
Kamaro Lambert

Productivity

2y ago

I write about principles and life lessons that make you prosper in the Spirit, Soul and Body.

How To Tell Who Accessed The Unix Server Even If The Username Is Shared?

In a Linux server environment, many people can share the same username when they connect to a remote server over SSH, but each person must have a unique public and private key pair to log in to the remote server.

The question is: How do you know who logged in to the server if the username is shared?

Each public key has a unique fingerprint that you can use to identify who accessed the server and when.

Here's how to do it:

  1. Determine the unique fingerprint per authorized public key.

    • Open ~/.ssh/authorized_keys

    • Extract the public key and save it in public_key.pub

    • Run ssh-keygen -lf public_key.pub to get the fingerprint.

    • A unique fingerprint like the following will be displayed: RSA SHA256:cHVXuz3zq1+HT98PSJ/t3xjovTLYRJg71ZOeLwPXILv

  2. Open the system logs or SSH access logs in a text editor or file reader. The log lines look like the following:

    • Jan 02 02:00:02 ip-xx-xx-xx-xx sshd[475759]: Accepted publickey for ubuntu from x.x.x.x port 43052 ssh2: RSA SHA256:cHVXuz3zq1+HT98PSJ/t3xjovTLYRJg71ZOeLwPXILv

The key with the above fingerprint logged in to the server today at 02:00:02 from IP x.x.x.x.

System administrators and DevOps engineers should keep an inventory of the authorized public keys so that they can accurately tell who accessed the server, what they did, and their location.
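An added example (not from the original post) that automates both steps in Python: it computes the SHA256 fingerprint of every key in an authorized_keys file, uses each key's comment as the owner label, and attributes every "Accepted publickey" log line to an owner. The keys, owner names and first log line are constructed sample data; the second log line is the post's own, and its key is absent from the sample inventory, so it is reported as unknown.

```python
import base64, hashlib, re

KEY_RE = re.compile(r"\b((?:ssh|ecdsa|sk)-\S+)\s+(AAAA[A-Za-z0-9+/]+=*)(?:\s+(.*))?$")
LOG_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Accepted publickey for (\S+) "
                    r"from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")

def fingerprint(b64_blob):
    """SHA256 fingerprint in OpenSSH form: unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_inventory(authorized_keys_text):
    """Return {fingerprint: owner label}, using each key's trailing comment as the label."""
    inventory = {}
    for line in authorized_keys_text.splitlines():
        # Skip comment lines; leading options such as from="..." are tolerated by KEY_RE.
        m = KEY_RE.search(line) if not line.lstrip().startswith("#") else None
        if m:
            inventory[fingerprint(m.group(2))] = (m.group(3) or "(no comment)").strip()
    return inventory

def attribute_logins(log_text, inventory):
    """Return (timestamp, account, source IP, key owner) for each accepted public-key login."""
    logins = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            when, account, ip, fp = m.groups()
            # A fingerprint missing from the inventory is itself worth investigating.
            logins.append((when, account, ip, inventory.get(fp, "UNKNOWN KEY")))
    return logins

def sample_key(owner, fill):
    """Constructed, structurally valid ssh-ed25519 line (not a real key)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + owner

# Constructed sample data: two keys sharing the 'ubuntu' account, one with a from= option.
ALICE, BOB = sample_key("alice@laptop", 1), sample_key("bob@workstation", 2)
AUTHORIZED_KEYS = "# team keys\n" + ALICE + '\nfrom="10.0.0.0/8" ' + BOB + "\n"
INVENTORY = load_inventory(AUTHORIZED_KEYS)
BOB_FP = fingerprint(BOB.split()[1])
LOG = (
    "Jan 02 01:10:44 ip-xx-xx-xx-xx sshd[475100]: Accepted publickey for ubuntu "
    f"from 10.1.2.3 port 50122 ssh2: ED25519 {BOB_FP}\n"
    # The post's own sample line; its key is not in the constructed inventory.
    "Jan 02 02:00:02 ip-xx-xx-xx-xx sshd[475759]: Accepted publickey for ubuntu from x.x.x.x "
    "port 43052 ssh2: RSA SHA256:cHVXuz3zq1+HT98PSJ/t3xjovTLYRJg71ZOeLwPXILv\n"
)
if __name__ == "__main__":
    print(*attribute_logins(LOG, INVENTORY), sep="\n")
```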
