Would it be possible for ExtraHop to identify SSH sessions using public key authentication?
We previously investigated this; @costlow can confirm, but I believe we found that differentiating interactive logons and public key auth was too implementation-dependent to be added as a stable feature.
I just took two SSH pcaps, one with key authentication and one with password auth. There is no immediate way to tell the difference between them other than timing differences. SSH loves to encrypt everything.
Someone can do some more investigation if they wish, but I don’t think this is easy.
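Why the two pcaps look alike on the wire, as an added example (not part of the original thread and not ExtraHop code): in SSH the authentication request is sent only after NEWKEYS, so a passive parser sees the same cleartext messages for either method. The function names, the banner string, the placeholder message bodies and the ciphertext lengths are constructed for illustration.

```python
import os
import struct

# Message numbers from RFC 4253 / RFC 5656; 30 is the client's key-exchange init.
MSG_NAMES = {20: "KEXINIT", 30: "KEX_ECDH_INIT", 21: "NEWKEYS"}
NEWKEYS = 21


def pack(msg_type: int, body: bytes = b"") -> bytes:
    """Build an unencrypted SSH binary packet (RFC 4253 section 6), no MAC."""
    payload = bytes([msg_type]) + body
    pad = 8 - (5 + len(payload)) % 8      # total size must be a multiple of 8
    if pad < 4:                           # and padding must be at least 4 bytes
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)


def visible_messages(stream: bytes):
    """Return (banner, cleartext message names, opaque byte count) for one direction."""
    banner, sep, rest = stream.partition(b"\r\n")
    if not sep or not banner.startswith(b"SSH-"):
        raise ValueError("not an SSH stream")
    names, off = [], 0
    while off + 6 <= len(rest):
        length, _pad, msg_type = struct.unpack_from(">IBB", rest, off)
        if length < 2 or off + 4 + length > len(rest):
            raise ValueError("truncated or malformed packet")
        names.append(MSG_NAMES.get(msg_type, f"msg {msg_type}"))
        off += 4 + length
        if msg_type == NEWKEYS:           # everything after this is ciphertext
            break
    return banner.decode(), names, len(rest) - off


def client_stream(auth_ciphertext_len: int) -> bytes:
    """Constructed client-to-server bytes; random data stands in for real fields."""
    return (b"SSH-2.0-ExampleClient\r\n"
            + pack(20, os.urandom(40))    # KEXINIT body (placeholder bytes)
            + pack(30, os.urandom(32))    # key-exchange public value (placeholder)
            + pack(21)                    # NEWKEYS
            + os.urandom(auth_ciphertext_len))  # encrypted auth exchange


if __name__ == "__main__":
    for label, n in (("password", 84), ("publickey", 644)):  # constructed sizes
        print(label, visible_messages(client_stream(n)))
```

Only the trailing opaque byte count differs between the two constructed streams, which is the kind of size and timing signal the replies above call implementation-dependent.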