Cybersecurity Triage

List Accepted SSH Login Sources

You need to list accepted SSH public-key logins with user and source IP.

Command

awk '/Accepted publickey/ {print $1, $2, $3, $9, $11}' logs/auth.log

What changed

Nothing changes on the system: the command only reads auth.log and prints the timestamp, username, and source IP of each accepted public-key login.

Danger

safe

When to use it

Use when building an SSH access timeline or checking which accounts had successful key-based logins.

When not to use it

Do not assume these are the only access events unless you also search for password, keyboard-interactive, and other Accepted patterns.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Accepted SSH login rows with date, time, user, and source IP.

Demo script

Disposable terminal steps

  1. grep 'Accepted publickey' logs/auth.log
  2. awk '/Accepted publickey/ {print $1, $2, $3, $9, $11}' logs/auth.log

Simulated output

What it looks like

$ grep 'Accepted publickey' logs/auth.log
Jun 25 10:01:41 vps sshd[111]: Accepted publickey for alice from 198.51.100.20 port 61422 ssh2: ED25519 SHA256:alicekey
Jun 25 10:04:22 vps sshd[121]: Accepted publickey for deploy from 198.51.100.21 port 60444 ssh2: ED25519 SHA256:deploykey
::exit-code::0
$ awk '/Accepted publickey/ {print $1, $2, $3, $9, $11}' logs/auth.log
Jun 25 10:01:41 alice 198.51.100.20
Jun 25 10:04:22 deploy 198.51.100.21
::exit-code::0
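The lesson's awk one-liner relies on fixed field numbers ($9 and $11), which only hold for the classic syslog layout and the publickey method. The following added example (not part of the lesson) covers the caveat from "When not to use it": it lists every Accepted method (publickey, password, keyboard-interactive/pam) and locates the user and IP relative to the "for" and "from" keywords, so a different hostname or timestamp layout does not shift the columns. The sample auth.log is constructed with hypothetical hosts and RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not the lesson's own command.
# ssh_accepted FILE: print "<timestamp> <method> <user> <source-ip>" for every
# accepted sshd login, whatever the authentication method.
ssh_accepted() {
  awk '
    /sshd\[[0-9]+\]: Accepted / {
      method = ""; user = ""; ip = ""; ts = ""
      for (i = 1; i <= NF; i++) {
        # Everything before the hostname (the field preceding sshd[PID]:) is the timestamp,
        # so both "Jun 25 10:01:41" and ISO 8601 stamps are handled.
        if ($i ~ /^sshd\[/) { for (j = 1; j < i - 1; j++) ts = ts (j > 1 ? " " : "") $j }
        else if ($i == "Accepted") method = $(i + 1)   # publickey, password, keyboard-interactive/pam
        else if ($i == "for")      user   = $(i + 1)
        else if ($i == "from")     ip     = $(i + 1)
      }
      if (user != "" && ip != "") print ts, method, user, ip
    }
  ' "$1"
}

# Constructed sample log (hypothetical hosts, RFC 5737 addresses); the Failed line must be skipped.
SSH_SAMPLE=$(mktemp)
cat > "$SSH_SAMPLE" <<'EOF'
Jun 25 10:01:41 vps sshd[111]: Accepted publickey for alice from 198.51.100.20 port 61422 ssh2: ED25519 SHA256:alicekey
Jun 25 10:02:05 vps sshd[115]: Failed password for root from 203.0.113.9 port 41022 ssh2
Jun 25 10:04:22 vps sshd[121]: Accepted password for bob from 203.0.113.5 port 60444 ssh2
2024-06-25T10:05:10.123456+00:00 bastion-01 sshd[130]: Accepted keyboard-interactive/pam for carol from 192.0.2.7 port 50112 ssh2
EOF

ssh_accepted "$SSH_SAMPLE"
```

Run it against the real file with `ssh_accepted /var/log/auth.log`; the output is still read-only, so no undo is needed.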

YouTube Short

List accepted SSH sources.

Start SSH triage with accepted logins. Print the timestamp, account, and source IP before chasing failed noise.

LinkedIn hook

Successful SSH logins are the access events worth anchoring first.

Question: Do you anchor SSH triage on successful logins before reviewing failed attempts?

Experiments

A/B tests to run

Metric: watch_time

A: Accepted SSH sources.

B: Start with successful access.