Linux check logged in

6 Ways to check logged in users in Linux

Linux is a multi-user system. It is always important to know who has logged into your Linux box. This isn’t just to help track the activities of malicious users, but mostly to figure out who made the mistake that crashed the system.

We collect 6 Linux commands for this task.

The following Linux commands can be used to check logged-in users.

• w This command shows who’s logged in and what they are doing.
• who The who command in Linux displays a list of all the users who are currently logged in to the system.
• whoami The whoami command displays the username of the current user.
• id The id command Print user and group information for the logged user
• last The last command shows the list of the last logged in users
• tail -f /var/log/secure

check logged in users with w command in Linux

The best Linux command to check the logged-in users is using w command. All we need is to open the terminal then type w in the prompt. This command shows who’s logged in and what they are doing.

It displays information about current users on the machine by reading the file /var/run/utmp, and their processes from /proc.

The procedure to check logged-in users in Linux is as follows:

• Open the terminal application.
• Type w to check the user
• Press Enter to run the command.
• The output will display the users that are currently logged in. This includes their username, where they are logged in from, and what they are currently doing

Here’s an example output of the w command:

10:15:21 up 1 day, 2:30, 3 users, load average: 0.12, 0.10, 0.09
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user1 tty1 — 10:15 0.00s 0.01s 0.00s w
user2 pts/0 192.168.1.100 09:45 1:30 0.20s 0.05s sshd: user2@pts/0
user3 pts/1 192.168.1.101 08:30 2.50s 0.50s 0.10s top

The first line provides system-related information, including the current time, uptime, number of logged-in users, and the system load average.

The subsequent lines display the information for each logged-in user. It includes the username, terminal, remote host (if applicable), login time, idle time, JCPU (total CPU time for all processes), PCPU (CPU time for the current process), and the command or process associated with the session.

There are 3 users in this system. Each line corresponds to a user session and provides various details about the session.

Username	user1
Terminal	tty1
Remote Host	–
Login Time	10:15
Idle Time	0.00s
JCPU	0.01s
PCPU	0.00s
Command	w

check logged in users with Who command in Linux

who – The who command prints information about all users who are currently logged in. It reads from a default file location (usually /var/run/utmp).

$ who
ocp pts/0 Jan 26 12:05 (64.104.125.239)

The who command in Linux is used to display information about the currently logged-in users on the system.

When you run the who command without any options, it will display a list of logged-in users with the following details:

1. Username: The username of the logged-in user.
2. Terminal: The name of the terminal or device where the user is logged in. It can be a physical terminal or a remote session.
3. Date and time: The login date and time when the user session was initiated.

Here’s an example output of the `who` command:

user1 tty1 2023-06-25 10:15
user2 pts/0 2023-06-25 09:45 (:0)
user3 pts/1 2023-06-25 08:30 (:1)

In the example above, there are three logged-in users:

1. user1 is logged in on tty1 (a physical terminal) and logged in at 10:15.
2. user2 is logged in on pts/0, which indicates a pseudo-terminal or a remote session. The session is associated with display `:0` (X display).
3. user3 is logged in on pts/1 and associated with display `:1`.

The `who` command provides a quick overview of the currently active user sessions on the system.

check logged in users with whoami command in Linux

whoami – The whoami command shows you which user account you’re logged in to from a terminal window.
$ whoami
ocp

The whoami command in Linux is used to display the username of the current user who is executing the command. When you run the whoami command, it simply returns the username associated with the current user session.

In the example above, the whoami command returns user1, indicating that the current user executing the command is logged in as user1.

The whoami command is useful in scripts or command-line operations where you need to know the username of the current user without explicitly specifying it. It provides a convenient way to retrieve the current user’s identity within a shell session.

check logged in users with id command in Linux

id – The id command Print user and group information for the specified username
$ id
uid=50291(ocp) gid=50291(ocp) groups=50291(ocp) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The id command in Linux is used to display information about the current user or a specified user. When you run the id command without any options, it provides the following information about the current user:

• User ID (UID): The numerical identification assigned to the user by the system.
• Group ID (GID): The numerical identification assigned to the user’s primary group.
• User and Group Names: The names of the user and primary group.
• Supplementary Group IDs: The numerical identification of any additional groups that the user belongs to.

Here’s an example output of the id command for the current user:

$ id
uid=1000(username) gid=1000(groupname) groups=1000(groupname),10(wheel)

The id command also allows you to specify a username as an argument to retrieve information about a specific user. For example:

$ id anotheruser
uid=2000(anotheruser) gid=2000(anothergroup) groups=2000(anothergroup),3000(somegroup)

In the example above, the id anotheruser command displays information about the user anotheruser, including their UID, GID, user and group names, and supplementary group IDs.

The id command is useful for obtaining detailed information about user and group identities, which can be beneficial for system administration, access control, and verifying user permissions and group memberships.

check logged in users with last command in Linux

last – The last command shows list of last logged in users by searching the data from /var/log/wtmp file. Also it shows system reboot information.

$ sudo last
ocp pts/0 64.104.125.239 Wed Jan 26 12:05 still logged in
ocp pts/0 64.104.125.239 Wed Jan 26 08:59 – 09:09 (00:10)

The `last` command in Linux is used to display a list of recently logged-in users and their corresponding login history. When you run the `last` command without any options, it provides a chronological list of the most recent user logins, including the following information:

• Username: The username of the logged-in user.
• Terminal: The name of the terminal or device where the user logged in. It can be a physical terminal or a remote session.
• Remote Host: The IP address or hostname of the remote machine from which the user connected (if applicable).
• Login Time: The date and time when the user session was initiated.
• Logout Time: The date and time when the user session ended (if the user has logged out).
• Duration: The duration of the user’s session.

Here’s an example output of the `last` command:

user1 tty1 Thu Jun 24 09:30 still logged in
user2 pts/0 Wed Jun 23 17:45 still logged in (192.168.1.100)
user3 pts/1 Wed Jun 23 15:20 Thu Jun 24 09:00 (192.168.1.101)

`user1` is currently logged in on `tty1` (a physical terminal) since Thu Jun 24 09:30 and is still logged in.
`user2` is logged in on `pts/0` (a pseudo-terminal or remote session) since Wed Jun 23 17:45 and is still logged in. The session is associated with the remote host `192.168.1.100`.
`user3` logged in on `pts/1` since Wed Jun 23 15:20 and logged out on Thu Jun 24 09:00. The session was associated with the remote host `192.168.1.101`.

The `last` command is helpful for monitoring user logins, identifying active sessions, and checking the duration of user sessions. It can be used to track user activity, troubleshoot login issues, or investigate security incidents by examining login history.

check logged in users from log file in Linux

tail -f /var/log/secure – It is mainly used to track the usage of authorization systems.It stores all security related messages including authentication failures.It also tracks sudo logins, SSH logins and other errors logged by system security services daemon.

Jan 26 12:08:06 ip-172-31-37-167 sudo[31036]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Jan 26 12:08:06 ip-172-31-37-167 sudo[31036]: pam_unix(sudo:session): session opened for user root by ocp(uid=0)

The command tail -f /var/log/secure is used to monitor the /var/log/secure file in real-time.

Here’s a breakdown of the command:

• tail: It is a command-line utility in Linux used to display the end (tail) of a file.
• -f: It is an option for the tail command that stands for “follow.” When used with the -f option, tail will continuously monitor the file and display new lines as they are appended to the file.
• /var/log/secure: It is the path to the log file being monitored. In this case, it refers to the /var/log/secure file, which is commonly used to store security-related logs on Linux systems, including authentication attempts, successful logins, and other security events.

David is a Cloud & DevOps Enthusiast. He has years of experience as a Linux engineer. He had working experience in AMD, EMC. He likes Linux, Python, bash, and more. He is a technical blogger and a Software Engineer. He enjoys sharing his learning and contributing to open-source.

howtouselinux.com is dedicated to providing comprehensive information on using Linux.

We hope you find our site helpful and informative.

Источник

See Logged in Users on Ubuntu Linux

Linux from its core is made to have multiple users especially if we consider servers.

And there are several reasons why you want to check the currently logged-in users such as to check for unauthorized access.

The easiest way to check the logged-in users in your Ubuntu machine is to use the users command:

And as you can see, it brought the list of currently logged-in users.

Want to know more ways to list logged-in users? Here you have it.

How to find logged-in users in Ubuntu

Here, I will share some interesting utilities that will offer additional information such as the time of logging in, IP address, and a lot more.

So let’s get started with my personal favorite.

Use the w command to find logged-in users in Ubuntu

The w command can show you the currently logged-in users and what they are doing.

All you need to do is enter w in your terminal and it will bring the list of logged-in users:

• TTY will show the terminal used to log in. Here, tty7 indicates the user is logged in via the native terminal whereas the pts is used to indicate the ssh connection used to log in.
• FROM column will show the IP address of the remote connection.
• [email protected] will show the time of logging in.
• IDLE will show how long the user has kept the system idle.
• JPCU is the time used by all the processes that are attached to tty.
• PCPU will show the time taken by the current process that is shown in the WHAT section sitting right in the corner.
• WHAT will show the name of the current process.

And the above description will remain the same for all the utilities that I’m about to show you.

Use the who command to find logged-in users in Ubuntu

The who utility can show who is currently logged in to your system (pretty generic name right?).

While you can execute the who without an additional option, I would recommend using the -H option to have headings for each column:

Here, the LINE section will show the type of terminal used to log in (similar to TTY in the earlier command) and the COMMENT column will show the IP address.

Use the finger utility to find logged-in users in Ubuntu

Want to have the most detailed output in terms of finding logged-in users? Use the finger utility.

Unlike the other utilities, it does not come pre-installed and you’d need to use the following command for installation:

Now, all you need to do is execute the following:

And you’d notice that it has some extra columns showing details such as full name, phone, etc.

The reason behind the extra details is that finger is a user information lookup utility so if you added extra details while adding a user in Linux, those details will reflect here.

Bonus: List logged-in users since the last reboot

If you want to know who logged in to your system from the last reboot, you can use the last command:

The last command will simply look for the binary database located at /var/log/wtmp to list users who logged in since the last time system was rebooted.

Wrapping Up

This was a quick article on how you can find the currently logged-in users in Ubuntu.

And if you are using any other utilities, let me know through the comments.

Источник