Logging in to an SSH server as root is a no-no in many organizations because they want to be able to audit which “real” user actually accessed the server. So a typical scenario is a user connects with a private key to the SSH server and then uses sudo to do “root” stuff.

I believe the default for SSH server’s configuration is to log things with a level of INFO, which creates the following entry in a system’s log when I log in:

Accepted publickey for jpm from port 50441 ssh2

Henk Jan Agteresch tells us to change the log-level to VERBOSE in order to record the fingerprint of the public key used for authentication. Indeed, if I change that setting in sshd_config to LogLevel VERBOSE, I see:

Connection from port 50471
Found matching RSA key: 06:15:01:9b:ed:f3:ec:6b:12:14:12:13:ab:01:4c:8f
Found matching RSA key: 06:15:01:9b:ed:f3:ec:6b:12:14:12:13:ab:01:4c:8f
Accepted publickey for jpm from port 50471 ssh2

Those fingerprints indeed match my key: (I’m assuming the duplicate entry is a bug.)

ssh-keygen -l
2048 06:15:01:9b:ed:f3:ec:6b:12:14:12:13:ab:01:4c:8f /home/jpm/.ssh/id_rsa.pub (RSA)

My key’s fingerprint is also logged thusly when I attemt to login as “root”.

If an administrator keeps a record of users’ key fingerprints (s)he can easily determine which user accessed the server. This record can be kept in any convenient database, or if you use and LDAP directory server for user information, why not store the fingerprints in a multi-valued attribute type in the directory, allowing easy retrieval of user information from the key fingerprints? Just a thought.

Martin Schmitt has a utility which parses logfiles for key fingerprints and determines the username from users’ authorized_keys files in their home directories (on the same machine).