# ssh-keycheck

ssh-keycheck is a tool that gives you a quick overview of all authorized SSH keys on your server, together with their last use and usage count. This may be helpful for manual key expiration.

This tool does not attempt to change anything. All files are opened in read-only mode.
## Install

Download the latest package from the releases page.

```bash
tar xvf ssh-keycheck.tar.gz
sudo cp ssh-keycheck /usr/local/bin
# Add setuid flag to allow execution of ssh-keycheck without sudo
sudo chown root:root /usr/local/bin/ssh-keycheck
sudo chmod u+s /usr/local/bin/ssh-keycheck
```

Please inform yourself about setuid before setting it.
## Usage

```
~$ ssh-keycheck -help
Usage of ssh-keycheck:
  -csv
        Print table as CSV (RFC 4180) using RFC 3339 for dates
  -fingerprint-md5
        Show fingerprint (MD5) column
  -fingerprint-sha256
        Show fingerprint (SHA256) column
  -help
        Show help and exit
  -insecure
        List only insecure keys
  -secure
        List only secure keys
  -unused int
        List only keys more than x days not used
  -used int
        List only keys used in the last x days
  -user string
        List only keys with matching user name
  -version
        Show version and exit
```
```
~$ ssh-keycheck
USER  COMMENT           TYPE      SECURITY  LAST USE       COUNT  LAST IP
root  rsa-key-20170101  RSA-4096  ok        never          -      -
root  rsa-key-20170102  DSA       insecure  9 minutes ago  3      10.0.0.10
Found 2 keys from 1 user. 1 key is insecure.
```
## How it works

- Read all users from `/etc/passwd`
- Read the `~/.ssh/authorized_keys` file from each user's home directory
- Read all `/var/log/auth.log*` files and search for `Accepted publickey` lines
- Match public keys to logs
You may need to change your `/etc/ssh/sshd_config` in order to enable the required log messages:

```
LogLevel VERBOSE
```

The log files under `/var/log` require root rights.
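The matching step described above, as an added example that is not part of the ssh-keycheck code: it computes the OpenSSH SHA256 fingerprint of each `authorized_keys` entry and joins it against the `Accepted publickey` lines that sshd writes at `LogLevel VERBOSE`. The key blobs, log lines and the `ed25519Blob`/`SampleReport` helpers are constructed samples; it assumes modern sshd output (SHA256 fingerprints) and `authorized_keys` entries without an options prefix.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// KeyUsage is one report row: key type, fingerprint, logins seen in auth.log, last client IP.
type KeyUsage struct{ Type, Fingerprint, LastIP string; Count int }

// Fingerprint returns the OpenSSH SHA256 fingerprint of a base64 key blob (unpadded base64 of SHA-256 over the blob), the form sshd logs.
func Fingerprint(b64 string) string {
	blob, _ := base64.StdEncoding.DecodeString(b64) // a malformed entry simply gets a fingerprint nothing will match
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// acceptedRe matches sshd's "Accepted publickey" line (written with LogLevel VERBOSE): user, client IP, fingerprint.
var acceptedRe = regexp.MustCompile(`Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)`)

// MatchKeys joins one user's authorized_keys (entries without an options prefix) with auth.log lines by fingerprint.
func MatchKeys(user, authorizedKeys, authLog string) []*KeyUsage {
	keys, index := []*KeyUsage{}, map[string]*KeyUsage{} // index: fingerprint -> row
	for _, line := range strings.Split(authorizedKeys, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && !strings.HasPrefix(f[0], "#") {
			k := &KeyUsage{Type: f[0], Fingerprint: Fingerprint(f[1])}
			index[k.Fingerprint] = k
			keys = append(keys, k)
		}
	}
	for _, line := range strings.Split(authLog, "\n") {
		if m := acceptedRe.FindStringSubmatch(line); m != nil && m[1] == user && index[m[3]] != nil {
			index[m[3]].Count++
			index[m[3]].LastIP = m[2] // log lines are chronological, so the last hit wins
		}
	}
	return keys
}

// ed25519Blob wraps a dummy 32-byte key in a wire-format ssh-ed25519 blob (constructed sample, not a real key).
func ed25519Blob(fill string) string {
	return base64.StdEncoding.EncodeToString([]byte("\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + strings.Repeat(fill, 32)))
}

// SampleReport runs the matcher over constructed authorized_keys and auth.log content for user root.
func SampleReport() []*KeyUsage {
	k1, k2 := ed25519Blob("\x01"), ed25519Blob("\x02")
	authorized := "ssh-ed25519 " + k1 + " laptop\nssh-ed25519 " + k2 + " old-key\n"
	logs := "Jan  1 10:00:00 host sshd[1]: Accepted publickey for root from 10.0.0.10 port 4242 ssh2: ED25519 " + Fingerprint(k1) + "\n" +
		"Jan  1 10:05:00 host sshd[2]: Accepted publickey for root from 10.0.0.11 port 4243 ssh2: ED25519 " + Fingerprint(k1) + "\n"
	return MatchKeys("root", authorized, logs)
}

func main() { for _, k := range SampleReport() { fmt.Printf("%-12s %d %-10s %s\n", k.Type, k.Count, k.LastIP, k.Fingerprint) } }
```

The second key never appears in the log, so it is reported with a count of 0 and no client IP, which is exactly the case the `-unused` filter is meant to surface.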
## Build from source

Requires a recent Go version (only tested with Go >= 1.9).

```bash
go get github.com/syxolk/ssh-keycheck
```
## Security

The column `SECURITY` gives a hint whether the key algorithm is insecure or has become deprecated. The following algorithms are currently considered insecure: