Under Construction

Logged in Users: who

Entries for currently logged-in users on a system have type 7 (USER_PROCESS). The who(1) command uses the /etc/utmp file by default and returns all type 7 entries:

$ who
user1      pts/1       Jan 11 14:03     (
user1      pts/2       Jan 11 16:05     (
user2      pts/4       Jan 10 08:28     (

A comparison with the output of fwtmp(1) and filtering on type 7 gives the same information:

# /usr/sbin/acct/fwtmp </etc/utmp  |grep " 7 "
user1   pts/1          pts/1         7 24576272 0005 41223 1641906231                   Tue Jan 11 14:03:51 CET 2022
user1   pts/2          pts/2         7 24576272 0010 25740 1641913527                   Tue Jan 11 16:05:27 CET 2022
user2   pts/4          pts/4         7 23069024 0010 53046 1641799722                   Mon Jan 10 08:28:42 CET 2022

By default, who shows only the ut_user, ut_line, ut_time, and ut_host fields. If you want to see more information, you can use the ‘-u‘ option:

$ who -uH
Name        Line           Time     Activity       PID Hostname
user1      pts/1       Jan 11 14:03     0:01  24576272  (
user1      pts/2       Jan 11 16:05      .    24576272  (
user2      pts/4       Jan 10 08:28     old   23069024  (

Note: The ‘-H‘ option adds a header line.

The PID and the activity are then also displayed. A “.” means there was activity during the last minute, the value “old” means there was no activity during the last 24 hours, any other value indicates hours and minutes that have elapsed since the last activity.

You can also specify a utmp file like /var/adm/wtmp (or another) for the examples shown, but the last(1) command is a better alternative for this purpose (see later). We therefore only show an example of who(1) with the file /etc/security/failedlogin.

If you want to know which users had failed logins in the past, this can be determined relatively easily:

# who /etc/security/failedlogin

root        vty0        Aug 31 19:14    
UNKNOWN_    ssh         Sep 10 15:09     (
user1       ssh         Sep 11 13:42     (     
user2      FTP         Nov 13 10:26     (loopback)    


The example output shows a failed login attempt by root on the system console (vty0), an unsuccessful attempt by an unknown user (UNKNOWN_) from system via SSH, an unsuccessful attempt by user1 via SSH, and an unsuccessful attempt by user2 via FTP via the loopback interface.

With the option ‘-q‘ (quick) you get a less detailed list with a sum at the end:

# who -q /etc/security/failedlogin
user1      (
user1      (
Total users: 4381