How To Find If A User Is Using Password-based Or Key-based SSH Authentication In Linux

By sk

Picture this scenario. You just configured SSH key-based authentication on your Linux server. Then you decided to disable password-based authentication completely and allow only key-based authentication for all users. Before disabling password authentication, you'd like to verify which users are still using passwords to access the server via SSH. How are you going to do that? Well, it is possible! This brief guide explains how to find if a user is using password-based or key-based SSH authentication in Linux.

Find if a user is using password-based or key-based SSH authentication

We can identify whether a user logged in to a Linux server via SSH using a password or an SSH key. It is not a 100% reliable and guaranteed method, but it is still a good approach.

First, check whether the ~/.ssh/authorized_keys file exists. In the SSH key-based authentication method, the SSH public key must be uploaded to the systems that you want to access via SSH. The public keys are usually stored in a file called ~/.ssh/authorized_keys on the remote systems. If this file exists, the user is probably using key-based authentication.

Next, check the authentication log files to verify which authentication method the user is currently using to access the remote system. The authentication method is logged in the "/var/log/secure" file on RPM-based systems (e.g. CentOS) and in the "/var/log/auth.log" file on DEB-based systems (e.g. Ubuntu).

Just look for the password entries in the authentication log files using the grep command or any other way you prefer.

$ grep 'password' /var/log/secure

Or,

$ grep 'password' /var/log/auth.log

Sample output:

[...]
May  8 10:40:36 ostechnix sshd[3303]: Accepted password for senthil from 192.168.225.37 port 41990 ssh2
May  8 10:40:56 ostechnix sshd[3405]: Accepted password for sk from 192.168.225.37 port 41992 ssh2

Did you notice the lines "Accepted password for ..." in the above output? They mean that the user is accessing the remote system using a password. As per the above output, the users "senthil" and "sk" are accessing the remote system using SSH password authentication.

If the user uses key-based authentication, you would probably see output like the following:

May 8 10:40:56 ostechnix sshd[3405]: Accepted publickey for sk from 192.168.225.37 port 41992 ssh2

Of course, this is a bit difficult if the log file is very long, with a large number of entries. In that case, use the "tail" command to view a particular number of log entries.

For example, the following command will only display the last 10 matching entries of the log file:

$ grep 'password' /var/log/auth.log | tail -n 10

Sample output:

May  8 10:21:49 ostechnix sshd[2135]: Accepted password for senthil from 192.168.225.37 port 41920 ssh2
May  8 10:21:57 ostechnix sshd[2222]: Accepted password for sk from 192.168.225.37 port 41922 ssh2
May  8 10:24:57 ostechnix sshd[2360]: Accepted password for senthil from 192.168.225.37 port 41924 ssh2
May  8 10:25:04 ostechnix sshd[2448]: Accepted password for sk from 192.168.225.37 port 41926 ssh2
May  8 10:29:40 ostechnix sshd[2663]: Accepted password for senthil from 192.168.225.37 port 41938 ssh2
May  8 10:29:55 ostechnix sshd[2765]: Accepted password for sk from 192.168.225.37 port 41940 ssh2
May  8 10:39:34 ostechnix sshd[3064]: Accepted password for senthil from 192.168.225.37 port 41986 ssh2
May  8 10:39:55 ostechnix sshd[3184]: Accepted password for sk from 192.168.225.37 port 41988 ssh2
May  8 10:40:36 ostechnix sshd[3303]: Accepted password for senthil from 192.168.225.37 port 41990 ssh2
May  8 10:40:56 ostechnix sshd[3405]: Accepted password for sk from 192.168.225.37 port 41992 ssh2

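You can also use the -f flag to follow the log as you test. For this, tail has to read the log file itself and pass new lines to grep, because tail cannot follow the output of a grep that has already read the file and exited.

$ tail -f -n 10 /var/log/auth.log | grep 'password'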

If you want to check the whole log file for "password" entries page by page, use the "less" command:

$ grep 'password' /var/log/auth.log | less

To find all logs related to sshd (successful or failed attempts), replace "password" with "sshd" in all of the above commands.

$ grep 'sshd' /var/log/auth.log | tail -n 10
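
To turn the grep output above into a per-user answer before disabling password authentication, the following added example (not part of the original article) counts successful logins by method for each user and ignores "Failed password" lines, which a plain grep for 'password' also matches. The function names and the sample log lines are constructed for illustration and follow the log format shown above.

```shell
#!/bin/sh
# Added example: per-user summary of accepted SSH authentication methods.

# summarize_auth: reads sshd log lines on stdin and prints, per user,
# "<user> password=<n> publickey=<n> <status>", sorted by user name.
summarize_auth() {
    awk '
    # Count successful logins only; failed attempts are skipped.
    /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
        # Locate "Accepted" so the timestamp layout does not matter.
        for (i = 1; i <= NF; i++) if ($i == "Accepted") break
        method = $(i + 1)   # "password" or "publickey"
        user = $(i + 3)     # field after the word "for"
        count[user, method]++
        users[user] = 1
    }
    END {
        for (u in users) {
            pw = count[u, "password"] + 0
            pk = count[u, "publickey"] + 0
            status = (pw > 0) ? "STILL_USES_PASSWORD" : "KEY_ONLY"
            printf "%s password=%d publickey=%d %s\n", u, pw, pk, status
        }
    }' | sort
}

# password_users: names of users with at least one accepted password login.
password_users() {
    summarize_auth | awk '$4 == "STILL_USES_PASSWORD" { print $1 }'
}

# Constructed sample input (not taken from a real server).
sample_log() {
cat <<'EOF'
May  8 10:39:34 ostechnix sshd[3064]: Accepted password for senthil from 192.168.225.37 port 41986 ssh2
May  8 10:39:55 ostechnix sshd[3184]: Accepted publickey for sk from 192.168.225.37 port 41988 ssh2
May  8 10:40:10 ostechnix sshd[3250]: Failed password for root from 192.168.225.37 port 41989 ssh2
May  8 10:40:36 ostechnix sshd[3303]: Accepted password for senthil from 192.168.225.37 port 41990 ssh2
May  8 10:40:56 ostechnix sshd[3405]: Accepted password for sk from 192.168.225.37 port 41992 ssh2
May  8 10:41:20 ostechnix sshd[3500]: Accepted publickey for alice from 192.168.225.37 port 41994 ssh2
EOF
}

sample_log | summarize_auth
```

On a real server, feed the function the log itself, for example `summarize_auth < /var/log/auth.log`. Rotated logs are not covered unless you pass them in as well, so a user who has not logged in recently will not appear.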

Hope this helps.
