Home Linux How To Find Currently Logged In Users In Linux
How To Find Currently Logged In Users In Linux

How To Find Currently Logged In Users In Linux

By sk
376 Views

A Linux system admin should keep an eye on who is currently logged into the Linux system and what are they up to. We already knew how to find the last logged in users in Linux. How would you identify who is logged on your Linux system at the moment and what they are doing? Easy! This tutorial lists various methods to find currently logged in users in Linux.

1. Find currently logged in users in Linux using w command

In Linux operating systems, there is special, single letter command called w that helps you to find who is logged on and what they are doing in the system. This is the most commonly used command line tool to display the information about the users currently on the server, and their processes.

The w command is often useful when you are administering a Linux server that is frequently being accessed by many users. You can track all of them without having to install any additional tools or applications.

The w command shows various useful details including the following:

  • the current time,
  • how long the system has been running,
  • how many users are currently logged on,
  • and the system load averages for the past 1, 5, and 15 minutes.

The w command fetches information about who is currently logged on from the /var/run/utmp file and retrieves the process information from the /proc file.

Now let us see how to use w command to display who is logged in on your Linux machine and what they are doing.

The typical usage of w command is:

$ w [options] user

When you run w command without any options, it will display all currently logged in users in your Linux system:

$ w

Sample output:

 08:42:30 up 28 min,  2 users,  load average: 1.30, 0.87, 0.45
USER     TTY      FROM             [email protected]   IDLE   JCPU   PCPU WHAT
sk       tty1     -                08:41   42.00s  0.10s  0.06s -bash
ostechni pts/1    192.168.225.37   08:42    6.00s  0.09s  0.01s w
Find currently logged in users in Linux using w command
Find currently logged in users in Linux using w command

As you can see in the above output, currently there are two users (sk and ostechni) logged into my Ubuntu server. The w command displays the following details for the individual users:

  • login name,
  • the tty name,
  • source IP address from which the user logged in,
  • login time,
  • idle time,
  • JCPU time (the time used by all processes attached to the tty),
  • PCPU time (the time used by the current process),
  • and the command line of their current process.

If you want to display the details of a specific logged in user (E.g. ostechnix), the command would be:

$ w ostechnix 
 08:51:36 up 37 min,  2 users,  load average: 1.12, 1.06, 0.76
USER     TTY      FROM             [email protected]   IDLE   JCPU   PCPU WHAT
ostechni pts/1    192.168.225.37   08:42    0.00s  0.09s  0.01s w ostech

You can omit the header from the output using -h option:

$ w -h
sk       tty1     -                08:41   16:13   0.10s  0.06s -bash
ostechni pts/1    192.168.225.37   08:42    1.00s  0.09s  0.01s w -h

You can also display IP address instead of hostname for "FROM" (remote hostname) field using -i option:

$ w -i

You may not want to print all the details. If so, you can exclude the login time, JCPU or PCPU times using -s (--short) option:

$ w -s
 09:02:50 up 48 min,  2 users,  load average: 0.31, 0.79, 0.84
USER     TTY      FROM              IDLE WHAT
sk       tty1     -                21:02  -bash
ostechni pts/1    192.168.225.37    1.00s w -s

For more details, check man pages:

$ man w

Or, refer help section:

$ w --help

Usage:
 w [options]

Options:
 -h, --no-header     do not print header
 -u, --no-current    ignore current process username
 -s, --short         short format
 -f, --from          show remote hostname field
 -o, --old-style     old style output
 -i, --ip-addr       display IP address instead of hostname (if possible)

     --help     display this help and exit
 -V, --version  output version information and exit

For more details see w(1).

2. Display all logged in users using who command

The who command is yet another command line tool to display information about users who are currently logged in a Linux machine.

If you run who command without any options, it will display all logged in users:

$ who

Sample output:

sk        tty1         2021-01-12 08:41
ostechnix pts/1        2021-01-12 08:42 (192.168.225.37)
Display currently logged in users in Linux using who command
Display currently logged in users in Linux using who command

As you see in the above output, who command shows the username, type of the terminal device (E.g. tty or pts) on which the session took place, boot time and the source IP address from which the user logged in.

You can filter details for a specific user with grep command:

$ who | grep ostechnix
ostechnix pts/1        2021-01-12 08:42 (192.168.225.37)

The above command will find if the given user ostechnix is logged in or not.

If you want to display information only for the current terminal session, run:

$ who am i
ostechnix pts/1        2021-01-12 08:42 (192.168.225.37)

Please note the spaces between the words. If you execute the above command without any spaces, it will only display the username:

$ whoami 
ostechnix

The who command has few other options to get customised output.

For example, you can display all available information of current logins using -a flag:

$ who -a

Sample output:

           system boot  2021-01-12 08:14
sk       - tty1         2021-01-12 08:41 00:59        1463
           run-level 5  2021-01-12 08:15
ostechnix + pts/1        2021-01-12 08:42   .          1477 (192.168.225.37)
LOGIN      tty6         2021-01-12 08:41              1366 id=tty6

To display all available information with column headers, use -H flag:

$ who -a -H
NAME       LINE         TIME             IDLE          PID COMMENT  EXIT
           system boot  2021-01-12 08:14
sk       - tty1         2021-01-12 08:41 00:59        1463
           run-level 5  2021-01-12 08:15
ostechnix + pts/1        2021-01-12 08:42   .          1477 (192.168.225.37)
LOGIN      tty6         2021-01-12 08:41              1366 id=tty6

For more details, refer the man pages and help section of who command using any one of the following commands:

$ man who
$ who --help

The users command prints the user names of users currently logged in to the current host system.

To display a list of all logged in users in a Linux machine, run:

$ users
ostechnix sk

To get help, run any one of the following commands:

$ man users
$ users --help

4. View logged in users with last command

The last command usually displays all the users that have ever logged in and out of a Linux machine since the /var/log/wtmp file was created.

$ last

The list of currently logged in users are shown at the top.

ostechni pts/1        192.168.225.37   Tue Jan 12 08:42   still logged in
sk       tty1                          Tue Jan 12 08:41   still logged in
ostechni tty1                          Tue Jan 12 08:41 - 08:41  (00:00)
sk       pts/1        192.168.225.37   Tue Jan 12 08:41 - 08:41  (00:00)
[...]

For help, see man pages or use --help option:

$ man last
$ last --help

5. Find who is logged in a Linux system using id command

The id command is used to print user and group information for the specified USER, or for the current user when USER is omitted.

To print the currently logged in user in the current session, run id command with -un options:

$ id -un
ostechnix

This is same as the whoami command.

To get help, do:

$ man id
$ id --help

All of the aforementioned tools are available by default in most Linux distributions. There is one more command line tool available to find who is logged in a Linux system. It is not installed by default, but available in the default repositories of most Linux distributions.

6. List logged in users with finger command

Finger is a command line user information lookup utility. It displays the user's login name, real name, terminal name and write status, idle time, login time, office location and office phone number etc.

The finger program is not installed by default in some Linux distributions. You can install finger in Debian, Ubuntu systems using apt package manager like below:

$ sudo apt install finger

Once installed, run finger command to find logged in users in your Linux system:

$ finger 

Sample output:

Login      Name        Tty      Idle  Login Time   Office     Office Phone
ostechnix  ostechnix   pts/1          Jan 12 08:42 (192.168.225.37)
sk                    *tty1     3:17  Jan 12 08:41

Display information about a specific user:

$ finger ostechnix

Sample output:

Login: ostechnix      			Name: ostechnix
Directory: /home/ostechnix          	Shell: /bin/bash
On since Tue Jan 12 08:42 (UTC) on pts/1 from 192.168.225.37
   2 seconds idle
No mail.
No Plan.

These are a few methods to find the currently logged in users in a Linux system. Knowing who is logged in and finding what they are doing in your system can be helpful at troubleshooting times. I hope one of the aforementioned methods will help you out.

Related read:

You May Also Like

2 comments

Christopher Cox January 14, 2021 - 2:16 am

So… what does “logged in” mean? The utmp/wtmp databases used by “who” and “last” are databases where “something” had to write a record. In other words, there are ways to run even interactive programs on a remote machine and never show up in utmp/wtmp records. Here’s a simple case that works most of the time: ssh some-host bash -i . That will create an “interactive” shell session, but won’t write anything to utmp. Also, you won’t have a tty in that example. but still, it is interactive and you can do stuff. That is, you have a shell on the remote host without a record of being “logged in”. This is just one of a plethora of ways to do this btw. Just pointing out that there is a difference between being “logged in” using the normal ways someone might be on a system, and they ways that somebody that isn’t interested in being normal might get onto a system. I say this mainly for people believing they are protected by monitoring behaviors through things like utmp/wtmp. You might not be as safe as you think and you might want to reconsider what you’re looking for.

Reply
sk January 14, 2021 - 11:12 am

Thanks for the clarification. I really appreciate it.

Reply

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More