Who Is Logged In
 

Hi. I would like to be able to see the logged in users and to distinguish which one, if any, is physically logged into the desktop.

Thanks in advance.

try the following command from the CLI, its a tough one :p

Yep, just w. Or you could type out "who" which is what it actually is but think of all the time you are saving not typing the other two letters!

I would like to be able to distinguish which one, if any, is physically logged into the desktop.

If you run the command you will see that you can determine that based upon the "FROM" and the "WHAT" if the "WHAT" has an sshd: you know they are ssh'ed. If the from is an external address you know they are accessing externally.

Actually, I just tried logging in remotely with ssh and the WHAT listed was "-bash." This sounds like it would be hard to pin down the exact algorithm for figuring out who was at the desktop. I don't mean to sound ungrateful, but is there anything else? For example, is there a way to examine the tty column and figure out which one(s) is/are, they physical desktop?

Thanks again.

The what can be different based upon your sshd config but the FROM should be pretty obvious. You can dig into the actual proc files and look at the /var/log/secure and /var/log/audit/audit.log as these should be logging your external connections but I'm curious as to why the FROM isn't enough for you?

How about the FROM column? Mine shows :0.0 or :0.1 for local, or the hostname that they SSHd in from for remote connections. You can also look at the TTY column, mine shows pts/# for most connections, and tty# for whoever is actually logged in locally.

Actually, on my desktop, I get tty for original (X-win) login, but pts for each xterm opened ... I'd go with the FROM column info.

The proper way is by the tty identity.

The FROM column is totally optional (which is why it is blank in some cases). The convention is that it contains the remote host IP number where the connection is from.... But that can be masked.

A local login is always using a tty number. These are the virtual consoles (tty0-62), though none I have seen have ever created that many.

Attached serial devices (ttyS0/ttyS1 ...) might be considered local, but if they are attached to a dialup style modem, they aren't (and the FROM column will still be blank).

Network connections nearly always use pseudo terminals (the pts/nnn format), but it isn't necessary. Ssh has a login that doesn't use a tty... and therefore the who/w commands don't even show them.

Try "ssh remotehost w", give the password and see.

For an even more impressive example do "ssh remotehost sh". You don't usually see a prompt, but give the w command, and then try "tty" (you will get "not a tty" because what you have is a socket). This also applies to using scp - it is a login, but again, no tty is initialized.

BTW, you get the equivalent of "scp remote:file newfile" by doing "ssh remote cat file >newfile" but it is longer to type...

Another similar case -but looks odd, Do a "ssh -X remotehost xterm -ut". This assumes that the xterm utility is installed. This is the basic terminal emulator (using a pts/nnn device), and will/should show a terminal window that is logged in on the remote system. Do a who (or w) command in the window.
No utmp/wtmp entry is created at all - so you can't even see the login even with a terminal.

In these cases, you have a remote login... but no entry in the utmp/wtmp file, and thus, the who command cannot display anything about it.

I am still not sure from this discussion what the actual algorithm is. Using the FROM column or, if someone prefers, the TTY column, what is the exact algorithm to distinguish logins originating on the physical desktop machine?

The fact is that none are reliable.

You can't even really tell if there are any logins at all, unless the remote users allow you to know if they are logged in.

The only sure way is to look for processes ("ps -uf", which will ignore system processes, and list any associated TTY if there is one).

for example:
The "(unknown) :0" happens to be gdm... yet I am logged in using pts/0 (happen to be using a ssh connection)

It is also possible that a "ps -uf" won't even show... The ps is just a snapshot, and a connection may make/break fast enough that the command never sees the process:

For most things though, a ps -uf will show any persistent login activity.

To capture the transients you have to be running process accounting, which captures every process termination and records entries.

Usually, the log files (/var/log/audit or /var/log/messages) should have an entry.

I'm not quite sure how this answer relates to my question. I asked what the algorithm would be to determine which user is logged in to the machine physically at the desktop.

None of the who options will do that.

You can assume that if the "who" command shows "tty<n>" that it is local.

But as I said, it is up to HOW the user logs in as whether that field is valid or even provided. It will not show active cron jobs being run by the user (it still counts as a login though, just no terminal). It will not show any detached background jobs either (same reason).

A lot of this depends on why you need to know. If you are getting ready to shutdown/reboot, then ps -fu is a better judge of activity if you want to avoid impacting a users work.

Thanks. I'll tell you why I need to know. For various operations initiated from a remote master terminal, such as VNCing into the local machine or re-booting it, I have to ask permission of somoene on that local machine. I have to pop up a box saying essentially, "We want to reboot your machine. Is this okay?" I feel that most of the time, there will be only 0-1 users. However, as a programmer, I have to consider the possibility that there might be several people logged in. If this is the case, then I want to ask the one who is actually sitting at the desktop.

Might be an issue with remote desktops... but that should affect servers more than a users workstation.

One thing - the "local" user of a workstation could be in a conference room and performing a remote display... A reboot at that time would not necessarily be a good thing even though he is using it remotely...

True, but my problem has been defined by others. Rightly or wrongly, this is my criterion. I have to identify which, if any, of the users is sitting at the machine logged in physically.

Security Cameras that you can watch via a web page to see if someone is sitting at the keyboard? There are no better solutions that what has been provided unfortunately.

I'm not really sure what has been provided. That I should give a "w" command and pick the tty? Or perhaps that I should look at the FROM and the WHAT and perform some test hinted at but not quite stated? What is the algorithm?

Find what works for you. Run it, look at the output, see which one you prefer and go with it. If it were me I would go with either the TTY or FROM column in w. Either way it will let you know who's sitting at the computer. The user who has a tty# instead of a pts# under the TTY column is the user sitting at the computer. Or the user who has a local display (:0, :0.0, :0.1, etc) instead of a pts# or remote IP/hostname under the FROM column is the user sitting at the computer.

See which one you prefer on your network with your machines and your users. The advantages and drawbacks to each method have been provided.

Okay, that kind of crystallizes it in my mind. Thanks, all.

You'll also probably want to use this; effectively a broadcast msg tool http://linux.die.net/man/1/wall