Cybersecurity Triage
Read-only, sensitive output
List Accepted SSH Login Sources
You need to list accepted SSH public-key logins with user and source IP.
Command
awk '/Accepted publickey/ {print $1, $2, $3, $9, $11}' logs/auth.log
Before you run this
System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.
When not to use it: Do not assume these are the only access events unless you also search for password, keyboard-interactive, and other Accepted patterns.
Expected output
Accepted SSH login rows with date, time, user, and source IP.
System impact
Read-only, sensitive output. Nothing changes. The command reads auth.log and prints timestamp, username, and source IP from accepted public-key events.
Recovery / rollback: no state is changed.
When to use it
Use when building an SSH access timeline or checking which accounts had successful key-based logins.
Command transcript
This sanitized transcript shows the commands and output shape without exposing host details.
$ grep 'Accepted publickey' logs/auth.log
Jun 25 10:01:41 vps sshd[111]: Accepted publickey for alice from 198.51.100.20 port 61422 ssh2: ED25519 SHA256:alicekey
Jun 25 10:04:22 vps sshd[121]: Accepted publickey for deploy from 198.51.100.21 port 60444 ssh2: ED25519 SHA256:deploykey
$ awk '/Accepted publickey/ {print $1, $2, $3, $9, $11}' logs/auth.log
Jun 25 10:01:41 alice 198.51.100.20
Jun 25 10:04:22 deploy 198.51.100.21
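Added example (not part of the original page): the command above matches only public-key logins, so this version lists every Accepted sshd event with its method and shows which rows a publickey-only filter would miss. The function names and the sample log lines are constructed for illustration and assume the traditional syslog layout shown in the transcript.

```shell
#!/bin/sh
# Constructed sample log (documentation IP ranges, made-up users and keys).
sample_log() {
  cat <<'EOF'
Jun 25 10:01:41 vps sshd[111]: Accepted publickey for alice from 198.51.100.20 port 61422 ssh2: ED25519 SHA256:alicekey
Jun 25 10:02:10 vps sshd[115]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Jun 25 10:03:05 vps sshd[118]: Accepted password for bob from 203.0.113.7 port 51234 ssh2
Jun 25 10:04:22 vps sshd[121]: Accepted publickey for deploy from 198.51.100.21 port 60444 ssh2: ED25519 SHA256:deploykey
Jun 25 10:06:30 vps sshd[130]: Accepted keyboard-interactive/pam for carol from 2001:db8::15 port 50022 ssh2
EOF
}

# Print: month day time method user source key-fingerprint (or "-").
# Reads the files given as arguments, or stdin when there are none.
accepted_logins() {
  awk '
    /sshd\[[0-9]+\]: Accepted / {
      # Find the "Accepted" token, then read the fields relative to it.
      for (i = 1; i <= NF; i++) if ($i == "Accepted") break
      method = $(i + 1)   # publickey, password, keyboard-interactive/pam, ...
      user   = $(i + 3)   # token after "for"
      src    = $(i + 5)   # token after "from" (IPv4 or IPv6)
      key    = (method == "publickey") ? $NF : "-"   # fingerprint is the last field
      print $1, $2, $3, method, user, src, key
    }' "$@"
}

# Accepted logins that a search for "Accepted publickey" alone would not show.
missed_by_publickey_filter() {
  accepted_logins "$@" | awk '$4 != "publickey"'
}

# Run against the constructed sample.
sample_log | accepted_logins
```

On a real host, pass the log path instead of piping the sample, for example `accepted_logins logs/auth.log`.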
Related commands
Summarize SSH Auth Outcomes
SSH logs get easier to read once accepted and failed methods are counted.
awk '/sshd/ && /Accepted/ {print "accepted", $7} /sshd/ && /Failed password/ {print "failed", "password"} /sshd/ && /Failed publickey/ {print "failed", "publickey"}' logs/auth.log | sort | uniq -c | sort -nr
Show Accepted SSH Logins
During first response, successful logins matter more than background noise.
grep 'Accepted publickey' logs/auth.log
Show Failed SSH Public-Key Users
A failed public-key attempt often points to stale keys or the wrong account.
awk '/Failed publickey/ {print $9, $11}' logs/auth.log | sort | uniq -c | sort -nr
Show Successful Logins and sudo Use
Access reviews need both who logged in and who elevated privileges.
grep -E 'Accepted publickey|sudo:' fixtures/user-access-audit/logs/auth.log
Count Failed SSH Login IPs
The loudest SSH source is usually visible with one count.
sed -n 's/.*Failed password .* from \([0-9.]*\) port.*/\1/p' logs/auth.log | sort | uniq -c | sort -nr
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.