24 22:43:42 localhost sshd[29779]: Found matching RSA key: d8:d5:f3:5a:7e:27:42:91:e6:a5:e6:9e:f9:fd:d3:ce
Jun 24 22:43:42 localhost sshd[29779]: Accepted publickey for caleb from 127.0.0.1 port 59630 ssh2

http://unix.stackexchange.com/questions/15575/can-i-find-out-which-ssh-key-was-used-to-access-an-account