Introduction
In any Linux environment, knowing who is logged into the system at a given moment is essential for administration, security, and technical support. The who command is a simple yet powerful tool that displays information about users who have logged into the machine, either locally or remotely. In this article we will explore how it works, its most useful options, and practical examples you can apply immediately.
What exactly does the who command do?
The who command reads the file /var/run/utmp (or its equivalent /var/log/wtmp in some distributions) and extracts active login records. Each line of output represents a user session and contains, by default, the following fields:
- Username: the login that started the session.
- Terminal: the associated device or pseudo‑terminal (for example, tty1, pts/0).
- Login date and time: when the connection was established.
- Origin (optional): the IP address or hostname from which the user connected, when available.
This information is valuable for detecting unauthorized access, managing open sessions, or simply knowing who is working on the server.
Basic usage
Running who without arguments shows all active sessions:
who
Typical output:
user1 tty7 2025-09-20 08:15 (:0)
user2 pts/0 2025-09-20 09:03 (192.168.1.45)
user3 pts/1 2025-09-20 09:12 (10.0.0.22)
Each column is separated by spaces or tabs, making it easy to process with tools like awk or cut.
Most used options
The who command has several options that extend its usefulness. Below are the most relevant:
- -b or --boot: shows the time of the last system boot.
- -H or --heading: includes a header line describing each column.
- -q or --count: only shows the number of logged‑in users and their names.
- -u: adds information about idle time and the PID of the shell process.
- -a or --all: equivalent to using -b -d --login -p -r -t -T -u and displays all available information.
- --help: shows a brief help summary.
For example, to see the boot time and the header:
who -bH
Output:
NAME LINE TIME COMMENT
system boot 2025-09-20 06:45
Practical examples
Let’s look at some scenarios where who is especially useful.
1. Detect remote sessions
If you want to know who is connected via SSH, you can filter by pseudo‑terminals (pts/*):
who | grep 'pts/'
2. Count active users
To quickly get the number of connected users:
who -q
Output:
user1 user2 user3
# users=3
3. View idle time
The -u option shows how long each terminal has been idle:
who -u
Example output:
user1 tty7 2025-09-20 08:15 08:15 1234 (:0)
user2 pts/0 2025-09-20 09:03 00:10 5678 (192.168.1.45)
The fifth column indicates hours:minutes of idle time; a dot (.) means the session is active at this moment.
4. Combine with watch for real‑time monitoring
To watch for changes in connections every 5 seconds:
watch -n 5 who -H
5. Get only unique usernames
If you need a list without duplicates:
who | awk '{print $1}' | sort -u
Administration and security tips
The who command is a first line of defense for access audits. Some good practices include:
- Periodically review the output of who -a to detect inactive accounts or orphaned processes.
- Combine who with last to obtain a history of login and logout sessions.
- In monitoring scripts, use who -q to trigger alerts when the number of users exceeds a threshold.
- Remember that who only shows current sessions; for a full history, consult /var/log/wtmp with last or lastb.
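The remote-session filter and the user-count alert described above can be combined in one monitoring script. The following is an added example, not part of the original article: the sample who output, the trusted origin prefixes (192.168.1. and 10.0.0.) and all function names are constructed assumptions. It also shows that pts/ entries alone do not prove a network login, so the origin column is checked instead.

```sh
#!/bin/sh
# Added example (not from the article): audit `who` output read from stdin.
# Constructed sample in the article's format; on a live host pipe `who` instead.
SAMPLE_WHO='user1 tty7 2025-09-20 08:15 (:0)
user2 pts/0 2025-09-20 09:03 (192.168.1.45)
user3 pts/1 2025-09-20 09:12 (10.0.0.22)
user2 pts/2 2025-09-20 09:30 (203.0.113.7)'

# remote_sessions: print "user line origin" for every session whose last field
# is a parenthesised origin. Local X displays such as (:0) and sessions with
# no origin field are skipped; anything else is treated as remote.
remote_sessions() {
    awk '$NF ~ /^\(.+\)$/ {
        origin = substr($NF, 2, length($NF) - 2)
        if (origin !~ /^:/) print $1, $2, origin
    }'
}

# unexpected_origins PREFIX...: keep only remote sessions whose origin does not
# begin with one of the allowed prefixes (hypothetical allowlist, passed as args).
unexpected_origins() {
    allowed="$*"
    remote_sessions | awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, p, " ") }
        {
            ok = 0
            for (i = 1; i <= n; i++) if (index($3, p[i]) == 1) ok = 1
            if (!ok) print
        }'
}

# unique_user_count: number of distinct usernames (who -q counts sessions instead).
unique_user_count() {
    awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# over_threshold MAX: exit status 0 when distinct users on stdin exceed MAX.
over_threshold() {
    [ "$(unique_user_count)" -gt "$1" ]
}

# Demo on the constructed sample: prints the one session from an untrusted origin.
printf '%s\n' "$SAMPLE_WHO" | unexpected_origins 192.168.1. 10.0.0.
```

On a real host, replace the sample with `who | unexpected_origins <your prefixes>` and run it from cron or a monitoring agent.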
Limitations and alternatives
Although who is very useful, it has some limitations:
- It does not show running processes; for that use ps or top.
- In containers or environments with complex usernames, the output may be less readable.
- It does not provide information about resource consumption per session.
When more detailed metrics are needed, tools like w (which combines information from who and uptime) or ss for network connections can be complementary.
Conclusion
The who command is an essential tool for any Linux administrator who needs to know, quickly and reliably, who is connected to the system. Its simple syntax, flexible options, and ability to be combined with other shell utilities make it ideal for both diagnostic tasks and automation scripts. Mastering who will let you maintain better control over access to your servers and respond swiftly to any security incident.