LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 01-15-2013, 04:38 PM   #1
Brandon9000
Member
 
Registered: Apr 2012
Location: Florida
Distribution: Many
Posts: 111

Rep: Reputation: Disabled
Who Is Logged In


Hi. I would like to be able to see the logged in users and to distinguish which one, if any, is physically logged into the desktop.

Thanks in advance.
 
Old 01-15-2013, 04:41 PM   #2
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,568

Rep: Reputation: 411Reputation: 411Reputation: 411Reputation: 411Reputation: 411
try the following command from the CLI, its a tough one

Code:
w
Yep, just w. Or you could type out "who" which is what it actually is but think of all the time you are saving not typing the other two letters!
 
Old 01-15-2013, 04:42 PM   #3
Brandon9000
Member
 
Registered: Apr 2012
Location: Florida
Distribution: Many
Posts: 111

Original Poster
Rep: Reputation: Disabled
I would like to be able to distinguish which one, if any, is physically logged into the desktop.
 
Old 01-15-2013, 04:44 PM   #4
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,568

Rep: Reputation: 411Reputation: 411Reputation: 411Reputation: 411Reputation: 411
If you run the command you will see that you can determine that based upon the "FROM" and the "WHAT" if the "WHAT" has an sshd: you know they are ssh'ed. If the from is an external address you know they are accessing externally.
 
Old 01-15-2013, 04:58 PM   #5
Brandon9000
Member
 
Registered: Apr 2012
Location: Florida
Distribution: Many
Posts: 111

Original Poster
Rep: Reputation: Disabled
Actually, I just tried logging in remotely with ssh and the WHAT listed was "-bash." This sounds like it would be hard to pin down the exact algorithm for figuring out who was at the desktop. I don't mean to sound ungrateful, but is there anything else? For example, is there a way to examine the tty column and figure out which one(s) is/are, they physical desktop?

Thanks again.
 
Old 01-15-2013, 05:05 PM   #6
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,568

Rep: Reputation: 411Reputation: 411Reputation: 411Reputation: 411Reputation: 411
The what can be different based upon your sshd config but the FROM should be pretty obvious. You can dig into the actual proc files and look at the /var/log/secure and /var/log/audit/audit.log as these should be logging your external connections but I'm curious as to why the FROM isn't enough for you?
 
Old 01-15-2013, 05:40 PM   #7
suicidaleggroll
Senior Member
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 2,846

Rep: Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007Reputation: 1007
Quote:
Originally Posted by Brandon9000 View Post
Actually, I just tried logging in remotely with ssh and the WHAT listed was "-bash." This sounds like it would be hard to pin down the exact algorithm for figuring out who was at the desktop. I don't mean to sound ungrateful, but is there anything else? For example, is there a way to examine the tty column and figure out which one(s) is/are, they physical desktop?

Thanks again.
How about the FROM column? Mine shows :0.0 or :0.1 for local, or the hostname that they SSHd in from for remote connections. You can also look at the TTY column, mine shows pts/# for most connections, and tty# for whoever is actually logged in locally.
 
Old 01-15-2013, 06:13 PM   #8
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,269

Rep: Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028
Actually, on my desktop, I get tty for original (X-win) login, but pts for each xterm opened ... I'd go with the FROM column info.
 
Old 01-15-2013, 08:50 PM   #9
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,207

Rep: Reputation: 569Reputation: 569Reputation: 569Reputation: 569Reputation: 569Reputation: 569
The proper way is by the tty identity.

The FROM column is totally optional (which is why it is blank in some cases). The convention is that it contains the remote host IP number where the connection is from.... But that can be masked.

A local login is always using a tty number. These are the virtual consoles (tty0-62), though none I have seen have ever created that many.

Attached serial devices (ttyS0/ttyS1 ...) might be considered local, but if they are attached to a dialup style modem, they aren't (and the FROM column will still be blank).

Network connections nearly always use pseudo terminals (the pts/nnn format), but it isn't necessary. Ssh has a login that doesn't use a tty... and therefore the who/w commands don't even show them.

Try "ssh remotehost w", give the password and see.

For an even more impressive example do "ssh remotehost sh". You don't usually see a prompt, but give the w command, and then try "tty" (you will get "not a tty" because what you have is a socket). This also applies to using scp - it is a login, but again, no tty is initialized.

BTW, you get the equivalent of "scp remote:file newfile" by doing "ssh remote cat file >newfile" but it is longer to type...

Another similar case -but looks odd, Do a "ssh -X remotehost xterm -ut". This assumes that the xterm utility is installed. This is the basic terminal emulator (using a pts/nnn device), and will/should show a terminal window that is logged in on the remote system. Do a who (or w) command in the window.
No utmp/wtmp entry is created at all - so you can't even see the login even with a terminal.

In these cases, you have a remote login... but no entry in the utmp/wtmp file, and thus, the who command cannot display anything about it.
 
Old 01-16-2013, 07:24 AM   #10
Brandon9000
Member
 
Registered: Apr 2012
Location: Florida
Distribution: Many
Posts: 111

Original Poster
Rep: Reputation: Disabled
I am still not sure from this discussion what the actual algorithm is. Using the FROM column or, if someone prefers, the TTY column, what is the exact algorithm to distinguish logins originating on the physical desktop machine?
 
Old 01-16-2013, 07:46 AM   #11
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,207

Rep: Reputation: 569Reputation: 569Reputation: 569Reputation: 569Reputation: 569Reputation: 569
The fact is that none are reliable.

You can't even really tell if there are any logins at all, unless the remote users allow you to know if they are logged in.

The only sure way is to look for processes ("ps -uf", which will ignore system processes, and list any associated TTY if there is one).

for example:
Code:
$ who
(unknown) :0           2012-12-25 22:53 (:0)
$ ps -uf
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
jesse    25086  0.1  0.3 115796  3396 pts/0    Ss   08:32   0:00 bash
jesse    25167  0.0  0.1 115704  1040 pts/0    R+   08:34   0:00  \_ ps -uf
The "(unknown) :0" happens to be gdm... yet I am logged in using pts/0 (happen to be using a ssh connection)

It is also possible that a "ps -uf" won't even show... The ps is just a snapshot, and a connection may make/break fast enough that the command never sees the process:

Code:
$ ssh kimi ps -uf
jesse@kimi's password: 
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
$
For most things though, a ps -uf will show any persistent login activity.

To capture the transients you have to be running process accounting, which captures every process termination and records entries.

Usually, the log files (/var/log/audit or /var/log/messages) should have an entry.
 
Old 01-16-2013, 07:48 AM   #12
Brandon9000
Member
 
Registered: Apr 2012
Location: Florida
Distribution: Many
Posts: 111

Original Poster
Rep: Reputation: Disabled
I'm not quite sure how this answer relates to my question. I asked what the algorithm would be to determine which user is logged in to the machine physically at the desktop.
 
Old 01-16-2013, 08:13 AM   #13
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,207

Rep: Reputation: 569Reputation: 569Reputation: 569Reputation: 569Reputation: 569Reputation: 569
None of the who options will do that.

You can assume that if the "who" command shows "tty<n>" that it is local.

But as I said, it is up to HOW the user logs in as whether that field is valid or even provided. It will not show active cron jobs being run by the user (it still counts as a login though, just no terminal). It will not show any detached background jobs either (same reason).

A lot of this depends on why you need to know. If you are getting ready to shutdown/reboot, then ps -fu is a better judge of activity if you want to avoid impacting a users work.
 
Old 01-16-2013, 08:19 AM   #14
Brandon9000
Member
 
Registered: Apr 2012
Location: Florida
Distribution: Many
Posts: 111

Original Poster
Rep: Reputation: Disabled
Thanks. I'll tell you why I need to know. For various operations initiated from a remote master terminal, such as VNCing into the local machine or re-booting it, I have to ask permission of somoene on that local machine. I have to pop up a box saying essentially, "We want to reboot your machine. Is this okay?" I feel that most of the time, there will be only 0-1 users. However, as a programmer, I have to consider the possibility that there might be several people logged in. If this is the case, then I want to ask the one who is actually sitting at the desktop.
 
Old 01-16-2013, 08:25 AM   #15
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,207

Rep: Reputation: 569Reputation: 569Reputation: 569Reputation: 569Reputation: 569Reputation: 569
Might be an issue with remote desktops... but that should affect servers more than a users workstation.

One thing - the "local" user of a workstation could be in a conference room and performing a remote display... A reboot at that time would not necessarily be a good thing even though he is using it remotely...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
checking for user who are logged in, the display first,last name and time logged in LBP74 Programming 1 01-07-2013 04:23 AM
Why am I told I'm logged out after I've logged in? Airidh LQ Suggestions & Feedback 1 02-25-2011 10:35 AM
IPs logged as D.C.B.A and some times A.B.C.D how to find which format is logged tkmsr Linux - Security 15 11-18-2010 08:29 AM
kde much slower to start when logged in as alan than logged in as root arubin Slackware 0 04-26-2004 04:27 PM
mozilla works fine when logged in as a user but crashes when logged in as root jimi Linux - General 6 04-02-2003 08:34 PM


All times are GMT -5. The time now is 09:58 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration