List all connected SSH sessions?

  • I just SSH'd into root, and then SSH'd again into root on the same machine. So I have two windows open both SSH'd into root on my remote machine.

    From the shell, how can I see a list of these two sessions?

  • who or w; who -a for additional information.

    These commands just show all login sessions on a terminal device. An SSH session will be on a pseudo-terminal slave (pts) as shown in the TTY column, but not all pts connections are SSH sessions. For instance, programs that create a pseudo-terminal device such as xterm or screen will show as pts. See Difference between pts and tty for a better description of the different values found in the TTY column. Furthermore, this approach won't show anybody who's logged in to an SFTP session, since SFTP sessions aren't shell login sessions.

    I don't know of any way to explicitly show all SSH sessions. You can infer this information by reading login information from utmp/wtmp via a tool like last, w, or who like I've just described, or by using networking tools like @sebelk described in their answer to find open tcp connections on port 22 (or wherever your SSH daemon(s) is/are listening).

    A third approach you could take is to parse the log output from the SSH daemon. Depending on your OS distribution, SSH distribution, configuration, and so on, your log output may be in a number of different places. On an RHEL 6 box, I found the logs in /var/log/sshd.log. On an RHEL 7 box, and also on an Arch Linux box, I needed to use journalctl -u sshd to view the logs. Some systems might output SSH logs to syslog. Your logs may be in these places or elsewhere. Here's a sample of what you might see:

    [myhost ~]% grep hendrenj /var/log/sshd.log | grep session
    May  1 15:57:11 myhost sshd[34427]: pam_unix(sshd:session): session opened for user hendrenj by (uid=0)
    May  1 16:16:13 myhost sshd[34427]: pam_unix(sshd:session): session closed for user hendrenj
    May  5 14:27:09 myhost sshd[43553]: pam_unix(sshd:session): session opened for user hendrenj by (uid=0)
    May  5 18:23:41 myhost sshd[43553]: pam_unix(sshd:session): session closed for user hendrenj
    

    The logs show when sessions open and close, who the session belongs to, where the user is connecting from, and more. However, you're going to have to do a lot of parsing if you want to get this from a simple, human-readable log of events to a list of currently active sessions, and it still probably won't be an accurate list when you're done parsing, since the logs don't actually contain enough information to determine which sessions are still active - you're essentially just guessing. The only advantage you gain by using these logs is that the information comes directly from SSHD instead of via a secondhand source like the other methods.

    I recommend just using w. Most of the time, this will get you the information you want.

    Found this while searching for a tangentially related problem. Doesn't matter. This is one of the best answers I've seen on any Stack site! I now know a ton more about this particular area (for lack of a better word). EDIT: Thank you!
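The log-parsing approach from the answer above, as an added example that is not part of the original answer: it pairs pam_unix "session opened" and "session closed" lines by sshd PID and prints the sessions with no matching close. The function names and the sample log lines (including user alice) are constructed for illustration, and, as the answer says, the result is only an inference, since a session that ended without a logged close still shows as open.

```shell
#!/bin/sh
# Added example: infer still-open SSH sessions from pam_unix log lines.
# Reads syslog-style sshd lines on stdin and prints "PID USER MONTH DAY TIME"
# for every "session opened" event that has no later "session closed"
# event from the same sshd PID.
unclosed_ssh_sessions() {
    awk '
    /sshd\[[0-9]+\]: pam_unix\(sshd:session\): session (opened|closed) for user / {
        # PID comes from the "sshd[34427]:" tag
        pid = $0
        sub(/^.*sshd\[/, "", pid)
        sub(/\].*$/, "", pid)
        # User name follows "for user"; newer PAM appends "(uid=N)" to it
        user = $0
        sub(/^.*for user /, "", user)
        sub(/[ (].*$/, "", user)
        if ($0 ~ /session opened/) {
            open_user[pid] = user
            open_time[pid] = $1 " " $2 " " $3
        } else {
            delete open_user[pid]
            delete open_time[pid]
        }
    }
    END {
        for (pid in open_user)
            print pid, open_user[pid], open_time[pid]
    }' | sort -n
}

# Constructed sample input (not taken from a real host).
sample_sshd_log() {
    cat <<'EOF'
May  1 15:57:11 myhost sshd[34427]: pam_unix(sshd:session): session opened for user hendrenj by (uid=0)
May  1 16:16:13 myhost sshd[34427]: pam_unix(sshd:session): session closed for user hendrenj
May  5 14:27:09 myhost sshd[43553]: pam_unix(sshd:session): session opened for user hendrenj by (uid=0)
May  5 14:30:02 myhost sshd[43610]: pam_unix(sshd:session): session opened for user alice(uid=1001) by (uid=0)
May  5 14:41:17 myhost sshd[43610]: pam_unix(sshd:session): session closed for user alice
EOF
}

sample_sshd_log | unclosed_ssh_sessions
```

On a systemd host the same function can be fed from `journalctl -u sshd` output instead of a log file, provided the lines keep the syslog-style timestamp prefix.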

  • You can see every SSH session with the following command:

    [[email protected] ~]# netstat -tnpa | grep 'ESTABLISHED.*sshd'
    tcp        0      0 192.168.1.136:22            192.168.1.147:45852         ESTABLISHED 1341/sshd           
    tcp        0      0 192.168.1.136:22            192.168.1.147:45858         ESTABLISHED 1360/sshd
    

    Or perhaps this may be useful:

    [[email protected] ~]# ps auxwww | grep sshd:
    root      1341  0.0  0.4  97940  3952 ?        Ss   20:31   0:00 sshd: [email protected]/0 
    root      1360  0.0  0.5  97940  4056 ?        Ss   20:32   0:00 sshd: [email protected]/1 
    root      1397  0.0  0.1 105300   888 pts/0    S+   20:37   0:00 grep sshd:
    

    Thank you; this answer is much better than the top answer, which only lists users who are logged into a shell. This solution also finds SFTP users.

    On most boxes nowadays you can use `pgrep -ai sshd`

    @ccpizza: `pgrep: invalid option -- 'i'` on Ubuntu 14.04.

    @MartinSchröder: `-i` is only available on Mac/BSD flavours. On Ubuntu you can use `pgrep -af sshd`. See https://serverfault.com/a/883270/116777 for details.

    Similar to @HaydenSchiff I had to also find users that only have an SSH Tunnel open for port-forwarding, without a shell. This helped!
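The comments above note that the process list also reveals SFTP and tunnel-only users that `who` misses. As an added example (not part of the original answer), this filter reads `ps` output and reports one line per authenticated session, marking sessions that have no terminal. It assumes OpenSSH's usual process titles (`user@pts/N`, `user@notty`, `user [priv]`); the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example: list authenticated sshd session processes, with or without a tty.
# Reads "PID ARGS" lines on stdin (as produced by: ps -e -o pid= -o args=)
# and prints "PID USER KIND TTY" for each session process.
#   shell   session has a pseudo-terminal (pts/N), so who/w also show it
#   no-tty  SFTP, forwarding-only, or remote-command session, absent from who/w
# The listener and the per-connection "[priv]" monitor processes are skipped,
# so each session is counted once.
ssh_session_procs() {
    awk '
    $2 == "sshd:" && $3 ~ /^[^@]+@(pts\/[0-9]+|notty)$/ {
        split($3, part, "@")
        kind = (part[2] == "notty") ? "no-tty" : "shell"
        print $1, part[1], kind, part[2]
    }'
}

# Constructed sample of ps output (not taken from a real host).
sample_ps_output() {
    cat <<'EOF'
 1021 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
 1341 sshd: root@pts/0
 1360 sshd: root@pts/1
 2210 sshd: alice [priv]
 2214 sshd: alice@notty
 2290 sshd: bob [priv]
 2301 sshd: bob@pts/2
 2399 grep sshd:
EOF
}

sample_ps_output | ssh_session_procs
```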

  • You can also use

    ps ax | grep sshd
    
  • Expanding on @sebelk's answer:

    The solution using netstat is a good one but requires root privileges. In addition, the net-tools package (which provides netstat) was deprecated in some newer Linux distros (https://dougvitale.wordpress.com/2011/12/21/deprecated-linux-networking-commands-and-their-replacements/).

    An alternative solution is then to use the replacement for netstat, ss. For example (note you no longer need root):

    [email protected]:~# ss | grep ssh
    tcp    ESTAB      0      0      192.168.1.136:ssh                  192.168.1.147:37620                
    tcp    ESTAB      0      0      192.168.1.136:ssh                  192.168.1.147:37628
    
  • Added for simple reference.

    If you are in a pseudo shell (example: /dev/pts/0 ) one of the simplest ways would be:

    [[email protected] ~]$ echo $SSH_CONNECTION
    

    It should return your IP and port, and the IP you're connected to and its port:

    192.168.0.13 50473 192.168.0.22 22
    

    You can also get some info from using tty or who (w): (edit: I see it's now listed above in another post)

    [[email protected] ~]$ who
    user1 tty1          2018-01-03 18:43
    user2 pts/0        2018-01-03 18:44 (192.168.0.13)
    

    To expand on the previous answers dealing with Bash globals, might I suggest referencing the `SECONDS` global. You can use this via `echo $SECONDS`, which then displays the amount of time since the perceived connection.

    This will display information for the currently active session — the one you're typing into. But the question asks how to list *all* the currently *connected* sessions.

  • You can use

    last | head
    

    I used this in my .login script for years to see who had recently logged into the system. It was a poor man's security device to see if someone was on the system using your login.

    ... but it won't necessarily be a list of active sessions (what this question is about). Depending on the login activity, even the session you ran `last` in may not be listed.

    "last -p now" lists all current ssh sessions.

    @J.O.Williams Which version of `last` supports `-p`? What does it do?

    @mwfearnley version of `"last from util-linux 2.31.1"` has it for sure.

  • I executed almost all the above commands and I think the best ways to find the currently logged-in users via SSH are

    last | grep "still logged in"
    

    AND

    who -a
    

Licensed under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM