Cybersecurity Triage

Risk: safe

List Accepted SSH Login Sources

You need to list accepted SSH public-key logins with user and source IP.

Command

awk '/Accepted publickey/ {print $1, $2, $3, $9, $11}' logs/auth.log

Before you run this

Risk: safe. Do not assume these are the only access events unless you also search for password, keyboard-interactive, and other Accepted patterns.

Expected output

Accepted SSH login rows with date, time, user, and source IP.

System impact

Nothing changes. The command reads auth.log and prints timestamp, username, and source IP from accepted public-key events.

Recovery / rollback: no state is changed.

When to use it

Use when building an SSH access timeline or checking which accounts had successful key-based logins.

When not to use it

Do not assume these are the only access events unless you also search for password, keyboard-interactive, and other Accepted patterns.
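
An added example, not part of the original lesson: the function below lists every Accepted event whatever the authentication method, and finds the fields relative to the word Accepted, so a line with a one-field ISO 8601 timestamp parses the same way as the traditional three-field one. The names list_accepted and sample_log and the sample log lines are constructed for illustration; the sshd-session tag is matched on the assumption that newer OpenSSH releases log under that process name.

```sh
#!/bin/sh
# Added example (not from the original lesson).

# list_accepted [FILE...]: print "timestamp method user source_ip [fingerprint]"
# for every accepted SSH login; reads stdin when no file is given.
list_accepted() {
    awk '
    {
        # "Accepted" must be the first word of the message, i.e. directly
        # after the sshd[pid]: tag (assumed: sshd-session on newer OpenSSH).
        for (i = 2; i <= NF; i++)
            if ($i == "Accepted" && $(i-1) ~ /^sshd(-session)?(\[[0-9]+\])?:$/) break
        # Need at least timestamp, host and tag in front of "Accepted".
        if (i > NF || i < 4) next
        # Expected shape: Accepted <method> for <user> from <ip> port <n> ...
        if ($(i+2) != "for" || $(i+4) != "from") next
        # Timestamp is every field before the hostname: three fields in the
        # traditional format, one in ISO 8601 format.
        ts = $1
        for (j = 2; j <= i - 3; j++) ts = ts " " $j
        line = ts " " $(i+1) " " $(i+3) " " $(i+5)
        # publickey lines end with the key fingerprint; keep it for the timeline.
        if ($NF ~ /^(SHA256|MD5):/) line = line " " $NF
        print line
    }' "$@"
}

# Constructed sample input: three accepted logins with different methods
# (one with an ISO 8601 timestamp) and one failed attempt.
sample_log() {
    cat <<'EOF'
Jun 25 10:01:41 vps sshd[111]: Accepted publickey for alice from 198.51.100.20 port 61422 ssh2: ED25519 SHA256:alicekey
Jun 25 10:07:03 vps sshd[130]: Accepted password for bob from 203.0.113.7 port 50112 ssh2
2024-06-25T10:09:15.123456+00:00 vps sshd[140]: Accepted keyboard-interactive/pam for carol from 203.0.113.9 port 50200 ssh2
Jun 25 10:10:00 vps sshd[150]: Failed password for invalid user admin from 192.0.2.50 port 40000 ssh2
EOF
}

sample_log | list_accepted
```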

Watch this command run

Example output from a temporary Linux lab

This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.

$ grep 'Accepted publickey' logs/auth.log

Jun 25 10:01:41 vps sshd[111]: Accepted publickey for alice from 198.51.100.20 port 61422 ssh2: ED25519 SHA256:alicekey
Jun 25 10:04:22 vps sshd[121]: Accepted publickey for deploy from 198.51.100.21 port 60444 ssh2: ED25519 SHA256:deploykey

$ awk '/Accepted publickey/ {print $1, $2, $3, $9, $11}' logs/auth.log

Jun 25 10:01:41 alice 198.51.100.20
Jun 25 10:04:22 deploy 198.51.100.21

This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.

Lab setup steps

  1. grep 'Accepted publickey' logs/auth.log
  2. awk '/Accepted publickey/ {print $1, $2, $3, $9, $11}' logs/auth.log

Next steps

Related commands

Cybersecurity Triage Risk: safe

Summarize SSH Auth Outcomes

SSH logs get easier to read once accepted and failed methods are counted.

awk '/sshd/ && /Accepted/ {print "accepted", $7} /sshd/ && /Failed password/ {print "failed", "password"} /sshd/ && /Failed publickey/ {print "failed", "publickey"}' logs/auth.log | sort | uniq -c | sort -nr

Cybersecurity Triage Risk: safe

Show Accepted SSH Logins

During first response, successful logins matter more than background noise.

grep 'Accepted publickey' logs/auth.log

Cybersecurity Triage Risk: safe

Show Failed SSH Public-Key Users

A failed public-key attempt often points to stale keys or the wrong account.

awk '/Failed publickey/ {print $9, $11}' logs/auth.log | sort | uniq -c | sort -nr

Cybersecurity Triage Risk: safe

Show Successful Logins and sudo Use

Access reviews need both who logged in and who elevated privileges.

grep -E 'Accepted publickey|sudo:' fixtures/user-access-audit/logs/auth.log

Cybersecurity Triage Risk: safe

Count Failed SSH Login IPs

The loudest SSH source is usually visible with one count.

sed -n 's/.*Failed password .* from \([0-9.]*\) port.*/\1/p' logs/auth.log | sort | uniq -c | sort -nr

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:109-networking
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:networking
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:security
  • risk:read-only
  • risk:security-sensitive

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.