SSH public keys listed in authorized_keys provide passwordless authentication, so a single unexpected key can grant silent, persistent access to an account. Regularly reviewing allowed keys helps detect unauthorized access and reduces lockouts caused by permission or ownership changes.

The OpenSSH server (sshd) checks a user’s configured authorized-keys file during public-key authentication and compares the incoming key against each entry. Each non-comment line can include key options, a key type, the base64 key material, and an optional comment that typically identifies the device or owner.

Key-based authentication is ignored when the key file or .ssh directory has unsafe permissions, and the key location can be overridden by AuthorizedKeysFile or replaced entirely by AuthorizedKeysCommand in /etc/ssh/sshd_config. Removing or editing entries can immediately break access for automation and administrators, so maintain a verified recovery path (console or out-of-band) before making changes.

Steps to check SSH authorized keys with sshd and ssh-keygen in Linux:

  1. List the .ssh directory and authorized_keys file for the account.
    $ sudo -u user ls -l /home/user/.ssh
    total 16
    -rw------- 1 user user  575 Jan 11 13:43 authorized_keys
    -rw------- 1 user user 2610 Jan 11 13:43 id_rsa
    -rw-r--r-- 1 user user  575 Jan 11 13:43 id_rsa.pub
    -rw-r--r-- 1 user user  142 Jan 11 13:43 known_hosts
    $ sudo -u user ls -l /home/user/.ssh/authorized_keys
    -rw------- 1 user user 575 Jan 11 13:43 /home/user/.ssh/authorized_keys

    Replace user with the target account name, and expect permissions like 700 for ~/.ssh and 600 for authorized_keys.

  2. Show the effective sshd authorized-keys settings.
    $ sudo sshd -T | grep -E '^(authorizedkeysfile|authorizedkeyscommand|authorizedkeyscommanduser)[[:space:]]'
    authorizedkeyscommand none
    authorizedkeyscommanduser none
    authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2

    A non-none AuthorizedKeysCommand indicates keys may be sourced outside of ~/.ssh/authorized_keys.

  3. Display the authorized_keys file with line numbers for manual review.
    $ sudo -iu user -- bash -c 'nl -ba ~/.ssh/authorized_keys'
         1	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCaCwOaH9aRjwiHXjJaTESy9eWvURjbguGlz92x1PNTpbWTcPOcsTa4HLe6fazNsSm7NW1zcr+OxfxUAYYHHZ6EtvQEw330HNbebdVBVu36kJ+vV8tfJEnnOzUl9N51IOnlsLB6IcJn5bIfdYK9ttWqcd0vz2rsF2jtHa6WDqlVrtfdqzGbeSHZ3tLktOUl4qxdxoWl57A0vV0qlHNl2udYAkeOS3AcCnCO1JUottQRKURprYHf4EnEQapGm5YHV3dPiky2dRJFfnY2yM+sLfGDuPr4wd8PQUNJJZ+M6RHagUmpeWpJMbDmZQgZe+nuOB8UZ+nwYJkNZmy+O7F8C5Ym3hh/2W62slCucFwozvRn87UVsG6R0aoHvN0KZP4GO/Yx6HQ/kxEzVa6flRuxAu5ja3q4rhGdzt4+6AvlPAsToB5eHqzft3fYTsn3TiRh3elNt8R7TC3oeQp/5GAFSyEQs1TYuhhnv7ay6Ll/RmE3GPMaeTQtk6up1Nn9hlmyGY8= user@host.example.net
  4. Review key fingerprints stored in the file.
    $ sudo -iu user -- bash -c 'ssh-keygen -lf ~/.ssh/authorized_keys'
    3072 SHA256:c58zGznw+wLtL7axZCUOpKm1/Oi/GJ3df7dUrAa9o0M user@host.example.net (RSA)
  5. Find entries that use authorized_keys options such as command= or from=.
    $ sudo -iu user -- bash -c 'grep -nE "(^|,)(command=|from=|permitopen=|environment=)" ~/.ssh/authorized_keys'

    No output here indicates that no entries use these options; review any matches to confirm the restrictions are intended.

  6. Check the file modification and change times.
    $ sudo -iu user -- bash -c 'stat ~/.ssh/authorized_keys'
      File: /home/user/.ssh/authorized_keys
      Size: 575       	Blocks: 8          IO Block: 4096   regular file
    Device: 0,64	Inode: 211214      Links: 1
    Access: (0600/-rw-------)  Uid: ( 1001/    user)   Gid: ( 1001/    user)
    Access: 2026-01-11 13:46:35.612512006 +0000
    Modify: 2026-01-11 13:43:10.529416008 +0000
    Change: 2026-01-11 13:46:22.162512000 +0000
     Birth: 2026-01-11 13:43:10.529416008 +0000
  7. Locate authorized_keys files across common home directories.
    $ sudo find /home /root -path '*/.ssh/authorized_keys' -type f -printf '%p\n' | sort
    /home/user/.ssh/authorized_keys
  8. Identify authorized_keys files that are group- or world-writable.
    $ sudo find /home /root -path "*/.ssh/authorized_keys" -type f -perm /022 -printf '%m %u %g %p\n' | sort

    No output indicates that no group- or world-writable authorized_keys files were found. A writable authorized_keys can be replaced by another user or ignored by sshd, causing unexpected access or lockouts.
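
Added example (not part of the original procedure): a Python parser for the entry layout described above (options, key type, base64 key material, comment). It computes the same SHA256 fingerprint form that step 4 prints and exposes the option field that step 5 searches, including quoted values that contain spaces. The sample key is a constructed placeholder, and the function names are this example's own.

```python
import base64
import hashlib

# Key-type prefixes that can start an entry (certificate types share them).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-sha2-")

def split_options(line):
    """Return (options, rest); quoted values may hold spaces and escaped quotes."""
    in_quote, i = False, 0
    while i < len(line) and (in_quote or line[i] not in " \t"):
        if in_quote and line.startswith('\\"', i):
            i += 1  # skip the backslash so the escaped quote does not end the value
        elif line[i] == '"':
            in_quote = not in_quote
        i += 1
    return line[:i], line[i:].strip()

def parse_entry(line):
    """Parse one authorized_keys line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = ("", line) if line.startswith(KEY_TYPES) else split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2:
        raise ValueError("entry has no key material")
    blob = base64.b64decode(fields[1], validate=True)
    name_len = int.from_bytes(blob[:4], "big")  # blob begins with its own type string
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "options": options,
        "type": fields[0],
        "type_matches_blob": blob[4:4 + name_len] == fields[0].encode(),
        "fingerprint": "SHA256:" + digest,  # same form ssh-keygen -l prints
        "comment": fields[2] if len(fields) > 2 else "",
    }

# Constructed placeholder key (bytes 0..31), not a real credential.
SAMPLE_BLOB = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes(range(32))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE = [
    "# constructed sample file",
    f"ssh-ed25519 {SAMPLE_B64} laptop@host.example.net",
    f'from="10.0.0.0/8",command="/usr/local/bin/backup --full" ssh-ed25519 {SAMPLE_B64} backup job',
]

if __name__ == "__main__":
    print(*(parse_entry(text) for text in SAMPLE), sep="\n")
```

An entry whose type_matches_blob is false has a declared key type that disagrees with the key material and deserves a closer look.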