Picture this scenario. You just configured SSH key-based authentication on your Linux server. Then you decided to disable password-based authentication completely and allow only key-based authentication for all users. Before disabling password authentication, you'd like to verify which users are still using passwords to access the server via SSH. How are you going to do that? Well, it is possible! This brief guide explains how to find out if a user is using password-based or key-based SSH authentication in Linux.
Find if a user is using password-based or key-based SSH authentication
We can identify whether a user logged in to a Linux server via SSH using a password or an SSH key. It is not a 100% reliable and guaranteed method, but it is still a good approach.
First, check if the ~/.ssh/authorized_keys file exists. In the SSH key-based authentication method, the SSH public key must be uploaded to the systems that you want to access via SSH. The public keys are usually stored in a file called ~/.ssh/authorized_keys on the remote systems. If this file exists, the user is probably using key-based authentication.
Next, check the authentication log files to verify which authentication method the user is currently using to access the remote system. The auth method is logged in the "/var/log/secure" file on RPM-based systems (e.g. CentOS) and in the "/var/log/auth.log" file on DEB-based systems (e.g. Ubuntu).
Just look for the password entries in the authentication log files using the grep command or any other way you prefer.
$ grep 'password' /var/log/secure
Or,
$ grep 'password' /var/log/auth.log
Sample output:
[...]
May 8 10:40:36 ostechnix sshd[3303]: Accepted password for senthil from 192.168.225.37 port 41990 ssh2
May 8 10:40:56 ostechnix sshd[3405]: Accepted password for sk from 192.168.225.37 port 41992 ssh2
Did you notice the lines "Accepted password for ..." in the above output? It means that the user is accessing the remote system using a password. As per the above output, the users "senthil" and "sk" are accessing the remote system using SSH password authentication.
If the user uses key-based authentication, you would probably see output like the following:
May 8 10:40:56 ostechnix sshd[3405]: Accepted publickey for sk from 192.168.225.37 port 41992 ssh2
Of course, this is a bit difficult if the log file is very long, with a large number of entries. In that case, use the "tail" command to view a particular number of log entries.
For example, the following command will only display the last 10 entries of the log file:
$ grep 'password' /var/log/auth.log | tail -n 10
Sample output:
May 8 10:21:49 ostechnix sshd[2135]: Accepted password for senthil from 192.168.225.37 port 41920 ssh2
May 8 10:21:57 ostechnix sshd[2222]: Accepted password for sk from 192.168.225.37 port 41922 ssh2
May 8 10:24:57 ostechnix sshd[2360]: Accepted password for senthil from 192.168.225.37 port 41924 ssh2
May 8 10:25:04 ostechnix sshd[2448]: Accepted password for sk from 192.168.225.37 port 41926 ssh2
May 8 10:29:40 ostechnix sshd[2663]: Accepted password for senthil from 192.168.225.37 port 41938 ssh2
May 8 10:29:55 ostechnix sshd[2765]: Accepted password for sk from 192.168.225.37 port 41940 ssh2
May 8 10:39:34 ostechnix sshd[3064]: Accepted password for senthil from 192.168.225.37 port 41986 ssh2
May 8 10:39:55 ostechnix sshd[3184]: Accepted password for sk from 192.168.225.37 port 41988 ssh2
May 8 10:40:36 ostechnix sshd[3303]: Accepted password for senthil from 192.168.225.37 port 41990 ssh2
May 8 10:40:56 ostechnix sshd[3405]: Accepted password for sk from 192.168.225.37 port 41992 ssh2
You can also use the -f flag to follow the log as you test.
$ tail -f -n 10 /var/log/auth.log | grep 'password'
If you want to check the whole log file for "password" entries page by page, use the "less" command:
$ grep 'password' /var/log/auth.log | less
To find all log entries related to sshd (successful or failed attempts), replace "password" with "sshd" in all of the above commands.
$ grep 'sshd' /var/log/auth.log | tail -n 10
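The grep above matches every line containing "password", including "Failed password" entries. As an added example (not part of the original guide), the shell functions below count only accepted sshd logins per user and method and list the users who still log in with a password; the function names and the sample log, including the user "alice" and the failed attempts, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.

# ssh_auth_summary [FILE...]: print "user method count" for each accepted
# sshd login. Reads stdin when no file is given.
ssh_auth_summary() {
    awk '
        # Only sshd success lines, such as:
        #   ... sshd[3405]: Accepted publickey for sk from 192.168.225.37 ...
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "Accepted" && $(i + 2) == "for") {
                    # key is "user method"
                    count[$(i + 3) " " $(i + 1)]++
                    break
                }
        }
        END { for (k in count) print k, count[k] }
    ' "$@" | LC_ALL=C sort
}

# password_users [FILE...]: users with at least one accepted password login.
password_users() {
    ssh_auth_summary "$@" | awk '$2 == "password" { print $1 }'
}

# Constructed sample log (hypothetical entries in the auth.log format above).
sample_log() {
    cat <<'EOF'
May  8 10:39:10 ostechnix sshd[3001]: Failed password for invalid user admin from 192.168.225.37 port 41980 ssh2
May  8 10:39:34 ostechnix sshd[3064]: Accepted password for senthil from 192.168.225.37 port 41986 ssh2
May  8 10:39:55 ostechnix sshd[3184]: Accepted password for sk from 192.168.225.37 port 41988 ssh2
May  8 10:40:12 ostechnix sshd[3250]: Failed password for root from 192.168.225.37 port 41989 ssh2
May  8 10:40:36 ostechnix sshd[3303]: Accepted password for senthil from 192.168.225.37 port 41990 ssh2
May  8 10:40:56 ostechnix sshd[3405]: Accepted publickey for sk from 192.168.225.37 port 41992 ssh2
May  8 10:41:20 ostechnix sshd[3500]: Accepted publickey for alice from 192.168.225.37 port 41994 ssh2
EOF
}

# Demo on the constructed log; on a real system pass /var/log/auth.log
# or /var/log/secure as the argument instead.
sample_log | ssh_auth_summary
echo "Users still logging in with a password:"
sample_log | password_users
```

A user who appears under both methods, like "sk" in the sample, still depends on password logins from at least one client.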
Hope this helps.