How can I Identify who SSH into my Linux System?

Identifying who has logged into your system in Linux is way easier than the Windows Operating System.

In Linux System whenever someone tries to log in using SSH is recorded by the log file, the log file is located in /var/log/auth.log. Location can be different in other distributions.

If you have not found auth.log file in your system, try to execute the below command to view the log from systemctl.

journalctl -u sshd |tail -100
  • -u (Show the user journal for the current)
  • sshd (SSH user created by the system by default)
  • tail -100 (Print top 100 result from the log file)
journalctl of sshd
User logged in using SSH

Get the running process of the logged-in user using w

W command shows who is logged in your system right now with there name, PID, CPU Process, etc.

w command
w commannd
  • USER (Display name of the logged user)
  • TTY (User machine no or TTY Teletype)
  • LOGIN (User login time)
  • IDLE (User not usable time)
  • JCPU (Time user by all process attached to the tty)
  • PCPU (Time used by current process)
  • WHAT (Command currently executing by users)

Following option can be used by w command.

  • -h (Ignore header like USER, TTY, LOGIN, IDLE, JCPU, PCPU, WHAT)
  • -u (Ignore current user process name)
  • -s (Display only USER, TTY, IDLE, WHAT header information)
  • -i (Display IP of remote user)
w -h command
w -h command
w -u command
w -u command
w -s command
w -s command

Get logged in user name and process using who command

Who command is used to get list of logged user login name, process id, and time.

Read More: How to install Yay AUR Helper in Arch and Manjaro Linux

who command
who command

Display the username, line, and time of all currently logged-in sessions:


Display information only for the current terminal session:

who am i

Display all available information:

who -a

Display all available information with table headers:

who -a -H

Feel free to ask your query.

Leave a Reply