
Cybersecurity Triage

Read-only, sensitive output

Show Accepted SSH Logins

You need to find successful SSH public-key logins in an auth log.

Command

grep 'Accepted publickey' logs/auth.log

Before you run this

System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.

When not to use it: Do not assume password logins are absent unless you also search other Accepted patterns.

Expected output

Accepted public-key login lines including user and source IP.

System impact

Read-only, sensitive output. Nothing changes. The command filters successful public-key login lines.

Recovery / rollback: no state is changed.

When to use it

Use when building a quick access timeline or checking unexpected SSH access.



Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

demo@lab:~$

$ grep 'sshd' logs/auth.log

Jun 25 12:00:01 vps sshd[1001]: Failed password for invalid user admin from 203.0.113.44 port 51122 ssh2
Jun 25 12:00:03 vps sshd[1002]: Failed password for root from 203.0.113.44 port 51124 ssh2
Jun 25 12:01:10 vps sshd[1003]: Failed password for deploy from 198.51.100.77 port 41002 ssh2
Jun 25 12:02:44 vps sshd[1004]: Accepted publickey for alex from 198.51.100.20 port 50222 ssh2

$ grep 'Accepted publickey' logs/auth.log

Jun 25 12:02:44 vps sshd[1004]: Accepted publickey for alex from 198.51.100.20 port 50222 ssh2
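The caveat about other Accepted patterns, worked through as an added example that is not part of the original page: it matches any `Accepted <method>` message from sshd and then isolates the logins that `grep 'Accepted publickey'` would never show. The log lines, user names and the function names `accepted_logins` and `non_publickey_logins` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list every successful sshd
# login by method, user and source, so non-publickey logins are not missed.

# accepted_logins FILE -> "count method user source", most frequent first.
# Assumes sshd's usual message: Accepted <method> for <user> from <ip> ...
accepted_logins() {
    awk '
        {
            # Find the sshd program tag so classic and ISO timestamps both work.
            for (i = 1; i + 6 <= NF; i++) {
                if ($i !~ /^sshd(\[[0-9]+\])?:$/) continue
                if ($(i+1) == "Accepted" && $(i+3) == "for" && $(i+5) == "from")
                    seen[$(i+2) " " $(i+4) " " $(i+6)]++
                break   # only the first sshd tag on a line is considered
            }
        }
        END { for (k in seen) print seen[k], k }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# non_publickey_logins FILE -> the subset grep 'Accepted publickey' never shows.
non_publickey_logins() {
    accepted_logins "$1" | awk '$2 != "publickey"'
}

# Constructed sample log (documentation addresses, hypothetical users).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 25 12:00:01 vps sshd[1001]: Failed password for invalid user admin from 203.0.113.44 port 51122 ssh2
Jun 25 12:02:44 vps sshd[1004]: Accepted publickey for alex from 198.51.100.20 port 50222 ssh2
Jun 25 12:05:10 vps sshd[1010]: Accepted password for deploy from 198.51.100.77 port 41010 ssh2
Jun 25 12:09:31 vps sshd[1015]: Accepted publickey for alex from 198.51.100.20 port 50301 ssh2
Jun 25 12:11:02 vps sshd[1019]: Accepted keyboard-interactive/pam for deploy from 203.0.113.44 port 51200 ssh2
Jun 25 12:12:00 vps sudo: alex : TTY=pts/0 ; PWD=/home/alex ; USER=root ; COMMAND=/usr/bin/id
EOF

echo "All accepted logins:"
accepted_logins "$SAMPLE_LOG"
echo "Accepted, but not public-key:"
non_publickey_logins "$SAMPLE_LOG"
```

On the constructed log the public-key grep returns two lines, while two further successful logins (password and keyboard-interactive) appear only in the second listing.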

Next steps

Related commands

Cybersecurity Triage Sensitive output

Show Successful Logins and sudo Use

Access reviews need both who logged in and who elevated privileges.

grep -E 'Accepted publickey|sudo:' fixtures/user-access-audit/logs/auth.log

Cybersecurity Triage Sensitive output

List Accepted SSH Login Sources

Successful SSH logins are the access events worth anchoring first.

awk '/Accepted publickey/ {print $1, $2, $3, $9, $11}' logs/auth.log

Cybersecurity Triage Sensitive output

Summarize SSH Auth Outcomes

SSH logs get easier to read once accepted and failed methods are counted.

awk '/sshd/ && /Accepted/ {print "accepted", $7} /sshd/ && /Failed password/ {print "failed", "password"} /sshd/ && /Failed publickey/ {print "failed", "publickey"}' logs/auth.log | sort | uniq -c | sort -nr

Cybersecurity Triage Sensitive output

Show Recent sudo Commands

Privilege use is one of the fastest first-response signals.

grep 'sudo:' logs/auth.log | tail -n 10

Cybersecurity Triage Sensitive output

Show Failed SSH Public-Key Users

A failed public-key attempt often points to stale keys or the wrong account.

awk '/Failed publickey/ {i = ($9 == "invalid") ? 11 : 9; print $i, $(i + 2)}' logs/auth.log | sort | uniq -c | sort -nr

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:109-networking
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:networking
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:security
  • risk:read-only
  • risk:security-sensitive

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.