Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Docs
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
Get started Vitals Queries Policies Software OS settings Data tables

Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

macOS Apple

Linux Linux

Windows Windows

Chrome ChromeOS

account_policy_data ad_config alf alf_exceptions alf_explicit_auths apfs_physical_stores apfs_volumes app_icons app_schemes apps arp_cache asl augeas authdb authorization_mechanisms authorizations authorized_keys azure_instance_metadata azure_instance_tags battery block_devices carbon_black_info carves certificates chrome_extension_content_scripts chrome_extensions codesign connected_displays corestorage_logical_volume_families corestorage_logical_volumes cpu_info cpu_time cpuid crashes crontab cryptoinfo csrutil_info cups_destinations cups_jobs curl curl_certificate device_file device_firmware device_hash device_partitions disk_encryption disk_events evented tabledns_resolvers docker_container_envs docker_container_fs_changes docker_container_labels docker_container_mounts docker_container_networks docker_container_ports docker_container_processes docker_container_stats docker_containers docker_image_history docker_image_labels docker_image_layers docker_images docker_info docker_network_labels docker_networks docker_version docker_volume_labels docker_volumes dscl ec2_instance_metadata ec2_instance_tags es_process_events evented tablees_process_file_events evented tableetc_hosts etc_protocols etc_services event_taps extended_attributes fan_speed_sensors file file_events evented tablefile_lines filevault_prk filevault_status filevault_users find_cmd firefox_addons firefox_preferences firmware_eficheck_integrity_check firmwarepasswd fleetd_logs gatekeeper gatekeeper_approved_apps google_chrome_profiles groups hardware_events evented tablehash homebrew_packages ibridge_info icloud_private_relay interface_addresses interface_details interface_ipv6 iokit_devicetree iokit_registry ioreg kernel_extensions kernel_info kernel_panics keychain_acls keychain_items known_hosts last launchd launchd_overrides listening_ports load_average location_services logged_in_users macadmins_unified_log macos_profiles macos_rsr magic managed_policies mdfind mdls mdm memory_array_mapped_addresses memory_arrays memory_device_mapped_addresses memory_devices memory_error_info mounts munki_info munki_installs nfs_shares npm_packages nvram nvram_info oem_strings orbit_info os_version osquery_events osquery_extensions osquery_flags osquery_info osquery_packs osquery_registry osquery_schedule package_bom package_install_history package_receipts parse_ini parse_json parse_jsonl parse_xml password_policy pci_devices platform_info plist pmset power_sensors preferences process_envs process_events evented tableprocess_memory_map process_open_files process_open_sockets processes prometheus_metrics puppet_info puppet_logs puppet_state pwd_policy python_packages quicklook_cache routes running_apps safari_extensions sandboxes screenlock secureboot shared_folders sharing_preferences shell_history signature sip_config smbios_tables smc_keys sntp_request socket_events evented tablesofa_security_release_info sofa_unpatched_cves software_update ssh_configs startup_items sudo_info sudoers suid_bin system_controls system_extensions system_info tcc_access temperature_sensors time time_machine_backups time_machine_destinations ulimit_info unified_log uptime usb_devices user_events evented tableuser_groups user_interaction_events evented tableuser_login_settings user_ssh_keys users virtual_memory_info vscode_extensions wifi_networks wifi_status wifi_survey xprotect_entries xprotect_meta xprotect_reports yara yara_events evented tableycloud_instance_metadata

user_ssh_keys

click to open the table of contents
macOS logo Windows logo Linux logo

user​_ssh​_keys

Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.

Column Type Description
encrypted integer 1 if key is encrypted, 0 otherwise
key_type text The type of the private key. One of [rsa, dsa, dh, ec, hmac, cmac], or the empty string.
path text Path to key file
pid_with_namespace integer Pids that contain a namespace
Only available on Linux
uid bigint The local user that owns the key file

Example

SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid);

Identify SSH keys stored in clear text in user directories

SELECT * FROM users JOIN user_ssh_keys USING (uid) WHERE encrypted = 0;

Notes

Querying this table requires joining against the users table. Learn more

Edit page

Questions?

Ask us anything
Fleet logo
Multi platform Device management Orchestration Software management Integrations Pricing
Documentation Support Docs API Release notes Get your license
Company About News Jobs Logos/artwork Why open source?
ISO 27001 coming soon a small checkmarkSOC2 Type 2 Creative Commons Licence CC BY-SA 4.0
© 2025 Fleet Inc. Privacy
Slack logo GitHub logo LinkedIn logo X (Twitter) logo Youtube logo Mastadon logo