LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (http://www.linuxquestions.org/questions/linux-general-1/)
-   -   Who Is Logged In (http://www.linuxquestions.org/questions/linux-general-1/who-is-logged-in-4175445751/)

Brandon9000 01-15-2013 04:38 PM

Who Is Logged In
 
Hi. I would like to be able to see the logged in users and to distinguish which one, if any, is physically logged into the desktop.

Thanks in advance.

Kustom42 01-15-2013 04:41 PM

try the following command from the CLI, its a tough one :p

Code:

w
Yep, just w. Or you could type out "who" which is what it actually is but think of all the time you are saving not typing the other two letters!

Brandon9000 01-15-2013 04:42 PM

I would like to be able to distinguish which one, if any, is physically logged into the desktop.

Kustom42 01-15-2013 04:44 PM

If you run the command you will see that you can determine that based upon the "FROM" and the "WHAT" if the "WHAT" has an sshd: you know they are ssh'ed. If the from is an external address you know they are accessing externally.

Brandon9000 01-15-2013 04:58 PM

Actually, I just tried logging in remotely with ssh and the WHAT listed was "-bash." This sounds like it would be hard to pin down the exact algorithm for figuring out who was at the desktop. I don't mean to sound ungrateful, but is there anything else? For example, is there a way to examine the tty column and figure out which one(s) is/are, they physical desktop?

Thanks again.

Kustom42 01-15-2013 05:05 PM

The what can be different based upon your sshd config but the FROM should be pretty obvious. You can dig into the actual proc files and look at the /var/log/secure and /var/log/audit/audit.log as these should be logging your external connections but I'm curious as to why the FROM isn't enough for you?

suicidaleggroll 01-15-2013 05:40 PM

Quote:

Originally Posted by Brandon9000 (Post 4870907)
Actually, I just tried logging in remotely with ssh and the WHAT listed was "-bash." This sounds like it would be hard to pin down the exact algorithm for figuring out who was at the desktop. I don't mean to sound ungrateful, but is there anything else? For example, is there a way to examine the tty column and figure out which one(s) is/are, they physical desktop?

Thanks again.

How about the FROM column? Mine shows :0.0 or :0.1 for local, or the hostname that they SSHd in from for remote connections. You can also look at the TTY column, mine shows pts/# for most connections, and tty# for whoever is actually logged in locally.

chrism01 01-15-2013 06:13 PM

Actually, on my desktop, I get tty for original (X-win) login, but pts for each xterm opened ... I'd go with the FROM column info.

jpollard 01-15-2013 08:50 PM

The proper way is by the tty identity.

The FROM column is totally optional (which is why it is blank in some cases). The convention is that it contains the remote host IP number where the connection is from.... But that can be masked.

A local login is always using a tty number. These are the virtual consoles (tty0-62), though none I have seen have ever created that many.

Attached serial devices (ttyS0/ttyS1 ...) might be considered local, but if they are attached to a dialup style modem, they aren't (and the FROM column will still be blank).

Network connections nearly always use pseudo terminals (the pts/nnn format), but it isn't necessary. Ssh has a login that doesn't use a tty... and therefore the who/w commands don't even show them.

Try "ssh remotehost w", give the password and see.

For an even more impressive example do "ssh remotehost sh". You don't usually see a prompt, but give the w command, and then try "tty" (you will get "not a tty" because what you have is a socket). This also applies to using scp - it is a login, but again, no tty is initialized.

BTW, you get the equivalent of "scp remote:file newfile" by doing "ssh remote cat file >newfile" but it is longer to type...

Another similar case -but looks odd, Do a "ssh -X remotehost xterm -ut". This assumes that the xterm utility is installed. This is the basic terminal emulator (using a pts/nnn device), and will/should show a terminal window that is logged in on the remote system. Do a who (or w) command in the window.
No utmp/wtmp entry is created at all - so you can't even see the login even with a terminal.

In these cases, you have a remote login... but no entry in the utmp/wtmp file, and thus, the who command cannot display anything about it.

Brandon9000 01-16-2013 07:24 AM

I am still not sure from this discussion what the actual algorithm is. Using the FROM column or, if someone prefers, the TTY column, what is the exact algorithm to distinguish logins originating on the physical desktop machine?

jpollard 01-16-2013 07:46 AM

The fact is that none are reliable.

You can't even really tell if there are any logins at all, unless the remote users allow you to know if they are logged in.

The only sure way is to look for processes ("ps -uf", which will ignore system processes, and list any associated TTY if there is one).

for example:
Code:

$ who
(unknown) :0          2012-12-25 22:53 (:0)
$ ps -uf
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
USER      PID %CPU %MEM    VSZ  RSS TTY      STAT START  TIME COMMAND
jesse    25086  0.1  0.3 115796  3396 pts/0    Ss  08:32  0:00 bash
jesse    25167  0.0  0.1 115704  1040 pts/0    R+  08:34  0:00  \_ ps -uf

The "(unknown) :0" happens to be gdm... yet I am logged in using pts/0 (happen to be using a ssh connection)

It is also possible that a "ps -uf" won't even show... The ps is just a snapshot, and a connection may make/break fast enough that the command never sees the process:

Code:

$ ssh kimi ps -uf
jesse@kimi's password:
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
USER      PID %CPU %MEM    VSZ  RSS TTY      STAT START  TIME COMMAND
$

For most things though, a ps -uf will show any persistent login activity.

To capture the transients you have to be running process accounting, which captures every process termination and records entries.

Usually, the log files (/var/log/audit or /var/log/messages) should have an entry.

Brandon9000 01-16-2013 07:48 AM

I'm not quite sure how this answer relates to my question. I asked what the algorithm would be to determine which user is logged in to the machine physically at the desktop.

jpollard 01-16-2013 08:13 AM

None of the who options will do that.

You can assume that if the "who" command shows "tty<n>" that it is local.

But as I said, it is up to HOW the user logs in as whether that field is valid or even provided. It will not show active cron jobs being run by the user (it still counts as a login though, just no terminal). It will not show any detached background jobs either (same reason).

A lot of this depends on why you need to know. If you are getting ready to shutdown/reboot, then ps -fu is a better judge of activity if you want to avoid impacting a users work.

Brandon9000 01-16-2013 08:19 AM

Thanks. I'll tell you why I need to know. For various operations initiated from a remote master terminal, such as VNCing into the local machine or re-booting it, I have to ask permission of somoene on that local machine. I have to pop up a box saying essentially, "We want to reboot your machine. Is this okay?" I feel that most of the time, there will be only 0-1 users. However, as a programmer, I have to consider the possibility that there might be several people logged in. If this is the case, then I want to ask the one who is actually sitting at the desktop.

jpollard 01-16-2013 08:25 AM

Might be an issue with remote desktops... but that should affect servers more than a users workstation.

One thing - the "local" user of a workstation could be in a conference room and performing a remote display... A reboot at that time would not necessarily be a good thing even though he is using it remotely...


All times are GMT -5. The time now is 11:44 AM.