I'm trying to track the last time a user logged into a Linux server with a certain key. So user secure has 5 keys in ~/.ssh/authorized_keys, how can I track when each key was used and what IP was used to access the server?
Ideally I would be able to see that Key 1 was last used 5 days ago from 127.0.0.1, Key 2 was used 10 mins ago from 10.0.0.5, Key 3 and 4 were never used, Key 5 was used 2 weeks ago from 8.8.8.8.
You need to increase the LogLevel in /etc/ssh/sshd_config to VERBOSE and restart sshd. This will cause sshd to log the fingerprint of the key being used to whichever log file your sshd is configured to use e.g.
Jan 7 22:46:17 host.lan sshd[5998]: Connection from 192.168.254.187 port 57062
Jan 7 22:46:17 host.lan sshd[5998]: Found matching RSA key: 54:d2:06:cf:85:ec:89:96:3c:a8:73:c7:a1:30:c2:8b
Jan 7 22:46:17 host.lan sshd[5998]: Found matching RSA key: 54:d2:06:cf:85:ec:89:96:3c:a8:73:c7:a1:30:c2:8b
Jan 7 22:46:17 host.lan sshd[5998]: Accepted publickey for user from 192.168.254.187 port 57062 ssh2
It should be fairly straight forward to match the key fingerprint to the key and do what you want.
