Cybersecurity Triage
Read-only, sensitive outputInventory SSH authorized_keys
You need to list authorized key files and identify the key type plus comment for each entry.
Command
find home -path '*/.ssh/authorized_keys' -exec awk '{print FILENAME, $1, $NF}' {} +Before you run this
System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.
When not to use it: Do not delete keys from this output alone; confirm the comment, owner, fingerprint, and current dependency first.
Expected output
Each authorized_keys entry with its file path, key type, and comment.
System impact
Read-only, sensitive output. Nothing changes. The command reads authorized_keys files and prints the source file, key type, and trailing comment.
Recovery / rollback: no state is changed.
When to use it
Use during SSH access inventory, account handoff, or before removing a user's key-based access.
When not to use it
Do not delete keys from this output alone; confirm the comment, owner, fingerprint, and current dependency first.
Explanation-only example
Illustrated output, not a live lab run
This example is intentionally illustrative. It shows the command shape without killing real processes or changing your machine.
$ find home -path '*/ssh-keys/authorized_keys' -printf '%m %p\n' | sort
600 home/alice/ssh-keys/authorized_keys
600 home/deploy/ssh-keys/authorized_keys
644 home/bob/ssh-keys/authorized_keys$ find home -path '*/ssh-keys/authorized_keys' -exec awk '{print FILENAME, $1, $NF}' {} +
home/deploy/ssh-keys/authorized_keys ssh-ed25519 deploy-ci-2026
home/bob/ssh-keys/authorized_keys ssh-rsa bob-old-laptop
home/alice/ssh-keys/authorized_keys ssh-ed25519 alice-laptop-2026
home/alice/ssh-keys/authorized_keys ssh-rsa breakglass-ticket-4821View commands shown
These are the commands shown in the sanitized transcript.
Commands shown
find home -path '*/.ssh/authorized_keys' -printf '%m %p\n' | sortfind home -path '*/.ssh/authorized_keys' -exec awk '{print FILENAME, $1, $NF}' {} +
next steps
Related commands
Summarize SSH Authorized Key Types
Key inventory gets more useful when old key types stand out.
find home -path '*/.ssh/authorized_keys' -exec awk '{print $1}' {} + | sort | uniq -c | sort -nr
Find SSH Key Users with sudo
The highest-priority access review starts where SSH keys and sudo overlap.
comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
Count authorized_keys by User
authorized_keys is the practical SSH access list.
find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -exec sh -c 'for f do user=$(basename "$(dirname "$(dirname "$f")")"); keys=$(grep -vc "^[[:space:]]*#" "$f"); printf "%s %s %s\n" "$user" "$keys" "$f"; done' sh {} + | sort
Find SSH Keys for nologin Users
A nologin shell does not automatically mean SSH keys are irrelevant.
comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
Find Loose authorized_keys Modes
SSH key access files should not be looser than intended.
find home -path '*/.ssh/authorized_keys' -printf '%m %p\n' | awk '$1 > 600'
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.