Last active
February 13, 2017 17:33
Gets recent RSA key signatures from /var/log/auth.log and matches them to RSA key comments. If the comments contain the user's identity, you can see who has recently logged in via SSH using RSA for authentication.
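```ruby
#!/usr/bin/env ruby

# Map each key fingerprint in authorized_keys to that key's comment.
user_key_pairs = {}
File.foreach(File.join(ENV['HOME'], '.ssh', 'authorized_keys')) do |public_key|
  next if public_key.start_with?('#')
  comment = public_key.split(' ')[2]
  next if comment.nil? # blank line or key without a comment
  # Write the key to its own file so ssh-keygen can fingerprint it.
  # File.basename keeps a comment containing '/' from escaping the current directory.
  file_name = File.basename(comment) + '.pub_key'
  File.write(file_name, public_key)
  # Argument-array form: the comment-derived file name never reaches a shell.
  key_sig_user = IO.popen(['ssh-keygen', '-l', '-f', file_name], &:read)
  rsa_signature = key_sig_user.split(' ')[1]
  rsa_public_comment = key_sig_user.split(' ')[2]
  user_key_pairs[rsa_signature] = rsa_public_comment
  File.delete(file_name)
end

# Field 16 of an "Accepted publickey ... ssh2: RSA <fingerprint>" line is the fingerprint.
recent_logins = `sudo tail /var/log/auth.log -n 200 | grep RSA | awk '{print $16}'`
signatures = recent_logins.split("\n")
puts signatures.uniq.map { |signature| user_key_pairs[signature] }.join(', ')
```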
Will generate a file for each public key in the authorised keys file so it's best to run this from within a folder.
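
A variant that needs no temporary files or shell pipeline, added here as an example (not the gist author's code): it computes each key's fingerprint directly from the `authorized_keys` line and matches log lines with a regular expression instead of a fixed awk field, so it goes beyond the RSA-only case and also works when the log timestamp format shifts the field positions. It assumes OpenSSH's `SHA256:` fingerprint format in the log; the function names, sample keys and log lines are constructed for illustration.

```ruby
require 'base64'
require 'digest'

# Common public key type tokens (assumption: covers the keys in your file).
KEY_TYPES = /\A(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\z/
ACCEPTED = /Accepted publickey for (?<user>\S+) from (?<ip>\S+) port \d+ ssh2: \S+ (?<fp>SHA256:\S+)/

# Returns [fingerprint, comment] for one authorized_keys line, or nil.
# Fingerprint = "SHA256:" + unpadded Base64 of SHA-256 over the decoded key blob.
def parse_authorized_key(line)
  fields = line.strip.split(/\s+/)
  idx = fields.index { |f| f.match?(KEY_TYPES) } # skips a leading options field
  return nil if line.strip.start_with?('#') || idx.nil? || fields[idx + 1].nil?
  blob = Base64.strict_decode64(fields[idx + 1])
  fp = 'SHA256:' + Base64.strict_encode64(Digest::SHA256.digest(blob)).delete('=')
  comment = fields[(idx + 2)..-1].join(' ')
  [fp, comment.empty? ? '(no comment)' : comment]
rescue ArgumentError
  nil # key blob was not valid Base64
end

# Returns one hash per distinct accepted public key login found in log_lines.
def key_logins(log_lines, authorized_lines)
  known = authorized_lines.map { |l| parse_authorized_key(l) }.compact.to_h
  log_lines.map do |line|
    m = ACCEPTED.match(line)
    next unless m
    { user: m[:user], ip: m[:ip], key: known.fetch(m[:fp], 'UNKNOWN KEY') }
  end.compact.uniq
end

# Constructed sample input (the blobs are not real keys).
SAMPLE_KEYS = [
  "ssh-rsa #{Base64.strict_encode64('constructed blob one')} alice@laptop",
  "no-pty ssh-rsa #{Base64.strict_encode64('constructed blob two')} bob@desk"
].freeze
SAMPLE_FP = parse_authorized_key(SAMPLE_KEYS[0])[0]
SAMPLE_LOG = [
  "Feb 13 17:30:01 host sshd[1234]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2: RSA #{SAMPLE_FP}",
  "2017-02-13T17:31:09+00:00 host sshd[1250]: Accepted publickey for deploy from 192.0.2.11 port 50100 ssh2: RSA SHA256:#{'A' * 43}",
  'Feb 13 17:32:00 host sshd[1260]: Failed password for root from 192.0.2.12 port 4000 ssh2'
].freeze

puts key_logins(SAMPLE_LOG, SAMPLE_KEYS).inspect if __FILE__ == $PROGRAM_NAME
```

A login reported as `UNKNOWN KEY` means the fingerprint in the log matches no entry in the file that was read, for example a key that has since been removed or one authorized for a different account.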