Unexpected entries in authorized_keys can keep SSH access open after a password change, laptop replacement, automation handoff, or staff offboarding. Checking the effective key source and the listed fingerprints shows which public keys sshd can still accept for a Linux account.

OpenSSH normally reads user keys from ~/.ssh/authorized_keys, but AuthorizedKeysFile can point to additional files and AuthorizedKeysCommand can pull keys from an external command or directory service. Printing the effective sshd configuration for the target account keeps Match blocks and alternate key sources from being missed.

The checks are read-only, but the follow-up decision is access-sensitive. StrictModes can reject a key file when path ownership or permissions are too loose, and deleting the wrong line can lock out administrators, backup jobs, or deployment automation that still depend on that key.

Steps to check SSH authorized keys in Linux:

  1. Resolve the target account and home directory.
    $ getent passwd deploy
    deploy:x:1001:1001::/home/deploy:/bin/bash

    Replace deploy with the account being audited. The sixth field is the home directory used for relative AuthorizedKeysFile paths such as .ssh/authorized_keys.

  2. Print the effective sshd key lookup settings for that account.
    $ sudo sshd -T -C user=deploy,host=server.example.net,addr=192.0.2.10,laddr=192.0.2.20,lport=22
    port 22
    ##### snipped #####
    pubkeyauthentication yes
    strictmodes yes
    ##### snipped #####
    authorizedkeyscommand none
    authorizedkeyscommanduser none
    ##### snipped #####
    authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
    ##### snipped #####

    The -C context applies matching Match rules before sshd prints the final configuration. If AuthorizedKeysCommand is not none, audit that command as another source of accepted public keys.

  3. Check the ownership and permissions along the key file path.
    $ sudo namei -l /home/deploy/.ssh/authorized_keys
    f: /home/deploy/.ssh/authorized_keys
    drwxr-xr-x root   root   /
    drwxr-xr-x root   root   home
    drwxr-x--- deploy deploy deploy
    drwx------ deploy deploy .ssh
    -rw------- deploy deploy authorized_keys

    With StrictModes yes, the account home directory must not be writable by group or others. The .ssh directory is usually 700, and the authorized_keys file is usually 600.

  4. Read the authorized key lines.
    $ sudo cat /home/deploy/.ssh/authorized_keys
    from="192.0.2.10",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINaS2k7H3mqbDjmt/u2SeGeYNOFZZ0bb3GvyS/4N3HqO laptop-admin
    command="/usr/local/bin/backup-run",permitopen="127.0.0.1:5432" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGd3mOYWVN2yKkyrR7lwQampuvRhMK9j5y/1MAq4of13 backup-job

    Each non-comment line contains optional key restrictions, the key type, the public key data, and an optional comment. Review options such as from=, command=, restrict, and permitopen= because they change how a key can be used.

  5. Generate fingerprints for the listed keys.
    $ sudo ssh-keygen -l -f /home/deploy/.ssh/authorized_keys
    256 SHA256:uG223w+E3Z/EStUSiEV5mtgy5bTAtuWDh1vHEkSI1Mo laptop-admin (ED25519)
    256 SHA256:D6wiu/fGztxjQI9+YhvrKotiSigWaZTZcIidnJtQPnA backup-job (ED25519)

    Compare fingerprints with onboarding records, configuration management, or an incident inventory instead of relying on comments alone.
    Tool: Secure Shell (SSH) Key Fingerprint Checker

  6. Check the last change time when a key is unfamiliar.
    $ sudo stat /home/deploy/.ssh/authorized_keys
      File: /home/deploy/.ssh/authorized_keys
      Size: 277        Blocks: 8          IO Block: 4096   regular file
    Access: (0600/-rw-------)  Uid: ( 1001/  deploy)   Gid: ( 1001/  deploy)
    Access: 2026-06-13 02:03:14.348596000 +0000
    Modify: 2026-06-13 02:03:14.341596000 +0000
    Change: 2026-06-13 02:03:14.343596000 +0000
     Birth: 2026-06-13 02:03:14.339596000 +0000

    Correlate unexpected modification times with login records, privilege changes, deployment runs, or account-management activity.
    Related: How to check authentication logs in Linux