List all connected SSH sessions?
who -afor additional information.
These commands just show all login sessions on a terminal device. An SSH session will be on a pseudo-terminal slave (
pts) as shown in the
TTYcolumn, but not all pts connections are SSH sessions. For instance, programs that create a pseudo-terminal device such as
screenwill show as
pts. See Difference between pts and tty for a better description of the different values found in the
TTYcolumn. Furthermore, this approach won't show anybody who's logged in to an SFTP session, since SFTP sessions aren't shell login sessions.
I don't know of any way to explicitly show all SSH sessions. You can infer this information by reading login information from
wtmpvia a tool like
wholike I've just described, or by using networking tools like @sebelk described in their answer to find open tcp connections on port 22 (or wherever your SSH daemon(s) is/are listening).
A third approach you could take is to parse the log output from the SSH daemon. Depending on your OS distribution, SSH distribution, configuration, and so on, your log output may be in a number of different places. On an RHEL 6 box, I found the logs in
/var/log/sshd.log. On an RHEL 7 box, and also on an Arch Linux box, I needed to use
journalctl -u sshdto view the logs. Some systems might output SSH logs to syslog. Your logs may be in these places or elsewhere. Here's a sample of what you might see:
[myhost ~]% grep hendrenj /var/log/sshd.log | grep session May 1 15:57:11 myhost sshd: pam_unix(sshd:session): session opened for user hendrenj by (uid=0) May 1 16:16:13 myhost sshd: pam_unix(sshd:session): session closed for user hendrenj May 5 14:27:09 myhost sshd: pam_unix(sshd:session): session opened for user hendrenj by (uid=0) May 5 18:23:41 myhost sshd: pam_unix(sshd:session): session closed for user hendrenj
The logs show when sessions open and close, who the session belongs to, where the user is connecting from, and more. However, you're going to have to do a lot of parsing if you want to get this from a simple, human-readable log of events to a list of currently active sessions, and it still probably won't be an accurate list when you're done parsing, since the logs don't actually contain enough information to determine which sessions are still active - you're essentially just guessing. The only advantage you gain by using these logs is that the information comes directly from SSHD instead of via a secondhand source like the other methods.
I recommend just using
w. Most of the time, this will get you the information you want.
You can see every session ssh with the following command:
[[email protected] ~]# netstat -tnpa | grep 'ESTABLISHED.*sshd' tcp 0 0 192.168.1.136:22 192.168.1.147:45852 ESTABLISHED 1341/sshd tcp 0 0 192.168.1.136:22 192.168.1.147:45858 ESTABLISHED 1360/sshd
O perhaps this may be useful:
[[email protected] ~]# ps auxwww | grep sshd: root 1341 0.0 0.4 97940 3952 ? Ss 20:31 0:00 sshd: [email protected]/0 root 1360 0.0 0.5 97940 4056 ? Ss 20:32 0:00 sshd: [email protected]/1 root 1397 0.0 0.1 105300 888 pts/0 S+ 20:37 0:00 grep sshd:
Thank you; this answer is much better than the top answer, which only lists users who are logged into a shell. This solution also finds SFTP users.
@MartinSchröder: `-i` is only available on mac/bsd flavours. on ubuntu you can use `pgrep -af ssd`. See https://serverfault.com/a/883270/116777 for details
Expanding on @sebelk's answer:
The solution using
netstatis a good one but requires root privileges. In addition, the
net-toolspackage (which provides
netstat) was deprecated in some newer Linux distro's (https://dougvitale.wordpress.com/2011/12/21/deprecated-linux-networking-commands-and-their-replacements/).
An alternative solution is then to use the replacement for
ss. For example (note you no longer need root):
[email protected]:~# ss | grep ssh tcp ESTAB 0 0 192.168.1.136:ssh 192.168.1.147:37620 tcp ESTAB 0 0 192.168.1.136:ssh 192.168.1.147:37628
Added for simple reference.
If you are in a pseudo shell (example: /dev/pts/0 ) one of the simplest ways would be:
[[email protected] ~]$ echo $SSH_CONNECTION
It should return: your ip and port and the ip your connected to and port
192.168.0.13 50473 192.168.0.22 22
You can also get some info from using
w): (edit: I see it's now list above in another post)
[[email protected] ~]$ who user1 tty1 2018-01-03 18:43 user2 pts/0 2018-01-03 18:44 (192.168.0.13)
To expand on the previous answers dealing with Bash globals. Might I suggest referencing the `SECONDS` global. You can use this via `echo $SECONDS`, which it then displays the amount of time, since the perceived connection
You can use
last | head
I used this in my .login script for years to see who had recently logged into the system. It was a poor-man-security device to see if someone was on the system using your login.
... but it won't necessarily be a list of active sessions (what this question is about). Depending on the login activity, even the session you ran `last` in may not be listed.