Unexpected entries in authorized_keys can keep SSH access open after a password change, laptop replacement, automation handoff, or staff offboarding. Checking the effective key source and the listed fingerprints shows which public keys sshd can still accept for a Linux account.
OpenSSH normally reads user keys from ~/.ssh/authorized_keys, but AuthorizedKeysFile can point to additional files and AuthorizedKeysCommand can pull keys from an external command or directory service. Printing the effective sshd configuration for the target account keeps Match blocks and alternate key sources from being missed.
The checks are read-only, but the follow-up decision is access-sensitive. StrictModes can reject a key file when path ownership or permissions are too loose, and deleting the wrong line can lock out administrators, backup jobs, or deployment automation that still depend on that key.
Related: How to investigate a Linux intrusion
$ getent passwd deploy deploy:x:1001:1001::/home/deploy:/bin/bash
Replace deploy with the account being audited. The sixth field is the home directory used for relative AuthorizedKeysFile paths such as .ssh/authorized_keys.
$ sudo sshd -T -C user=deploy,host=server.example.net,addr=192.0.2.10,laddr=192.0.2.20,lport=22 port 22 ##### snipped ##### pubkeyauthentication yes strictmodes yes ##### snipped ##### authorizedkeyscommand none authorizedkeyscommanduser none ##### snipped ##### authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2 ##### snipped #####
The -C context applies matching Match rules before sshd prints the final configuration. If AuthorizedKeysCommand is not none, audit that command as another source of accepted public keys.
$ sudo namei -l /home/deploy/.ssh/authorized_keys f: /home/deploy/.ssh/authorized_keys drwxr-xr-x root root / drwxr-xr-x root root home drwxr-x--- deploy deploy deploy drwx------ deploy deploy .ssh -rw------- deploy deploy authorized_keys
With StrictModes yes, the account home directory must not be writable by group or others. The .ssh directory is usually 700, and the authorized_keys file is usually 600.
$ sudo cat /home/deploy/.ssh/authorized_keys from="192.0.2.10",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINaS2k7H3mqbDjmt/u2SeGeYNOFZZ0bb3GvyS/4N3HqO laptop-admin command="/usr/local/bin/backup-run",permitopen="127.0.0.1:5432" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGd3mOYWVN2yKkyrR7lwQampuvRhMK9j5y/1MAq4of13 backup-job
Each non-comment line contains optional key restrictions, the key type, the public key data, and an optional comment. Review options such as from=, command=, restrict, and permitopen= because they change how a key can be used.
$ sudo ssh-keygen -l -f /home/deploy/.ssh/authorized_keys 256 SHA256:uG223w+E3Z/EStUSiEV5mtgy5bTAtuWDh1vHEkSI1Mo laptop-admin (ED25519) 256 SHA256:D6wiu/fGztxjQI9+YhvrKotiSigWaZTZcIidnJtQPnA backup-job (ED25519)
Compare fingerprints with onboarding records, configuration management, or an incident inventory instead of relying on comments alone.
Tool: Secure Shell (SSH) Key Fingerprint Checker
$ sudo stat /home/deploy/.ssh/authorized_keys File: /home/deploy/.ssh/authorized_keys Size: 277 Blocks: 8 IO Block: 4096 regular file Access: (0600/-rw-------) Uid: ( 1001/ deploy) Gid: ( 1001/ deploy) Access: 2026-06-13 02:03:14.348596000 +0000 Modify: 2026-06-13 02:03:14.341596000 +0000 Change: 2026-06-13 02:03:14.343596000 +0000 Birth: 2026-06-13 02:03:14.339596000 +0000
Correlate unexpected modification times with login records, privilege changes, deployment runs, or account-management activity.
Related: How to check authentication logs in Linux