How to find SSH Logins via command line

To find SSH Logins via command line

SSH, or secure shell, is a secure protocol and the most common way of safely administering remote servers. Using a number of encryption technologies, SSH provides a mechanism for establishing a cryptographically secured connection between two parties, authenticating each side to the other, and passing commands and output back and forth. In this tutorial, you will get to know the commands with which you can find information on SSH logins.

 

Finding SSH Logins

You can use the w command, which shows who is logged on and what they are doing on your machine. When it is used with the -i option, the list of users is displayed as follows.

[root@linuxhelp ~]# w -i
 12:33:40 up 25 min,  5 users,  load average: 0.25, 0.73, 0.68
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     :0       :0               03Aug17 ?xdm?   3:18   0.05s gdm-session-wor
root     pts/0    :0               03Aug17  4.00s  0.17s  0.01s w -i
root     pts/1    192.168.7.103    12:31    2:05   0.05s  0.05s -bash
root     pts/2    192.168.7.102    12:32    1:38   0.03s  0.03s -bash
root     pts/3    192.168.7.13     12:32    1:09   0.02s  0.02s -bash


If you want to check who is logged on, use the who command as follows. The logged-in users are listed together with the IP addresses they connected from.

[root@linuxhelp ~]# who
root     :0           2017-08-03 21:39 (:0)
root     pts/0        2017-08-03 21:39 (:0)
root     pts/1        2017-12-05 12:31 (192.168.7.103)
root     pts/2        2017-12-05 12:32 (192.168.7.102)
root     pts/3        2017-12-05 12:32 (192.168.7.13)


If you want to list the logged-in users, including those connected over SSH, use the -a option with the who command. Information such as system boot, category, run time, etc. is listed as follows.

[root@linuxhelp ~]# who -a
           system boot  2017-08-04 03:02
           run-level 5  2017-08-03 21:33
root     ? :0           2017-08-03 21:39   ?          2712 (:0)
root     + pts/0        2017-08-03 21:39 00:01        3288 (:0)
root     + pts/1        2017-12-05 12:31 00:10        4728 (192.168.7.103)
root     + pts/2        2017-12-05 12:32 00:09        4787 (192.168.7.102)
root     + pts/3        2017-12-05 12:32 00:09        4839 (192.168.7.13)
root     + pts/4        2017-12-05 12:38   .          3288 (:0)

 

If you want to list the users who are logged in to your system, you can also use the who command with the -u option.

[root@linuxhelp ~]# who -u
root     :0           2017-08-03 21:39   ?          2712 (:0)
root     pts/0        2017-08-03 21:39 00:02        3288 (:0)
root     pts/1        2017-12-05 12:31 00:11        4728 (192.168.7.103)
root     pts/2        2017-12-05 12:32 00:10        4787 (192.168.7.102)
root     pts/3        2017-12-05 12:32 00:10        4839 (192.168.7.13)
root     pts/4        2017-12-05 12:38   .          3288 (:0)
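
A check built on this output, as an added example that is not part of the original tutorial: the function reads who -u output and reports remote sessions whose source address is not on an allowlist. The names unexpected_sessions and sample_who_u are hypothetical, and treating 192.168.7.102 and 192.168.7.103 as the known admin hosts is an assumption.

```shell
#!/bin/sh
# Added example: flag remote login sessions whose source address is not on an
# allowlist. unexpected_sessions and sample_who_u are hypothetical names.

# Reads `who -u` output on stdin; allowed source addresses are the arguments.
unexpected_sessions() {
    awk -v allow="$*" '
    BEGIN {
        n = split(allow, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    # The last field is "(host)" for sessions that have a recorded origin.
    $NF ~ /^\(.+\)$/ {
        host = substr($NF, 2, length($NF) - 2)
        if (host ~ /^:/) next               # local X display such as :0
        if (!(host in ok))
            print $1, $2, host, "pid=" $(NF - 1)
    }'
}

# Sample input: the `who -u` output shown above.
sample_who_u() {
    cat <<'EOF'
root     :0           2017-08-03 21:39   ?          2712 (:0)
root     pts/0        2017-08-03 21:39 00:02        3288 (:0)
root     pts/1        2017-12-05 12:31 00:11        4728 (192.168.7.103)
root     pts/2        2017-12-05 12:32 00:10        4787 (192.168.7.102)
root     pts/3        2017-12-05 12:32 00:10        4839 (192.168.7.13)
root     pts/4        2017-12-05 12:38   .          3288 (:0)
EOF
}

# 192.168.7.102 and 192.168.7.103 are assumed to be the known admin hosts.
sample_who_u | unexpected_sessions 192.168.7.102 192.168.7.103
```

On a live system the input would be who -u itself. who only shows sessions recorded in utmp, so SSH connections without a terminal (for example a remote command or an sftp transfer) do not appear and have to be found in the logs instead.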


You can use the finger command to see SSH logins. The finger command displays the user's login name, real name, terminal name, etc. Check whether the finger command is installed; if it isn't, you can install it with the yum install command.

[root@linuxhelp ~]# yum install finger
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.vbctv.in
 * epel: epel.scopesky.iq
 * extras: mirror.vbctv.in
 * remi-php71: mirror.cedia.org.ec
 * remi-safe: mirror.cedia.org.ec
 * updates: mirror.vbctv.in
Resolving Dependencies
-->  Running transaction check
--->  Package finger.x86_64 0:0.17-52.el7 will be installed
-->  Finished Dependency Resolution
.
.
.
Is this ok [y/d/N]: y
Downloading packages:
finger-0.17-52.el7.x86_64.rpm                                                                                         |  25 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : finger-0.17-52.el7.x86_64                                                                                                 1/1 
  Verifying  : finger-0.17-52.el7.x86_64                                                                                                 1/1 

Installed:
  finger.x86_64 0:0.17-52.el7                                                                                                                

Complete!
-s option 


After the finger command is installed, you can make full use of it through its available options. Use the finger command with the -s option to display the user's login name, real name, terminal name, idle time, login time, office location, office phone number, etc.

[root@linuxhelp ~]# finger -s
Login     Name       Tty      Idle  Login Time   Office     Office Phone   Host
root      root      *:0             Aug  3 21:39                           (:0)
root      root       pts/0          Aug  3 21:39                           (:0)
root      root       pts/1       6  Dec  5 12:31                           (192.168.7.103)
root      root       pts/2       6  Dec  5 12:32                           (192.168.7.102)
root      root       pts/3       5  Dec  5 12:32                           (192.168.7.13)
root      root       pts/4          Dec  5 12:38                           (:0)

-l option 


You can use the -l option with the finger command to display information such as the user's home directory, home phone number, login shell, mail status, and the contents of the files, along with the information that can be obtained with the -s option.

[root@linuxhelp ~]# finger -l
Login: root                       Name: root
Directory: /root                        Shell: /bin/bash
On since Thu Aug  3 21:39 (IST) on :0 from :0 (messages off)
On since Thu Aug  3 21:39 (IST) on pts/0 from :0
   42 seconds idle
On since Tue Dec  5 12:31 (IST) on pts/1 from 192.168.7.103
   6 minutes 51 seconds idle
On since Tue Dec  5 12:32 (IST) on pts/2 from 192.168.7.102
   6 minutes 24 seconds idle
On since Tue Dec  5 12:32 (IST) on pts/3 from 192.168.7.13
   5 minutes 55 seconds idle
On since Tue Dec  5 12:38 (IST) on pts/4 from :0
   2 seconds idle
New mail received Thu Aug  3 21:33 2017 (IST)
     Unread since Tue Feb  7 15:27 2017 (IST)
No Plan.
Last Command


The last command can also be used for searching SSH logins. The last command searches back through the file /var/log/wtmp (or the file designated by the -f flag) and displays a list of all users logged in (and out) since that file was created. Names of users and ttys can be given, in which case last will show only those entries matching the arguments.

[root@linuxhelp ~]# last -w
root     pts/4        :0               Tue Dec  5 12:38   still logged in   
root     pts/3        192.168.7.13     Tue Dec  5 12:32   still logged in   
root     pts/2        192.168.7.102    Tue Dec  5 12:32   still logged in   
root     pts/1        192.168.7.103    Tue Dec  5 12:31   still logged in   
root     pts/0        :0               Thu Aug  3 21:39   still logged in   
root     :0           :0               Thu Aug  3 21:39   still logged in   
(unknown) :0           :0               Thu Aug  3 21:33 - 21:39  (00:05)    
reboot   system boot  3.10.0-123.el7.x86_64 Fri Aug  4 03:02 - 12:48 (123+09:45) 
root     pts/0        :0               Tue Mar 14 13:50 - 21:32 (142+07:42) 
root     pts/0        :0               Tue Mar 14 13:48 - 13:50  (00:01)    
root     :0           :0               Tue Mar 14 13:48 - 21:32 (142+07:43) 
(unknown) :0           :0               Tue Mar 14 13:48 - 13:48  (00:00)    
reboot   system boot  3.10.0-123.el7.x86_64 Tue Mar 14 19:17 - 21:32 (142+02:14) 
root     pts/0        :0               Tue Feb  7 15:40 - 15:42  (00:02)    
root     pts/0        :0               Tue Feb  7 15:38 - 15:39  (00:00)    
root     :0           :0               Tue Feb  7 15:26 - 15:47  (00:21)    
(unknown) :0           :0               Tue Feb  7 15:26 - 15:26  (00:00)    
reboot   system boot  3.10.0-123.el7.x86_64 Tue Feb  7 20:55 - 15:47  (-5:-7)    
wtmp begins Tue Feb  7 20:55:23 2017


You can use the -F option with the last command to produce the full report, including full login and logout times.

[root@linuxhelp ~]# last -F
root     pts/4        :0               Tue Dec  5 12:38:02 2017   still logged in                      
root     pts/3        192.168.7.13     Tue Dec  5 12:32:31 2017   still logged in                      
root     pts/2        192.168.7.102    Tue Dec  5 12:32:02 2017   still logged in                      
root     pts/1        192.168.7.103    Tue Dec  5 12:31:35 2017   still logged in                      
root     pts/0        :0               Thu Aug  3 21:39:26 2017   still logged in                      
root     :0           :0               Thu Aug  3 21:39:10 2017   still logged in                      
(unknown :0           :0               Thu Aug  3 21:33:17 2017 - Thu Aug  3 21:39:10 2017  (00:05)    
reboot   system boot  3.10.0-123.el7.x Fri Aug  4 03:02:56 2017 - Tue Dec  5 12:49:18 2017 (123+09:46) 
root     pts/0        :0               Tue Mar 14 13:50:10 2017 - Thu Aug  3 21:32:25 2017 (142+07:42) 
root     pts/0        :0               Tue Mar 14 13:48:56 2017 - Tue Mar 14 13:50:08 2017  (00:01)    
root     :0           :0               Tue Mar 14 13:48:38 2017 - Thu Aug  3 21:32:30 2017 (142+07:43) 
(unknown :0           :0               Tue Mar 14 13:48:11 2017 - Tue Mar 14 13:48:38 2017  (00:00)    
reboot   system boot  3.10.0-123.el7.x Tue Mar 14 19:17:51 2017 - Thu Aug  3 21:32:40 2017 (142+02:14) 
root     pts/0        :0               Tue Feb  7 15:40:17 2017 - Tue Feb  7 15:42:32 2017  (00:02)    
root     pts/0        :0               Tue Feb  7 15:38:48 2017 - Tue Feb  7 15:39:01 2017  (00:00)    
root     :0           :0               Tue Feb  7 15:26:26 2017 - Tue Feb  7 15:47:47 2017  (00:21)    
(unknown :0           :0               Tue Feb  7 15:26:05 2017 - Tue Feb  7 15:26:26 2017  (00:00)    
reboot   system boot  3.10.0-123.el7.x Tue Feb  7 20:55:23 2017 - Tue Feb  7 15:47:54 2017  (-5:-7)    
wtmp begins Tue Feb  7 20:55:23 2017

 

If you want to generate a summary report for your machine, you can use aureport. Use the -l option with the aureport command to list the login report, which includes SSH logins.

[root@linuxhelp ~]# aureport -l
Login Report
============================================
# date time auid host term exe success event
============================================
1. 02/07/2017 15:26:26 0 ? ? /usr/libexec/gdm-session-worker yes 359
2. 03/14/2017 13:48:36 0 ? ? /usr/libexec/gdm-session-worker yes 354
3. 08/03/2017 21:39:09 0 ? ? /usr/libexec/gdm-session-worker yes 361
4. 12/05/2017 12:31:35 0 192.168.7.103 ssh /usr/sbin/sshd yes 505
5. 12/05/2017 12:31:35 0 192.168.7.103 /dev/pts/1 /usr/sbin/sshd yes 510
6. 12/05/2017 12:31:59 root 192.168.7.102 ssh /usr/sbin/sshd no 523
7. 12/05/2017 12:32:02 0 192.168.7.102 /dev/pts/2 /usr/sbin/sshd yes 539
8. 12/05/2017 12:32:02 0 192.168.7.102 ssh /usr/sbin/sshd yes 551
9. 12/05/2017 12:32:31 0 192.168.7.13 /dev/pts/3 /usr/sbin/sshd yes 567

 

You can find the hardware type, MAC address, etc., of the connecting hosts by using the arp command.

[root@linuxhelp ~]# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.7.102            ether   4c:72:b9:98:8e:26   C                     eno16777736
192.168.7.13             ether   00:0c:29:e1:c1:72   C                     eno16777736
192.168.7.12                     (incomplete)                              eno16777736
192.168.7.103            ether   00:22:4d:9f:8f:d5   C                     eno16777736
192.168.7.1              ether   3c:61:04:6c:d6:81   C                     eno16777736

 

Apart from the above commands, you can also view SSH user details through the following command. 

[root@linuxhelp ~]# tailf /var/log/secure 
Dec  5 12:32:01 linuxhelp sshd[4783]: Accepted password for root from 192.168.7.102 port 53600 ssh2
Dec  5 12:32:01 linuxhelp sshd[4783]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec  5 12:32:02 linuxhelp sshd[4785]: Accepted password for root from 192.168.7.102 port 53601 ssh2
Dec  5 12:32:02 linuxhelp sshd[4785]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec  5 12:32:02 linuxhelp sshd[4785]: subsystem request for sftp by user root
Dec  5 12:32:31 linuxhelp sshd[4833]: Accepted password for root from 192.168.7.13 port 44820 ssh2
Dec  5 12:32:31 linuxhelp sshd[4833]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec  5 12:52:58 linuxhelp useradd[34043]: failed adding user 'user1', exit code: 9
Dec  5 12:53:05 linuxhelp su: pam_unix(su:session): session opened for user user1 by root(uid=0)
Dec  5 12:55:16 linuxhelp su: pam_unix(su:session): session closed for user user1

 

Or, to view only the SSH details, you can filter the output for sshd with grep as follows.

[root@linuxhelp ~]# tailf /var/log/secure | grep sshd
Dec  5 12:32:01 linuxhelp sshd[4783]: Accepted password for root from 192.168.7.102 port 53600 ssh2
Dec  5 12:32:01 linuxhelp sshd[4783]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec  5 12:32:02 linuxhelp sshd[4785]: Accepted password for root from 192.168.7.102 port 53601 ssh2
Dec  5 12:32:02 linuxhelp sshd[4785]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec  5 12:32:02 linuxhelp sshd[4785]: subsystem request for sftp by user root
Dec  5 12:32:31 linuxhelp sshd[4833]: Accepted password for root from 192.168.7.13 port 44820 ssh2
Dec  5 12:32:31 linuxhelp sshd[4833]: pam_unix(sshd:session): session opened for user root by (uid=0)
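
A summary of such a log, as an added example that is not part of the original tutorial: the function reads sshd lines in the /var/log/secure format shown above and counts accepted and failed authentications per source address and user. The names ssh_login_summary and sample_secure_log are hypothetical, and the sample lines are constructed for illustration (the Failed lines and the 203.0.113.5 address do not come from the page).

```shell
#!/bin/sh
# Added example: count accepted and failed sshd authentications per source
# address and user. ssh_login_summary and sample_secure_log are hypothetical.

# Reads syslog-format lines (as in /var/log/secure) on stdin.
ssh_login_summary() {
    awk '
    $5 ~ /^sshd\[/ && ($6 == "Accepted" || $6 == "Failed") {
        # Scan right to left for "from ADDR port N": the user name is logged
        # before it, so extra words in the name do not shift the address.
        for (i = NF - 2; i > 7; i--) {
            if ($i == "from" && $(i + 2) == "port") {
                key = $(i + 1) " " $(i - 1)
                if ($6 == "Accepted") ok[key]++
                else bad[key]++
                seen[key] = 1
                break
            }
        }
    }
    END {
        for (k in seen)
            printf "%s accepted=%d failed=%d\n", k, ok[k] + 0, bad[k] + 0
    }' | sort
}

# Constructed sample input in the format of the log excerpt above.
sample_secure_log() {
    cat <<'EOF'
Dec  5 12:31:59 linuxhelp sshd[4783]: Failed password for root from 192.168.7.102 port 53600 ssh2
Dec  5 12:32:01 linuxhelp sshd[4783]: Accepted password for root from 192.168.7.102 port 53600 ssh2
Dec  5 12:32:01 linuxhelp sshd[4783]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec  5 12:32:31 linuxhelp sshd[4833]: Accepted password for root from 192.168.7.13 port 44820 ssh2
Dec  5 12:40:10 linuxhelp sshd[5001]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Dec  5 12:40:12 linuxhelp sshd[5001]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Dec  5 12:53:05 linuxhelp su: pam_unix(su:session): session opened for user user1 by root(uid=0)
EOF
}

# Output columns: source address, user, accepted count, failed count.
sample_secure_log | ssh_login_summary
```

On a live system the input would be /var/log/secure itself; Debian-family systems write the same sshd messages to /var/log/auth.log.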

 

With this, the methods to find and view SSH logins through the command line come to an end.

FAQ
Q
How do I set a user's home directory?
A
Pragma SSH Server supports the user settings in Windows, including home directory and logon script. You may also set up a home directory for each user for ssh only, by setting the Home Directory on the Users General Setting tab.
Q
How do I get rid of the Character Map prompt?
A
Beginning with Version 6.0, the Character Map prompt is only displayed when an unknown terminal type is used, or if the server administrator requests it. If you need to assign a character map, enter the value in the Default Character Map exactly as it appears in the prompt. For example, enter [vtxxx] for our default option.
Q
How to Find SSH Logins?
A
You can use the w command which shows who is logged on and what they are doing in your machine.
# w -i
Q
Where should I keep my private key?
A
In general, your private key should live only on a system to which you and no (or very few) other people have access; for example, a workstation in your office or home, or your laptop. In general, putting a private key on a system to which many other people have access isn't advisable.
Q
How does public key authentication work, exactly?
A
The ssh-keygen command will generate an SSH keypair (by default, in your $HOME/.ssh directory). A keypair consists of two files: a private key (id_rsa or id_dsa) and the corresponding public key (id_rsa.pub or id_dsa.pub).