Logged in Users: who
Entries for currently logged-in users on a system have type 7 (USER_PROCESS). The who(1) command uses the /etc/utmp file by default and returns all type 7 entries:
$ who
user1 pts/1 Jan 11 14:03 (192.168.1.17)
user1 pts/2 Jan 11 16:05 (192.168.1.17)
user2 pts/4 Jan 10 08:28 (192.168.1.17)
$
A comparison with the output of fwtmp(1) and filtering on type 7 gives the same information:
# /usr/sbin/acct/fwtmp </etc/utmp |grep " 7 "
user1 pts/1 pts/1 7 24576272 0005 41223 1641906231 192.168.1.17 Tue Jan 11 14:03:51 CET 2022
user1 pts/2 pts/2 7 24576272 0010 25740 1641913527 192.168.1.17 Tue Jan 11 16:05:27 CET 2022
user2 pts/4 pts/4 7 23069024 0010 53046 1641799722 192.168.1.17 Mon Jan 10 08:28:42 CET 2022
#
By default, who shows only the ut_user, ut_line, ut_time, and ut_host fields. If you want to see more information, you can use the '-u' option:
$ who -uH
Name Line Time Activity PID Hostname
user1 pts/1 Jan 11 14:03 0:01 24576272 (192.168.1.17)
user1 pts/2 Jan 11 16:05 . 24576272 (192.168.1.17)
user2 pts/4 Jan 10 08:28 old 23069024 (192.168.1.17)
$
Note: The '-H' option adds a header line.
The PID and the activity are then also displayed. A "." means there was activity during the last minute, and "old" means there was no activity during the last 24 hours; any other value gives the hours and minutes that have elapsed since the last activity.
You can also specify a utmp file like /var/adm/wtmp (or another) for the examples shown, but the last(1) command is a better alternative for this purpose (see later). We therefore only show an example of who(1) with the file /etc/security/failedlogin.
If you want to know which users had failed logins in the past, this can be determined relatively easily:
# who /etc/security/failedlogin
…
root vty0 Aug 31 19:14
UNKNOWN_ ssh Sep 10 15:09 (192.168.1.17)
user1 ssh Sep 11 13:42 (192.168.1.17)
user2 FTP Nov 13 10:26 (loopback)
…
#
The example output shows a failed login attempt by root on the system console (vty0), an unsuccessful attempt by an unknown user (UNKNOWN_) from system 192.168.1.17 via SSH, an unsuccessful attempt by user1 via SSH, and an unsuccessful attempt by user2 via FTP over the loopback interface.
With the option '-q' (quick) you get a less detailed list with a total at the end:
# who -q /etc/security/failedlogin
...
user1 (192.168.1.17)
user1 (192.168.1.17)
Total users: 4381
#
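The total printed by '-q' does not show which accounts are being tried or from where. The following shell functions are an added example, not part of the original article: they group the output of who /etc/security/failedlogin by user, line and source host. The function names and the sample lines are constructed for illustration, and the column layout is assumed to match the output shown above.

```shell
#!/bin/sh
# Added example: summarize failed logins from `who /etc/security/failedlogin`.

# Constructed sample in the column layout shown above (not real data).
sample_failedlogin() {
cat <<'EOF'
...
root        vty0        Aug 31 19:14
UNKNOWN_    ssh         Sep 10 15:09     (192.168.1.17)
user1       ssh         Sep 11 13:42     (192.168.1.17)
user1       ssh         Sep 11 13:43     (192.168.1.17)
user2       FTP         Nov 13 10:26     (loopback)
EOF
}

# Read who(1) output on stdin and print "count user line source",
# highest count first. Only the first two fields and the last field
# are used, so the date columns do not matter.
summarize_failed() {
    awk '
        NF < 5 { next }                  # skip "..." and other short lines
        {
            src = "-"                    # console entries carry no host field
            if ($NF ~ /^\(.*\)$/) src = substr($NF, 2, length($NF) - 2)
            n[$1 " " $2 " " src]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Print "count source" for every source host with at least $1 failures,
# regardless of which user names were tried from it.
noisy_sources() {
    awk -v min="$1" '
        NF >= 5 && $NF ~ /^\(.*\)$/ { c[substr($NF, 2, length($NF) - 2)]++ }
        END { for (s in c) if (c[s] >= min) print c[s], s }
    ' | sort -k1,1nr -k2
}

# Demonstration on the constructed sample. On a real system, as root:
#   who /etc/security/failedlogin | summarize_failed
sample_failedlogin | summarize_failed
sample_failedlogin | noisy_sources 3
```

A source that appears in noisy_sources with several different user names, including UNKNOWN_, is a candidate for closer review.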