1. Overview

SSH is a network protocol that lets us connect to remote computers. Sometimes when managing Linux servers, we need to view who’s connected over SSH. In this tutorial, we’ll have a look at how to list active SSH sessions. We’ll examine several possible methods and bring out their pros and cons.

2. The who Command

To view a list of logged-in users, let’s start by using the who command:

$ who
user1     tty1         2020-08-29 14:59
user2     pts/0        2020-08-29 14:57 (203.0.113.24)
user3     pts/1        2020-08-29 15:02 (203.0.113.13)

In the first column in the output, we can see the list of currently logged-in users. The second column displays how the users are connected. In this example, user2 and user3 are connected using SSH, whereas user1 is connected directly to the server.

SSH sessions will be on a pseudo-terminal slave (pts). But keep in mind that not all pts connections are necessarily SSH connections. For example, the screen command will also create a pseudo-terminal slave.

Additionally, the who command won’t show SFTP connections because they’re not shell login sessions.

3. The w Command

Similarly to the who command, we can use the w command. In addition to showing who’s logged in, it also displays what the users are doing:

$ w
 16:21:34 up  1:29,  3 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
user1    tty1     -                14:59   16.00s  0.05s  0.01s -bash
user2    pts/0    203.0.113.24     14:57    5.00s  0.04s  0.02s vim
user3    pts/1    203.0.113.13     15:02    1.00s  0.02s  0.00s w

Bear in mind that the w command has the same drawbacks as the who command. First of all, not all logged-in users are necessarily connected via SSH. To determine that, we have to examine the TTY column.

Previously, we established that SSH sessions would be on a pseudo-terminal slave (pts). Here also, we need to keep in mind that not all pts sessions are SSH connections.

In most cases, the w and who commands are the quickest way to get a brief overview of SSH sessions. Generally, logged-in users are connected via SSH.

4. The last Command

Besides the who and w commands, the last command is another way of finding logged-in users. It displays a list of the most recently logged-in users. As we’re only interested in the currently logged-in users, let’s use grep to filter the output of last:

$ last | grep 'still logged in'
root     pts/1        203.0.113.13   Sat Aug 29 15:02   still logged in
root     tty1                        Sat Aug 29 14:59   still logged in
root     pts/0        203.0.113.24   Sat Aug 29 14:57   still logged in

The last command doesn’t explicitly display SSH connections. Instead, it shows logged-in users. We have to determine how the user is connected by looking at the second column of the output. SSH sessions will be on a pseudo-terminal slave (pts). But we also have to consider that not all pts connections are necessarily SSH connections.

5. The netstat Command

So far, we’ve looked at several methods that display logged-in users. SSH sessions can also be found by looking at network connections. To do that, let’s use netstat:

$ netstat -atnp | grep 'ESTABLISHED.*sshd'
tcp        0      0 198.51.100.14:22        203.0.113.13:49570    ESTABLISHED 1674/sshd: user1@pts 
tcp        0     36 198.51.100.14:22        203.0.113.24:57586    ESTABLISHED 1894/sshd: user2@pts 

netstat will display more information than we need. Therefore, to home in on established SSH connections, let’s use grep to filter the results. From the output, we can see that user1 and user2 are connected via SSH.

In scenarios where using commands that list logged-in users is not enough, netstat will give us a more accurate picture of active SSH sessions.

6. The ss Command

Another useful utility to find SSH connections is the ss command. It’s a tool that’s used to investigate sockets.

Let’s find active SSH connections by grepping the output of ss for ssh:

$ ss | grep ssh
tcp   ESTAB  0      0                    198.51.100.14:ssh       203.0.113.13:49570
tcp   ESTAB  0      36                   198.51.100.14:ssh       203.0.113.24:57586

Something to consider when using ss is that we don’t see the usernames behind the connections as we do with netstat.

7. The ps Command

Active SSH sessions can also be found by looking at the running processes with the ps command.

Let’s use ps and grep its output for sshd:

$ ps axfj | grep sshd
      1     776     776     776 ?             -1 Ss       0   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
    776   15457   15457   15457 ?             -1 Ss       0   0:00  \_ sshd: user1@pts/0
  15558   15681   15680   15558 pts/0      15680 S+       0   0:00  |       \_ grep --color=auto sshd
    776   15596   15596   15596 ?             -1 Ss       0   0:00  \_ sshd: user2@pts/1

The first line is the master server that’s listening for new SSH connections. Below that, we can see child processes that serve a single SSH connection each. By looking at them, we can see that user1 and user2 are connected via SSH.

When listing logged-in users is insufficient, ps can give us a more accurate overview of active SSH sessions.
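
To separate real SSH logins from other pts entries, the following added example (not part of the original tutorial) matches who output against the sshd: USER@TTY process titles shown above, and also reports SSH sessions that have no terminal, which who doesn't list. The sample data is constructed, and the sshd-session title prefix is an assumption for OpenSSH builds that run a separate per-session binary.

```shell
# Constructed sample input (not captured from a real host).
SAMPLE_WHO='user1     tty1         2020-08-29 14:59
user2     pts/0        2020-08-29 14:57 (203.0.113.24)
user3     pts/1        2020-08-29 15:02 (203.0.113.13)
user3     pts/2        2020-08-29 15:05 (:pts/1:S.0)'
SAMPLE_PS='sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
sshd: user2 [priv]
sshd: user2@pts/0
sshd: user3@pts/1
sshd: user4@notty
SCREEN -S build
grep --color=auto sshd'

# classify_sessions WHO_TEXT PS_TEXT
# Prints "USER TTY KIND" for every who entry, plus terminal-less SSH sessions.
classify_sessions() {
  { printf '%s\n' "$2"; echo '--who--'; printf '%s\n' "$1"; } | awk '
    $0 == "--who--" { in_who = 1; next }
    # Part 1: process titles. Only "sshd: USER@TTY" is a live session;
    # the listener, "[priv]" monitors and the grep itself have no "@" in $2.
    # "sshd-session:" is accepted as an assumed prefix on newer builds.
    !in_who {
      if ($1 ~ /^sshd(-session)?:$/ && $2 ~ /@/) {
        split($2, p, "@")
        if (p[2] == "notty") notty[p[1]]++   # SFTP, scp or a remote command
        else ssh[p[1] "@" p[2]] = 1          # interactive shell on a pts
      }
      next
    }
    # Part 2: who lines, "USER TTY DATE TIME [(HOST)]".
    NF >= 2 {
      if (($1 "@" $2) in ssh)  kind = "ssh"
      else if ($2 ~ /^pts\//)  kind = "pts-not-ssh"   # e.g. a screen window
      else                     kind = "local"
      print $1, $2, kind
    }
    END { for (u in notty) print u, "notty", "ssh-no-tty" }
  '
}

# Live use: classify_sessions "$(who)" "$(ps -eo args=)"
classify_sessions "$SAMPLE_WHO" "$SAMPLE_PS"
```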

8. SSH Daemon Logs

Log files are another source of SSH-related information. The location of log files depends on the Linux distribution we’re using. For example, in Ubuntu, SSH-related logs are in /var/log/auth.log.

Let’s examine the logs and see what happens when user1 connects via SSH:

Aug 30 08:43:36 my-ssh-server sshd[16469]: pam_unix(sshd:session): session opened for user user1 by (uid=1)

A new session is created for user1. If user1 logs out, the session will be closed:

Aug 30 08:49:02 my-ssh-server sshd[16469]: pam_unix(sshd:session): session closed for user user1

Logs are an excellent source of historical information. But they’re not convenient for quickly finding out the currently active SSH sessions.
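
If the logs are all we have, we can still reconstruct the open sessions by pairing each "session opened" line with the "session closed" line from the same sshd PID. The following is an added example, not part of the original tutorial; the log lines are constructed, and the function name open_sessions is our own.

```shell
# Constructed sample log (same format as the lines above).
SAMPLE_LOG='Aug 30 08:40:01 my-ssh-server sshd[15990]: pam_unix(sshd:session): session closed for user user3
Aug 30 08:43:36 my-ssh-server sshd[16469]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Aug 30 08:49:02 my-ssh-server sshd[16469]: pam_unix(sshd:session): session closed for user user1
Aug 30 08:51:10 my-ssh-server sshd[16502]: pam_unix(sshd:session): session opened for user user2 by (uid=0)
Aug 30 08:55:00 my-ssh-server CRON[16550]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 30 09:02:47 my-ssh-server sshd[16611]: pam_unix(sshd:session): session opened for user user1(uid=1000) by (uid=0)'

# open_sessions LOG_TEXT
# Prints "PID USER OPENED-AT" for every sshd session with no matching close.
open_sessions() {
  printf '%s\n' "$1" | awk '
    /pam_unix\(sshd:session\): session (opened|closed) for user / {
      # Locate the "sshd[PID]:" tag instead of assuming a timestamp layout.
      for (i = 1; i <= NF; i++) if ($i ~ /^sshd\[[0-9]+\]:$/) break
      if (i > NF) next
      pid = $i; gsub(/[^0-9]/, "", pid)
      user = $(i + 6); sub(/\(.*/, "", user)   # some PAM versions log "user1(uid=1000)"
      if ($(i + 3) == "opened") {
        ts = $1; for (j = 2; j <= i - 2; j++) ts = ts " " $j   # fields before the host
        name[pid] = user; since[pid] = ts
      } else {
        delete name[pid]    # a close with no open (rotated away) is a no-op
      }
    }
    END { for (pid in name) print pid, name[pid], since[pid] }
  ' | sort -n
}

# Live use on Ubuntu: open_sessions "$(cat /var/log/auth.log)"
open_sessions "$SAMPLE_LOG"
```

A session whose sshd process died without logging a close stays in this list, so we should confirm the reported PIDs with ps.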

9. Conclusion

In this tutorial, we looked at how to list connected SSH sessions. We covered several methods that can be used to find them. Additionally, we went over their pros and cons.
