Keeping an Eye on SSH Keys: Easily Review authorized_keys with awk
Hello fellow Admins!
Who hasn’t been there? The ~/.ssh/authorized_keys file is a crucial component for the security of your servers. But sometimes, especially when many keys are stored or very long keys are in use, the file can quickly become overwhelming. Getting a quick overview without endlessly scrolling through lengthy character strings is truly golden.
That’s precisely why I have a small but powerful tip for you: an awk script that makes your authorized_keys more readable by shortening the SSH keys to a manageable length, without losing any vital information.
Why is this useful?
- Quick Overview: You can see at a glance which keys are stored, without being overwhelmed by incredibly long lines.
- Ansible-Friendly: Your Ansible block markers remain exactly as they are, ensuring your automation continues to work seamlessly.
- Troubleshooting: If something isn’t working, you can quickly find the relevant entries.
- Security Check: During regular audits of your keys, you’ll immediately see which keys are present.
The awk Magic (Ansible-Aware!)
This awk script shortens the actual SSH keys (the second column) to the first and last 10 characters, supplemented by three dots in the middle. This way, you know the key has been truncated, but you still have enough identifying features. All other columns (such as command="…" or no-port-forwarding) naturally remain untouched.
ⓘ All options are detailed in the sshd(8) man page (section AUTHORIZED_KEYS FILE FORMAT).
Crucially, it checks for Ansible block markers and prints those lines exactly as they are, without any modification.
awk '
BEGIN { FS = " " } # Field separator " " (the awk default): split on runs of spaces and tabs
{
    # Check if the line is an Ansible block marker
    if ($0 ~ /^# (BEGIN|END) ANSIBLE MANAGED BLOCK/) {
        print # Print Ansible block markers as-is
    } else {
        # Process regular lines for key shortening
        # Check if the line has a key in the second column
        if (NF >= 2) {
            key = $2 # Store the key in a variable
            # If the key is longer than 20 characters, shorten it
            # (no apostrophes in these comments: one would end the shell quoting)
            if (length(key) > 20) {
                # The second column is reassigned: first 10 chars, "...", last 10 chars
                $2 = substr(key, 1, 10) "..." substr(key, length(key) - 9, 10)
            }
        }
        print # Print the (potentially shortened) line
    }
}' ~/.ssh/authorized_keys
How to Use It
Simply copy the awk command above and execute it directly in your terminal:
awk 'BEGIN { FS = " " } { if ($0 ~ /^# (BEGIN|END) ANSIBLE MANAGED BLOCK/) { print } else { if (NF >= 2) { key = $2; if (length(key) > 20) { $2 = substr(key, 1, 10) "..." substr(key, length(key) - 9, 10) } } print } }' ~/.ssh/authorized_keys
An example of what the output might look like. Instead of:
ssh-rsa AAAABC12345abc VERY_LONG_KEY_HERE abc123abc123abc123abc123abc123abc123== usera@host
# BEGIN ANSIBLE MANAGED BLOCK developers
ssh-rsa AAAABC78901xyz VERY_LONG_KEY_HERE xyz789xyz789xyz789xyz789xyz789xyz789== userb@host
# END ANSIBLE MANAGED BLOCK developers
You’ll then see:
ssh-rsa AAAABC1234...23abc123== usera@host
# BEGIN ANSIBLE MANAGED BLOCK developers
ssh-rsa AAAABC7890...89xyz789== userb@host
# END ANSIBLE MANAGED BLOCK developers
A Quick Explanation for the Curious
- BEGIN { FS = " " }: Defines the space as the field separator. awk splits each line into “fields” (columns) based on this separator.
- if ($0 ~ /^# (BEGIN|END) ANSIBLE MANAGED BLOCK/): This is the crucial part when using Ansible blocks!
  - $0 refers to the entire current line.
  - ~ is the match operator.
  - ^# (BEGIN|END) ANSIBLE MANAGED BLOCK is a regular expression that looks for lines starting with # BEGIN ANSIBLE MANAGED BLOCK or # END ANSIBLE MANAGED BLOCK. These lines usually have a marker at the end. This marker is ignored.
  - If a line matches this pattern, print is executed immediately, printing the line as is, and awk moves to the next line.
- else:
  - if (NF >= 2): Ensures that the line has at least two fields, so we can actually find a key to shorten.
  - key = $2: Stores the content of the second field (our SSH key) in the key variable.
  - if (length(key) > 20): Checks if the key is long enough to be shortened (10 characters start + 10 characters end = 20).
  - $2 = substr(key, 1, 10) "..." substr(key, length(key) - 9, 10): This is the core of the shortening. substr extracts parts of the string. Here, we take the first 10 characters, add "...", and then the last 10 characters.
  - print: Outputs the entire, now potentially adjusted, line.
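An added example (not the author's script): per sshd(8) an entry may begin with an options field such as command="..." or no-port-forwarding, which moves the key out of the second column, so this variant skips that field, honoring spaces inside quoted values, and then shortens the key the same way. The function names, the key-type pattern and the sample entries are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example: options-aware variant of the key shortener (names are hypothetical).
sample_authorized_keys() {   # constructed entries, not real keys
cat <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal0123456789 usera@host
# BEGIN ANSIBLE MANAGED BLOCK developers
command="echo ssh-rsa is fine",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedSampleKeyNotRealabcdefghij== userb@host
# END ANSIBLE MANAGED BLOCK developers
EOF
}

shorten_authorized_keys() {
    awk '
    # Length of the leading options field; blanks inside "..." do not end it.
    function options_len(s,    i, c, inq) {
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "\\" && inq) { i++; continue }   # skip an escaped character
            if (c == "\"") inq = !inq
            else if (!inq && (c == " " || c == "\t")) return i - 1
        }
        return length(s)
    }
    BEGIN { keytype = "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)" }   # assumed pattern
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments, Ansible markers, blank lines
    {
        match($0, /^[ \t]*/)
        head = substr($0, 1, RLENGTH); rest = substr($0, RLENGTH + 1)
        if (rest !~ keytype) {                 # entry starts with an options field
            n = options_len(rest)
            head = head substr(rest, 1, n); rest = substr(rest, n + 1)
            match(rest, /^[ \t]*/)
            head = head substr(rest, 1, RLENGTH); rest = substr(rest, RLENGTH + 1)
        }
        if (rest ~ keytype && match(rest, /^[^ \t]+[ \t]+/)) {
            head = head substr(rest, 1, RLENGTH); rest = substr(rest, RLENGTH + 1)
            match(rest, /^[^ \t]+/)            # the base64 key itself
            key = substr(rest, 1, RLENGTH); tail = substr(rest, RLENGTH + 1)
            if (length(key) > 20)
                key = substr(key, 1, 10) "..." substr(key, length(key) - 9)
            print head key tail                # original spacing is preserved
        } else {
            print                              # not a recognisable key entry
        }
    }' "$@"
}

sample_authorized_keys | shorten_authorized_keys
```

Pass a file name to run it on real data, for example shorten_authorized_keys ~/.ssh/authorized_keys; with no argument it reads standard input.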
Give it a try and make your authorized_keys files clear and manageable again! I hope this little trick helps you in your daily admin tasks.
Happy Administering!