SSH public keys listed in authorized_keys provide passwordless authentication, so a single unexpected key can grant silent, persistent access to an account. Regularly reviewing allowed keys helps detect unauthorized access and reduces lockouts caused by permission or ownership changes.
The OpenSSH server (sshd) checks a user’s configured authorized-keys file during public-key authentication and compares the incoming key against each entry. Each non-comment line can include key options, a key type, the base64 key material, and an optional comment that typically identifies the device or owner.
Key-based authentication is ignored when the key file or .ssh directory has unsafe permissions, and the key location can be overridden by AuthorizedKeysFile or replaced entirely by AuthorizedKeysCommand in /etc/ssh/sshd_config. Removing or editing entries can immediately break access for automation and administrators, so maintain a verified recovery path (console or out-of-band) before making changes.
$ sudo -u user ls -l /home/user/.ssh
total 16
-rw------- 1 user user 575 Jan 11 13:43 authorized_keys
-rw------- 1 user user 2610 Jan 11 13:43 id_rsa
-rw-r--r-- 1 user user 575 Jan 11 13:43 id_rsa.pub
-rw-r--r-- 1 user user 142 Jan 11 13:43 known_hosts
$ sudo -u user ls -l /home/user/.ssh/authorized_keys
-rw------- 1 user user 575 Jan 11 13:43 /home/user/.ssh/authorized_keys
Replace user with the target account name, and expect permissions like 700 for ~/.ssh and 600 for authorized_keys.
$ sudo sshd -T | grep -E '^(authorizedkeysfile|authorizedkeyscommand|authorizedkeyscommanduser)[[:space:]]'
authorizedkeyscommand none
authorizedkeyscommanduser none
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
A non-none AuthorizedKeysCommand indicates keys may be sourced outside of ~/.ssh/authorized_keys.
$ sudo -iu user -- bash -c 'nl -ba ~/.ssh/authorized_keys'
1 ssh-rsa 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 user@host.example.net
$ sudo -iu user -- bash -c 'ssh-keygen -lf ~/.ssh/authorized_keys'
3072 SHA256:c58zGznw+wLtL7axZCUOpKm1/Oi/GJ3df7dUrAa9o0M user@host.example.net (RSA)
$ sudo -iu user -- bash -c 'grep -nE "(^|,)(command=|from=|permitopen=|environment=)" ~/.ssh/authorized_keys'
No output here indicates no option-constrained keys; any matches should be reviewed for intended restrictions.
$ sudo -iu user -- bash -c 'stat ~/.ssh/authorized_keys'
  File: /home/user/.ssh/authorized_keys
  Size: 575 Blocks: 8 IO Block: 4096 regular file
Device: 0,64 Inode: 211214 Links: 1
Access: (0600/-rw-------) Uid: ( 1001/ user) Gid: ( 1001/ user)
Access: 2026-01-11 13:46:35.612512006 +0000
Modify: 2026-01-11 13:43:10.529416008 +0000
Change: 2026-01-11 13:46:22.162512000 +0000
 Birth: 2026-01-11 13:43:10.529416008 +0000
$ sudo find /home /root -path '*/.ssh/authorized_keys' -type f -printf '%p\n' | sort
/home/user/.ssh/authorized_keys
$ sudo find /home /root -path "*/.ssh/authorized_keys" -type f -perm /022 -printf '%m %u %g %p\n' | sort
No output indicates that no group- or world-writable authorized_keys files were found. A writable authorized_keys file can be replaced by another user or ignored by sshd, causing unexpected access or lockouts.
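The entry format described at the top of this page (optional options, key type, base64 key material, optional comment) and the option review step can be combined into one parser. This is an added example, not part of the original page: the function names are hypothetical and the sample keys are constructed, not real. It goes slightly beyond the grep by honouring quoted option values and by checking that the key type on the line matches the type encoded inside the key blob.

```python
import base64, hashlib

REVIEW = {"command", "from", "permitopen", "environment"}  # options the page's grep looks for

def split_unquoted(text, seps):  # split on seps that sit outside a double-quoted value
    parts, in_q, prev = [""], False, ""
    for ch in text:
        if ch == '"' and prev != "\\":  # \" is an escaped quote inside a value
            in_q = not in_q
        if ch in seps and not in_q:
            parts.append("")
        else:
            parts[-1] += ch
        prev = ch
    return [p for p in parts if p]

def key_info(b64):
    """Return (embedded key type, SHA256 fingerprint), or (None, None) if not a key blob."""
    try:
        blob = base64.b64decode(b64, validate=True)
        name = blob[4:4 + int.from_bytes(blob[:4], "big")].decode("ascii")
    except ValueError:
        return None, None
    return name, "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def audit(text):
    """Parse authorized_keys text; one dict per key line, unparseable lines included."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        f = split_unquoted(line, " \t")
        if not f or f[0].startswith("#"):
            continue
        entry = {"line": no, "error": "no valid key found"}
        for i in (0, 1):  # key type is field 0, or field 1 when options lead
            name, fp = key_info(f[i + 1]) if len(f) > i + 1 else (None, None)
            if name and name == f[i]:  # type on the line must match the type inside the blob
                names = [o.split("=", 1)[0] for o in split_unquoted(",".join(f[:i]), ",")]
                entry = {"line": no, "type": name, "fingerprint": fp, "comment": " ".join(f[i + 2:]),
                         "review": [n for n in names if n in REVIEW]}
                break
        out.append(entry)
    return out

def _blob(seed):  # constructed ed25519-shaped blob for the demo, not a real key
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32).decode()
SAMPLE = (f"# constructed sample file\nssh-ed25519 {_blob(1)} user@host.example.net\n"
          f'command="/usr/bin/rsync --server",from="192.0.2.10" ssh-ed25519 {_blob(2)} backup job\n')

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The fingerprint is computed the same way as the SHA256 value printed by ssh-keygen -lf, so entries can be matched against a known-good inventory.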