1. Overview

SSH is a network protocol that lets us connect to remote computers. Sometimes when managing Linux servers, we need to view who’s connected over SSH. In this tutorial, we’ll have a look at how to list active SSH sessions. We’ll examine several possible methods and bring out their pros and cons.

2. The who Command

To view a list of logged-in users, let’s start by using the who command:

$ who
user1     tty1         2020-08-29 14:59
user2     pts/0        2020-08-29 14:57 (203.0.113.24)
user3     pts/1        2020-08-29 15:02 (203.0.113.13)

In the first column in the output, we can see the list of currently logged-in users. The second column displays how the users are connected. In this example, user2 and user3 are connected using SSH, whereas user1 is connected directly to the server.

SSH sessions will be on a pseudo-terminal slave (pts). But keep in mind that not all pts connections are necessarily SSH connections. For example, the screen command will also create a pseudo-terminal slave.

Additionally, the who command won’t show SFTP connections because they’re not shell login sessions.

3. The w Command

Similarly to the who command, we can use the w command. In addition to showing who’s logged in, it also displays what the users are doing:

$ w
 16:21:34 up  1:29,  3 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             [email protected]   IDLE   JCPU   PCPU WHAT
user1    tty1     -                14:59   16.00s  0.05s  0.01s -bash
user2    pts/0    203.0.113.24     14:57    5.00s  0.04s  0.02s vim
user3    pts/1    203.0.113.13     15:02    1.00s  0.02s  0.00s w

Bear in mind that the w command has the same drawbacks as the who command. First of all, not all logged-in users are necessarily connected via SSH. To determine that, we have to examine the TTY column.

Previously, we established that SSH sessions would be on a pseudo-terminal slave (pts). Here also, we need to keep in mind that not all pts sessions are SSH connections.

In most cases, w and who commands are the quickest methods of getting a brief overview of SSH sessions. Generally, logged-in users are connected via SSH.

4. The last Command

Besides the who and w commands, the last command is another way of finding logged-in users. It displays a listing of last logged in users. As we’re only interested in the currently logged in users, let’s use grep to filter the output of last:

$ last | grep 'still logged in'
root     pts/1        203.0.113.13   Sat Aug 29 15:02   still logged in
root     tty1                        Sat Aug 29 14:59   still logged in
root     pts/0        203.0.113.24   Sat Aug 29 14:57   still logged in

The last command doesn’t explicitly display SSH connections. Instead, it shows logged-in users. We have to determine how the user is connected by looking at the second column of the output. SSH sessions will be on a pseudo-terminal slave (pts). But we also have to consider that not all pts connections are necessarily SSH connections.

5. The netstat Command

So far, we’ve looked at several methods that display logged-in users. SSH sessions can also be found by looking at network connections. To do that, let’s use netstat:

$ netstat -atnp | grep 'ESTABLISHED.*sshd'
tcp        0      0 198.51.100.14:22        203.0.113.13:49570    ESTABLISHED 1674/sshd: [email protected] 
tcp        0     36 198.51.100.14:22        203.0.113.24:57586    ESTABLISHED 1894/sshd: [email protected] 

netstat will display more information than we need. Therefore, to hone in on established SSH connections, let’s use grep to filter the results. From the output, we can see that user1 and user2 are connected via SSH.

In scenarios where using commands that list logged-in users is not enough, netstat will give us a more accurate picture of active SSH sessions.

6. The ss Command

Another useful utility to find SSH connections is the ss command. It’s a tool that’s used to investigate sockets.

Let’s find active SSH connections by grepping the output of ss for ssh:

$ ss | grep ssh
tcp   ESTAB  0      0                    198.51.100.14:ssh       203.0.113.13:49570                                                                           
tcp   ESTAB  0      36                   198.51.100.14:ssh       203.0.113.24:57586 

Something to consider when using ss is that we don’t see the usernames behind the connections as we do with netstat.

7. The ps Command

Active SSH sessions can also be found by looking at the running processes with the ps command.

Let’s use ps and grep its output for sshd:

$ ps axfj | grep sshd
      1     776     776     776 ?             -1 Ss       0   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
    776   15457   15457   15457 ?             -1 Ss       0   0:00  \_ sshd: [email protected]/0
  15558   15681   15680   15558 pts/0      15680 S+       0   0:00  |       \_ grep --color=auto sshd
    776   15596   15596   15596 ?             -1 Ss       0   0:00  \_ sshd: [email protected]/1

The first line is the master server that’s listening for new SSH connections. Below that, we can see child processes that serve a single SSH connection each. By looking at them, we can see that user1 and user2 are connected via SSH.

When listing logged-in users is insufficient, ps can give us a more accurate overview of active SSH sessions.

8. SSH Daemon Logs

Log files are another source of SSH related information. The location of log files depends on the Linux distribution we’re using. For example, in Ubuntu, SSH related logs are in /var/log/auth.log.

Let’s examine the logs and see what happens when user1 connects via SSH:

Aug 30 08:43:36 my-ssh-server sshd[16469]: pam_unix(sshd:session): session opened for user user1 by (uid=1)

A new session is created for user1. If user1 logs out, the session will be closed:

Aug 30 08:49:02 my-ssh-server sshd[16469]: pam_unix(sshd:session): session closed for user user1

Logs are an excellent source of historical information. But they’re not convenient for quickly finding out the currently active SSH sessions.

9. Conclusion

In this tutorial, we looked at how to list connected SSH sessions. We covered several methods that can be used to find them. Additionally, we went over their pros and cons.

guest
0 Comments
Inline Feedbacks
View all comments