How many Remote Users?

Question

I need to count how many people are logged in remotely into my virtual machine at school. I can tell if someone ssh'd in from host, but am having trouble telling if someone is remotely logged into an XWindows session through VNC or if they are sitting at the console at school. When I log into my school VM from home and do a who, it show this when I am the only one logged in:

 user1   tty7    2013-10-10 23:31 (:1)
 user1   pts/0   2013-10-10 23:23 (:1.0)

Note: No one can log in directly to VM. Must log into school lan, then VM host and then VM. I'm really wondering if it is even considered a remote login if I have to login from my VM's host machine.

Answer 1

who

You'll have to do this using a couple of approaches. You can use the who command to see who's got an active shell or is ssh'ed into your VM.

$ who | cut -d' ' -f1 | sort -u
saml

users

You can also use the command user to see who's logged in. These are users that are currently shown as active in the the log files /var/run/utmp & /var/log/wtmp.

$ users | sed 's/ /\n/g'|sort -u
saml

who revisited

If you use the command who you'll notice the following lines:

$ who
saml     tty1         2013-10-06 10:05 (:0)
saml     pts/0        2013-10-06 10:07 (:0.0)
saml     pts/5        2013-10-07 11:48 (:0.0)

The 2nd column (tty1) means that someone is connected locally to one of the physical terminals. Additionally you'll notice that the 5th column of that line shows (`:0). This means someone is sitting on the VM directly and is running the X desktop.

The other lines like pts/0 are pseudo terminals and are typically what gets created when you create tabs in gnome-terminal or ssh into the box.

VNC?

This one is a bit trickier. There really isn't a way to know this directly especially since the VNC server is integrated into X. Looking for a process shows nothing.

$ pgrep -f vnc
$

You could look for VNC network connections:

$ sudo netstat -anpt | grep -i Xorg
tcp        0      0 0.0.0.0:5900                0.0.0.0:*                   LISTEN      3948/Xorg           
tcp        0      0 0.0.0.0:6000                0.0.0.0:*                   LISTEN      3948/Xorg           
tcp        0      0 192.168.1.3:5900            192.168.1.20:41064          ESTABLISHED 3948/Xorg           
tcp        0      0 :::6000                     :::*                        LISTEN      3948/Xorg

Here you can see that there is a VNC connection from IP 192.168.1.3 to port 5900, which is typically used for VNC, but this port is by no means a guarantee.

When the connection goes away the connections looks like this:

 $ netstat -anpt | grep -i Xorg
tcp        0      0 0.0.0.0:5900                0.0.0.0:*                   LISTEN      3948/Xorg           
tcp        0      0 0.0.0.0:6000                0.0.0.0:*                   LISTEN      3948/Xorg           
tcp        0      0 :::6000                     :::*                        LISTEN      3948/Xorg      

Additionally we could find out if the X server is running VNC, which it appears to be.

$ lsof -p 3948 | grep -i vnc
Xorg    3948 root  mem    REG      253,0   394420   48693751 /usr/lib/xorg/modules/extensions/libvnc.so

Probably your best bet to target in on VNC users is to eliminate who's actually physically on the box (users on physical terminals such as tty1), anyone that has a GNOME session is running a X desktop and is likely using VNC to connect to it.

$ ps -f -p $(pgrep -f gnome-session)
UID        PID  PPID  C STIME TTY          TIME CMD
root     22240  3943  0 Sep29 ?        00:00:00 /usr/bin/gnome-session

References

• what is pts/0 and (:0.0) in linux by type who am i
• “Who” prints duplicated usernames
• What does the who command result root :0 mean?