Discovering Existing and Connecting Users on a Linux Server


By Alain Francois, Alibaba Cloud Community Blog author

As an administrator, you may need to grant remote users, such as your employees or collaborators, access to your server. You may also need to set up a public server that is accessible over the internet, which means that someone can try to penetrate your server.

In that situation, it's important to know exactly which users/accounts exist on your server and which users are currently connected, for better troubleshooting. Linux provides commands that help you reach that goal. We will go through the commands to use in this case.

1) Commands to List Existing Users on Your Server

On your system, you can list all existing users either with commands or by checking the content of the /etc/passwd and /etc/shadow files.

a) List /etc/passwd

Local user account data is stored in local files, such as the /etc/passwd file. Each line of the file consists of 7 entries (columns):

  • first column: the username
  • second column: the password
  • third column: the User ID
  • fourth column: the user’s primary group
  • fifth column: it’s the description
  • sixth column: the home directory of the user
  • seventh column: it defines the login shell of the user

By listing the content of this file, we get all the users of the system, but we need to filter the file with the awk command to keep only the columns with useful information.

b) Use the getent command

The getent command is used to display the entries of a number of Name Service Switch libraries, including passwd, group, hosts, aliases, and networks. You can use that command to list your existing users, but it gives you the same output as the /etc/passwd file.
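As an added example (not part of the original article), the shell functions below filter passwd-format lines with awk to show which accounts can log in interactively and which accounts have UID 0. The function names and the sample data are constructed for illustration; on a real server, feed the functions from /etc/passwd or `getent passwd`.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format (not taken from a real system).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
backup2:x:0:0:constructed second UID 0 account:/root:/bin/sh
svc-deploy:x:998:998::/opt/deploy:/bin/false
EOF
}

# Print "user uid shell" for every account whose login shell (column 7)
# is not nologin or false. An empty shell field is kept on purpose,
# because the system then falls back to /bin/sh.
login_accounts() {
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1, $3, $7 }'
}

# Print the name of every account with UID 0 (column 3).
# Normally only root should appear here.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Demo on the constructed sample. Real use:
#   getent passwd | login_accounts
#   uid0_accounts < /etc/passwd
echo "Accounts with an interactive login shell:"
sample_passwd | login_accounts
echo "Accounts with UID 0:"
sample_passwd | uid0_accounts
```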

c) Use /etc/shadow

For more security, your Linux machine uses the Shadow Suite, a set of authentication tools and utilities that works alongside the /etc/passwd file and user accounts. When the Shadow Suite is installed, the system stores encrypted passwords in the /etc/shadow file for user accounts and the /etc/gshadow file for group accounts. The file consists of 08 entries:

  • first column: the login name of the user
  • second column: the encrypted password
  • third column: Days between January 1, 1970, and the date when the password was last changed.
  • fourth column: Minimum: Days before password may be changed
  • fifth column: Maximum: Days after which password must be changed.
  • sixth column: Warn: Days before password expiration that user is warned.
  • seventh column: Inactive: Days after password expiration that account is disabled
  • eighth column: Expire: Days between January 1, 1970, and the date when the account was disabled.
  • ninth column: Reserved field (this field is currently not used).
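As an added example (not part of the original article), this shell function reads shadow-format lines and reports, per account, the state of the password field, the password age in days, and whether the age exceeds the Maximum column. The function name, the state labels and the sample data with placeholder hashes are constructed; the day number passed in is "today" counted in days since January 1, 1970.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format; the hash strings are placeholders.
sample_shadow() {
cat <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
daemon:*:18500:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:90:7:::
olduser:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18000:0:90:7:30::
guest::19650:0:99999:7:::
EOF
}

# shadow_report TODAY
# Reads shadow lines on stdin and prints "user state age_days status".
#   state  : EMPTY  = no password required for this login
#            locked = field starts with ! or *, so password login is disabled
#                     (other methods such as SSH keys may still work)
#            set    = a password hash is present
#   status : overdue when a set password is older than column 5 (Maximum)
shadow_report() {
    awk -F: -v today="$1" '
    {
        if ($2 == "")          state = "EMPTY"
        else if ($2 ~ /^[!*]/) state = "locked"
        else                   state = "set"
        age = ($3 == "") ? "-" : today - $3
        late = (state == "set" && $5 != "" && age != "-" && age > $5)
        print $1, state, age, (late ? "overdue" : "ok")
    }'
}

# Demo on the constructed sample, using the current day number.
# Real use needs root:  sudo cat /etc/shadow | shadow_report "$today"
today=$(( $(date +%s) / 86400 ))
sample_shadow | shadow_report "$today"
```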

d) Use the compgen command

There is a bash built-in command called compgen which normally shows all available commands, aliases, and functions. When you use it with the -u option, it shows the existing users.

2) Commands to Find Users Connected to Your Server

There are some commands that you can use to display the users connected on your server. Each command displays

a) w

This command lists the users who are currently logged in to the system and also shows you what they are doing. It means that if a user is editing a file, it will let you know that the user is editing a file.

The command displays the information in two parts. First, you have a header of 6 items showing:

  • the current time
  • how long, in minutes, the system has been running
  • the number of users logged on to the system
  • the system load averages for the last 1, 5 and 15 minutes;

and a table consisting of 08 columns:

  • USER: the login name of the user currently connected
  • TTY: the tty name that the user is currently using
  • FROM: the remote host (IP address) from which the user is logged in
  • LOGIN@: the time at which the user logged in to the system
  • IDLE: how long the user has been inactive
  • JCPU: the number of minutes accumulated by all processes attached to the tty, including only the currently running background processes
  • PCPU: the time consumed by the processes that the user is currently running
  • WHAT: the command line of the current process that the user is running. It also shows the options used with the command.

To see how the command works, we currently have 2 users remotely connected to our computer, so that we can view the results of the command.

By default it gives a report about all the users who have logged in using a console or GUI login window. It will not show the users connected through a window in a GUI that emulates a console commonly called terminal windows.

The w command can be used with some options to filter the result so that you display only the information you need. You can use the w --help command to list the available options.

b) who

The who command shows the users who are currently logged on to the system, but it doesn't show what they are doing. The output of the command is similar to that of the w command but in a shorter format, consisting only of 4 columns showing the users logged on to the system, the remote host, the tty and since when they have been logged in to the system.

You can display the information with a header line using the -H option.

Or you can print only the logged-on users together with the total number of users.

Use the who --help command to list the different options available to filter the results.

c) users

The users command prints the users currently logged in to the system. It doesn't give any additional information.

You can see that this command is very limited but useful if you only want to list the users. You can also get the number of users by combining it with the wc command.
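As an added example (not part of the original article), the shell functions below post-process `who` output to list only the sessions that come from a remote host and to count sessions per user. The function names and the sample lines are constructed, and the column layout assumed is the default `who` output with the remote host in parentheses as the last field.

```shell
#!/bin/sh
# Constructed sample of `who` output (documentation IP ranges, not real hosts).
sample_who() {
cat <<'EOF'
alice    tty1         2024-05-01 08:02
alice    pts/0        2024-05-01 09:15 (203.0.113.7)
bob      pts/1        2024-05-01 09:40 (198.51.100.23)
alice    pts/2        2024-05-01 10:05 (:0)
EOF
}

# Print "user tty host" for sessions whose last field is a host in
# parentheses. Entries such as (:0) are local X displays and are skipped,
# as are console logins that have no host field at all.
remote_sessions() {
    awk '$NF ~ /^\(.+\)$/ && $NF !~ /^\(:/ {
        host = $NF
        gsub(/[()]/, "", host)
        print $1, $2, host
    }'
}

# Print "user count" with the number of open sessions per user.
sessions_per_user() {
    awk '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# Demo on the constructed sample. Real use:
#   who | remote_sessions
#   who | sessions_per_user
#   users | wc -w        # total number of logged-in sessions
echo "Remote sessions:"
sample_who | remote_sessions
echo "Sessions per user:"
sample_who | sessions_per_user
```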

d) Other commands

There are two commands which also display the logged-in user, but they are limited to the session of the current user. It means that if you switch to another user, the command will only display that session's information. Those commands are:

  • whoami
  • id, which also shows the group information of the user and can show the information of another user whose name you know

As a system administrator, sometimes you need to make sure there is no access violation on your server. We have seen some commands which help you stay aware of who is connected, with the possibility of knowing what they are doing.
