Logging in to an SSH server as root is a no-no in many organizations because they want to be able to audit which "real" user actually accessed the server. So a typical scenario is a user connects with a private key to the SSH server and then uses sudo to do "root" stuff.
I believe the default for SSH server's configuration is to log things with a level of INFO, which creates the following entry in a system's log when I log in:
Accepted publickey for jpm from 10.0.12.1 port 50441 ssh2
Henk Jan Agteresch tells us to change the log-level to VERBOSE in order to record the fingerprint of the public key used for authentication. Indeed, if I change that setting to LogLevel VERBOSE, I see:
Connection from 10.0.12.1 port 50471
Found matching RSA key: 06:15:01:9b:ed:f3:ec:6b:12:14:12:13:ab:01:4c:8f
Found matching RSA key: 06:15:01:9b:ed:f3:ec:6b:12:14:12:13:ab:01:4c:8f
Accepted publickey for jpm from 10.0.12.1 port 50471 ssh2
(I'm assuming the duplicate entry is a bug.) Those fingerprints indeed match my key:
ssh-keygen -l
2048 06:15:01:9b:ed:f3:ec:6b:12:14:12:13:ab:01:4c:8f /home/jpm/.ssh/id_rsa.pub (RSA)
My key's fingerprint is also logged in the same way when I attempt to log in as "root".
If an administrator keeps a record of users' key fingerprints, (s)he can easily determine which user accessed the server. This record can be kept in any convenient database, or, if you use an LDAP directory server for user information, why not store the fingerprints in a multi-valued attribute type in the directory, allowing easy retrieval of user information from the key fingerprints? Just a thought.
Martin Schmitt has a utility which parses logfiles for key fingerprints and determines the username from users' authorized_keys files in their home directories (on the same machine).
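The attribution described in the last two paragraphs, as an added example (this is neither the post's nor Martin Schmitt's code): it computes the classic MD5 fingerprint of each key in a user's authorized_keys file, builds a fingerprint-to-user index, and pairs every VERBOSE-level "Found matching ... key" line with the "Accepted publickey" line that follows it, so that a login to "root" is traced back to the person whose key was used. The key blob, the authorized_keys text and the log lines are constructed inline for the demo; in real use the text would be read from each user's ~/.ssh/authorized_keys and the log lines from the auth log. The "jpm" account and the 10.0.12.x addresses are taken from the post.

```python
"""Map sshd VERBOSE-level key fingerprints back to the users who own the keys.

Assumptions (added example, not the post's code):
- sshd runs with LogLevel VERBOSE, so each accepted public-key login is preceded
  by a 'Found matching <type> key: <fingerprint>' line, as shown in the post;
- fingerprints are the classic colon-separated MD5 form (MD5 over the raw,
  base64-decoded key blob, which is what ssh-keygen -l computes);
- root's own authorized_keys is deliberately not indexed, since attributing
  root logins to a real person is the whole point.
"""
import base64
import hashlib
import re
import struct

FOUND_RE = re.compile(r"Found matching (\S+) key: ((?:[0-9a-f]{2}:){15}[0-9a-f]{2})")
ACCEPTED_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port (\d+)")


def md5_fingerprint(blob: bytes) -> str:
    """Classic OpenSSH fingerprint: MD5 of the key blob, bytes joined by colons."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_authorized_keys(text: str) -> list:
    """Return the MD5 fingerprint of every key line; options before the type are skipped."""
    fps = []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-")) and i + 1 < len(parts):
                try:
                    fps.append(md5_fingerprint(base64.b64decode(parts[i + 1])))
                except ValueError:  # binascii.Error is a ValueError: malformed base64
                    pass
                break
    return fps


def build_index(users: dict) -> dict:
    """users: login name -> authorized_keys text. Returns fingerprint -> owner(s)."""
    index = {}
    for user, text in users.items():
        for fp in parse_authorized_keys(text):
            if fp in index and index[fp] != user:
                # the same key authorised for two people: attribution is ambiguous
                index[fp] = index[fp] + "," + user
            else:
                index[fp] = user
    return index


def attribute_logins(log_lines, index: dict) -> list:
    """Pair each 'Accepted publickey' with the most recent preceding fingerprint.

    With LogLevel INFO there is no preceding fingerprint, so 'owner' is None.
    """
    results, last_fp = [], None
    for line in log_lines:
        m = FOUND_RE.search(line)
        if m:
            last_fp = m.group(2)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            results.append({"account": m.group(1), "src": m.group(2),
                            "fingerprint": last_fp, "owner": index.get(last_fp)})
            last_fp = None
    return results


# --- constructed demo data (not a real key, not real logs) -------------------
def _sshstring(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


def _mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")  # leading 0x00 if high bit set
    return struct.pack(">I", len(b)) + b


# ssh-rsa wire format: string "ssh-rsa", mpint e, mpint n (toy modulus, demo only)
DEMO_BLOB = _sshstring(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE1234567890ABCDEF)
DEMO_PUBKEY = "ssh-rsa " + base64.b64encode(DEMO_BLOB).decode() + " jpm@laptop"
DEMO_FP = md5_fingerprint(DEMO_BLOB)
DEMO_USERS = {"jpm": "# jpm's keys\n" + DEMO_PUBKEY + "\n"}
DEMO_LOG = [
    "Connection from 10.0.12.1 port 50471",
    f"Found matching RSA key: {DEMO_FP}",
    f"Found matching RSA key: {DEMO_FP}",  # the duplicate line seen in the post
    "Accepted publickey for jpm from 10.0.12.1 port 50471 ssh2",
    f"Found matching RSA key: {DEMO_FP}",
    "Accepted publickey for root from 10.0.12.1 port 50480 ssh2",
]

if __name__ == "__main__":
    for r in attribute_logins(DEMO_LOG, build_index(DEMO_USERS)):
        print(f"{r['account']:<6} from {r['src']:<10} key {r['fingerprint']} -> {r['owner']}")
```

Two things the code makes explicit that the post only implies: a login logged at INFO level has no fingerprint to pair with, so the owner comes back as None, and a key that appears in more than one person's authorized_keys cannot be attributed to a single person, which is worth surfacing rather than silently picking one.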