What is this doing?

Hi,

What is this in the authorized_keys file for a user?

from=“127.0.0.1”,command=“internal-sftp”,restrict ssh-rsa dddd9laI1+7s5dikq8azAXg6Gq0x/hSHe4NO6q/btJkPQ== [email protected] TS:1694555655 filemanager.ssh.key

I’m getting notified of SSH logins via a user - and I think its coming from this, as I’m seeing this in authlog:


Sep 12 21:29:09 east sshd[125115]: Accepted publickey for bhccwga from 127.0.0.1 port 55098 ssh2: RSA SHA256:fuKT5WidrF9H9vRlaARyGi/BlD1GPICxZ19jOte/FXw

Is this just the file manager running? (just making sure its nota hacker!)

Cheers

Andy

Yes filemanger…

Cool thanks. I was panicking things someone had got into the server (we were recently hacked via SSH keys). I’ve got a load of extra checks in place that alert me to anyone using SSH now (other than myself and allowed IPs), and this started pinging up on my phone. I’ve added it to the whitelist, now I’m happy its just local traffic and not a hacker :slight_smile: