261

I just SSH'd into root, and then SSH'd again into root on the same machine. So I have two windows open both SSH'd into root on my remote machine.

From the shell, how can I see a list of these two sessions?

themirror
  • 6,988

7 Answers7

258

who or w; who -a for additional information.

These commands just show all login sessions on a terminal device. An SSH session will be on a pseudo-terminal slave (pts) as shown in the TTY column, but not all pts connections are SSH sessions. For instance, programs that create a pseudo-terminal device such as xterm or screen will show as pts. See Difference between pts and tty for a better description of the different values found in the TTY column. Furthermore, this approach won't show anybody who's logged in to an SFTP session, since SFTP sessions aren't shell login sessions.

I don't know of any way to explicitly show all SSH sessions. You can infer this information by reading login information from utmp/wtmp via a tool like last, w, or who like I've just described, or by using networking tools like @sebelk described in their answer to find open tcp connections on port 22 (or wherever your SSH daemon(s) is/are listening).

A third approach you could take is to parse the log output from the SSH daemon. Depending on your OS distribution, SSH distribution, configuration, and so on, your log output may be in a number of different places. On an RHEL 6 box, I found the logs in /var/log/sshd.log. On an RHEL 7 box, and also on an Arch Linux box, I needed to use journalctl -u sshd to view the logs. Some systems might output SSH logs to syslog. Your logs may be in these places or elsewhere. Here's a sample of what you might see:

[myhost ~]% grep hendrenj /var/log/sshd.log | grep session
May  1 15:57:11 myhost sshd[34427]: pam_unix(sshd:session): session opened for user hendrenj by (uid=0)
May  1 16:16:13 myhost sshd[34427]: pam_unix(sshd:session): session closed for user hendrenj
May  5 14:27:09 myhost sshd[43553]: pam_unix(sshd:session): session opened for user hendrenj by (uid=0)
May  5 18:23:41 myhost sshd[43553]: pam_unix(sshd:session): session closed for user hendrenj

The logs show when sessions open and close, who the session belongs to, where the user is connecting from, and more. However, you're going to have to do a lot of parsing if you want to get this from a simple, human-readable log of events to a list of currently active sessions, and it still probably won't be an accurate list when you're done parsing, since the logs don't actually contain enough information to determine which sessions are still active - you're essentially just guessing. The only advantage you gain by using these logs is that the information comes directly from SSHD instead of via a secondhand source like the other methods.

I recommend just using w. Most of the time, this will get you the information you want.

Glastis
  • 40
  • 6
jayhendren
  • 8,384
  • 2
  • 33
  • 58
169

You can see every session ssh with the following command:

[root@router ~]# netstat -tnpa | grep 'ESTABLISHED.*sshd'
tcp        0      0 192.168.1.136:22            192.168.1.147:45852         ESTABLISHED 1341/sshd           
tcp        0      0 192.168.1.136:22            192.168.1.147:45858         ESTABLISHED 1360/sshd

Or perhaps this may be useful:

[root@router ~]# ps auxwww | grep sshd:
root      1341  0.0  0.4  97940  3952 ?        Ss   20:31   0:00 sshd: root@pts/0 
root      1360  0.0  0.5  97940  4056 ?        Ss   20:32   0:00 sshd: root@pts/1 
root      1397  0.0  0.1 105300   888 pts/0    S+   20:37   0:00 grep sshd:
sebelk
  • 4,389
21

Expanding on @sebelk's answer:

The solution using netstat is a good one but requires root privileges. In addition, the net-tools package (which provides netstat) was deprecated in some newer Linux distro's (https://dougvitale.wordpress.com/2011/12/21/deprecated-linux-networking-commands-and-their-replacements/).

An alternative solution is then to use the replacement for netstat, ss. For example (note you no longer need root):

user@router:~# ss | grep ssh
tcp    ESTAB      0      0      192.168.1.136:ssh                  192.168.1.147:37620                
tcp    ESTAB      0      0      192.168.1.136:ssh                  192.168.1.147:37628
A.Meijer
  • 311
  • On some ss binaries (perhaps the newer ones), the port is shown instead of ssh. So, if you configured you SSH server port on 2358 for instance, you'll have to do ss | grep 2358. – MAChitgarha Feb 15 '21 at 20:30
  • 2
    the good thing with netstat -tanp is that it gets the process name, and that makes it easy to grep on, instead of greping on portnumber which also would show any outgoing connections etc. – NiKiZe May 11 '21 at 12:18
20

You can also use

ps ax | grep sshd
Joel Inglao
  • 301
11

Added for simple reference.

If you are in a pseudo shell (example: /dev/pts/0 ) one of the simplest ways would be:

[user1@host ~]$ echo $SSH_CONNECTION

It should return: your ip and port and the ip your connected to and port

192.168.0.13 50473 192.168.0.22 22

You can also get some info from using tty or who (w): (edit: I see it's now list above in another post)

[user1@host ~]$ who
user1 tty1          2018-01-03 18:43
user2 pts/0        2018-01-03 18:44 (192.168.0.13)
  • To expand on the previous answers dealing with Bash globals. Might I suggest referencing the SECONDS global. You can use this via echo $SECONDS, which it then displays the amount of time, since the perceived connection – NerdOfCode Sep 04 '18 at 15:19
  • 1
    This will display information for the currently active session — the one you're typing into. But the question asks how to list all the currently connected sessions. – G-Man Says 'Reinstate Monica' Dec 20 '18 at 04:38
7

I executed almost all the above commands and I think the best way to find the currently logged in users via ssh are

last | grep "still logged in"

AND 

who -a
drmaa
  • 177
6

You can use

last | head

I used this in my .login script for years to see who had recently logged into the system. It was a poor-man-security device to see if someone was on the system using your login.

J.O. Williams
  • 79