Wednesday, 27 October 2010

Logging public key access in SSH daemon

I wanted to remove SSH password access and move to public key authentication. Some of the sys-ops log in with generic accounts like 'ops', so for security auditing we could either a) create a separate login account for each person, or b) let staff generate their own key pairs, protected by their own pass-phrases, and add each public key to the shared account's ~/.ssh/authorized_keys.

The only problem with option b) was that the auth log would report that 'ops' logged in at 12:00 but wouldn't identify which public key was used to authenticate.

The only way I found to fix this was to set LogLevel to DEBUG1 in /etc/ssh/sshd_config. (On OpenSSH the "Found matching ... key" line is emitted at VERBOSE, so that level should be enough; sshd_config(5) warns that logging at a DEBUG level violates the privacy of users and is not recommended, so prefer VERBOSE where it works.)

When you restart SSHD the auth-log will show something like:

Oct 27 09:40:17 myhost sshd[6164]: [ID 800047 auth.info] Failed none for ops from 192.168.1.4 port 1223 ssh2
Oct 27 09:40:17 myhost sshd[6164]: [ID 800047 auth.info] Found matching RSA key: ca:fe:ed:ca:fe:ed:ce:fe:ed:ca:fe:ed:ca:fe:ed:ec


This shows that the public key with MD5 fingerprint "ca:fe:ed:ca:fe:ed:ce:fe:ed:ca:fe:ed:ca:fe:ed:ec" was matched when the ops user authenticated. Note that sshd logs this line when it finds the key in authorized_keys, before the client's signature is verified (and it can appear twice, once for the client's key-probe and once for the signed attempt), so confirm the login actually succeeded by the "Accepted publickey for ops ..." line that the same sshd process (pid 6164 here) logs afterwards.

If you want to see whose key this is, run ssh-keygen -l on the user's authorized_keys file, e.g. for "ops" it would be:

ssh-keygen -l -f /home/ops/.ssh/authorized_keys

Match the fingerprint from the sshd log against the fingerprints in this output and the comment at the end of the matching line tells you who authenticated. Note: you must ensure a meaningful comment (e.g. the owner's name or e-mail address) is entered on each public key you add to the authorized_keys file, because that comment is the only thing tying a fingerprint to a person. Newer versions of ssh-keygen print SHA256 fingerprints by default; add -E md5 to get the colon-separated MD5 form shown in the log above.
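The matching step above is easy to automate. The following Python script is an added example, not part of the original post: it computes both the legacy MD5 and the modern SHA256 fingerprint of every key in an authorized_keys file, then walks sshd log lines and attributes each successful public-key login to the key's comment. It understands both the old two-line form shown above (fingerprint on a "Found matching ... key" line, username on the later "Accepted publickey" line from the same sshd pid) and the newer OpenSSH form where the fingerprint is on the "Accepted publickey" line itself. The key material, user names, IP addresses, comments and log lines are all constructed for the example; the RSA "keys" are arbitrary integers, not real keys, which is fine because a fingerprint is just a hash of the encoded public key blob.

```python
"""Attribute sshd public-key logins to authorized_keys comments.

Added example, not code from the original post. All keys, users, hosts,
addresses and log lines below are constructed for illustration.
"""
import base64
import hashlib
import re
import struct


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 if the top bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys line for an RSA public key (e, n).

    Hypothetical key: the moduli used below are arbitrary numbers, not real keys.
    The fingerprint depends only on the encoded blob, so that is enough here.
    """
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


# Key type, base64 blob, optional comment; any options before the key type are skipped.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def parse_authorized_keys(text: str):
    """Yield (blob, comment) for each key line; a missing comment is flagged explicitly."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue
        comment = (m.group(3) or "").strip() or "(no comment)"
        yield base64.b64decode(m.group(2)), comment


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-hex MD5 fingerprint, the form in 'Found matching RSA key:' lines."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Modern 'SHA256:<unpadded base64>' fingerprint, the ssh-keygen -l default."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")


def build_index(users_keys):
    """Map (user, fingerprint) -> comment for every key of every user, in both fingerprint forms."""
    index = {}
    for user, text in users_keys.items():
        for blob, comment in parse_authorized_keys(text):
            index[(user, fingerprint_md5(blob))] = comment
            index[(user, fingerprint_sha256(blob))] = comment
    return index


LOG_RE = re.compile(r"sshd\[(\d+)\]: (?:\[ID \d+ \S+\] )?(.*)$")   # pid + message (Solaris tag optional)
FOUND_RE = re.compile(r"Found matching \S+ key: (\S+)")
ACCEPTED_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2(?:: \S+ (\S+))?")


def attribute_logins(log_lines, index):
    """Return (user, source_ip, fingerprint, comment) for each successful public-key login.

    A 'Found matching' line only proves the key is in authorized_keys; the login is
    confirmed by the 'Accepted publickey' line from the same sshd pid, so fingerprints
    are held per pid until that line arrives.
    """
    pending = {}  # pid -> fingerprint seen on a 'Found matching' line
    result = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        f = FOUND_RE.search(msg)
        if f:
            pending[pid] = f.group(1)
            continue
        a = ACCEPTED_RE.search(msg)
        if not a:
            continue
        user, ip = a.group(1), a.group(2)
        fp = a.group(3) or pending.get(pid)
        pending.pop(pid, None)
        if fp is None:
            comment = "no fingerprint logged (raise LogLevel)"
        else:
            comment = index.get((user, fp), "UNKNOWN KEY - not in authorized_keys")
        result.append((user, ip, fp, comment))
    return result


# Constructed sample data: two hypothetical staff keys in the shared 'ops' account.
ALICE_KEY = make_rsa_pubkey_line(65537, 0xC0FFEE_DEADBEEF_1234567890ABCDEF, "alice@laptop")
BOB_KEY = make_rsa_pubkey_line(65537, 0xFEEDFACE_CAFEBABE_0BADF00D_00001234, "bob@workstation")
INDEX = build_index({"ops": ALICE_KEY + "\n" + BOB_KEY + "\n"})
ALICE_BLOB = next(parse_authorized_keys(ALICE_KEY))[0]
BOB_BLOB = next(parse_authorized_keys(BOB_KEY))[0]

# Constructed log lines in the two formats; the fingerprints are derived from the keys above.
SAMPLE_LOG = [
    "Oct 27 09:40:17 myhost sshd[6164]: [ID 800047 auth.info] Failed none for ops from 192.168.1.4 port 1223 ssh2",
    f"Oct 27 09:40:17 myhost sshd[6164]: [ID 800047 auth.info] Found matching RSA key: {fingerprint_md5(ALICE_BLOB)}",
    "Oct 27 09:40:17 myhost sshd[6164]: [ID 800047 auth.info] Accepted publickey for ops from 192.168.1.4 port 1223 ssh2",
    f"Oct 27 10:02:03 myhost sshd[6201]: Accepted publickey for ops from 192.168.1.9 port 50122 ssh2: RSA {fingerprint_sha256(BOB_BLOB)}",
    "Oct 27 10:15:44 myhost sshd[6250]: Accepted publickey for ops from 192.168.1.20 port 50200 ssh2: RSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
]

if __name__ == "__main__":
    for user, ip, fp, comment in attribute_logins(SAMPLE_LOG, INDEX):
        print(f"{user:<6} {ip:<14} {comment:<40} {fp}")
```

The third sample login is accepted by sshd but its fingerprint is not in the current authorized_keys file (a key removed after the fact, or a file edited outside change control), which is exactly the case an audit should flag rather than silently drop.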
