0

If I have an operating system with multiple users logged in via ssh, is there any way I can find which physical machine is associated with each /dev/pts/N (where N is an integer)? All I know is the

who

and

ps -aux

commands that will show which user or process is associated with the device files, but can I get any more information about the physical machine that the user/process comes from? Maybe an I.P.?

  • A pseudo-terminal is not associated with a "physical machine". It's associated with a running process (e.g., ssh session, or a gui terminal window, a window in screen/tmux, etc). You can use ps to find what processes are using a given pts device, and potentially backtrack from there. – larsks May 02 '22 at 15:38
  • For what you're trying to do, the ss (or netstat) command might be more useful (e.g., ss -tnp | grep sshd) – larsks May 02 '22 at 15:38
  • Could you use one of the answers here?: https://unix.stackexchange.com/questions/92560/list-all-connected-ssh-sessions – thanasisp May 02 '22 at 15:49
  • @larsks at the end of the day I was getting confused because the process was spawned at the initialization of the machine (parent PID=1). So what you say makes perfect sense. I was looking for an ssh session or something similar, but there is none. Can you post your comment as an answer? – Marco Montevechi Filho May 03 '22 at 12:41
  • Glad to help. I've posted the comments as an answer (with a slightly longer example). – larsks May 03 '22 at 13:24

2 Answers

1

SSH (and mosh) actually populate the utmp/wtmp files that e.g. who and last read with some useful information, including the remote IP address.

~$ who
...
ilkkachu  pts/26       2022-05-03 16:27 (127.0.0.1)
$ last -1a
ilkkachu  pts/26       Tue May  3 16:27   still logged in    127.0.0.1

Though you might want to grep for the correct tty name:

$ who | grep "pts/26"
ilkkachu  pts/26       2022-05-03 16:27 (127.0.0.1)

Alternatively, you could chase the list of open files to find the SSH process holding an fd on the tty, and then the corresponding network socket.

ilkkachu
  • The command who indeed helped me. Particularly who -d showed that /pts/N was associated with a dead session. So in the end, although the process was communicating with a machine, it was not the machine that spawned it. – Marco Montevechi Filho May 03 '22 at 17:14
0

A pseudo-terminal is not associated with a "physical machine". It's associated with a running process (e.g., ssh session, or a gui terminal window, a window in screen/tmux, etc). You can use ps to find what processes are using a given pts device, and potentially backtrack from there.

For what you're trying to do, the ss (or netstat) command might be more useful. For example, I can find the remote addresses associated with active ssh connections by running something like:

$ ss -tnp | grep sshd | grep ESTAB
ESTAB      0      0      192.168.1.200:22                 1.2.3.4:39240               users:(("sshd",pid=2706,fd=3))
ESTAB      0      0      192.168.1.200:22                 4.3.2.1:39242               users:(("sshd",pid=2809,fd=3),("sshd",pid=2771,fd=3))
larsks
  • You helped me elucidate some wrong thoughts I was having: I was mistaking /dev/pts/N files with active ssh sessions. Indeed, although the process was associated with a pts/N, the pts was not associated with any active ssh session. ss helped me find the machine that the process was communicating with. Thanks! – Marco Montevechi Filho May 03 '22 at 17:11
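Both answers' approaches (chasing open files from the tty to the sshd process, then matching its socket to a peer as ss does) can be combined by reading /proc directly. The following is an added example, not code from either answer; the function names are hypothetical, and it assumes Linux, IPv4 connections listed in /proc/net/tcp, a little-endian host, and root privileges to read other users' fd directories.

```python
import os, socket, struct, sys

def fd_targets(proc, pid):
    """Symlink targets of a pid's open fds (empty if gone or unreadable)."""
    try:
        return [os.readlink(f"{proc}/{pid}/fd/{n}") for n in os.listdir(f"{proc}/{pid}/fd")]
    except OSError:
        return []

def status(proc, pid):
    """(comm, ppid) parsed from <proc>/<pid>/status."""
    with open(f"{proc}/{pid}/status") as fh:
        kv = dict(ln.rstrip("\n").split(":\t", 1) for ln in fh if ":\t" in ln)
    return kv["Name"], int(kv["PPid"])

def tcp_peers(proc):
    """Map socket inode -> 'ip:port' for ESTABLISHED IPv4 sockets only."""
    peers = {}
    with open(f"{proc}/net/tcp") as fh:
        for f in (line.split() for line in list(fh)[1:]):  # skip header row
            if f[3] == "01":  # 01 = ESTABLISHED; listeners (0A) are ignored
                ip, port = f[2].split(":")  # remote address, hex-encoded
                addr = socket.inet_ntoa(struct.pack("<I", int(ip, 16)))
                peers[f[9]] = f"{addr}:{int(port, 16)}"
    return peers

def remote_for_tty(tty, proc="/proc"):
    """(sshd_pid, peer) for the sshd ancestor of a process on tty, else None."""
    peers = tcp_peers(proc)
    for pid in filter(str.isdigit, os.listdir(proc)):
        cur = int(pid) if tty in fd_targets(proc, pid) else 0
        while cur > 1:  # reaching init means no live session owns this tty
            try:
                comm, ppid = status(proc, cur)
            except OSError:
                break  # process exited while we were looking
            if comm.startswith("sshd"):  # "sshd", or "sshd-session" on newer OpenSSH
                for t in fd_targets(proc, cur):
                    if t.startswith("socket:[") and t[8:-1] in peers:
                        return cur, peers[t[8:-1]]
            cur = ppid
    return None

if __name__ == "__main__":
    print(remote_for_tty(sys.argv[1]))  # e.g. /dev/pts/26
```

A result of None for a pts that still has processes attached corresponds to the situation in the question: the process was reparented to PID 1 and no ssh session owns the terminal any more.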