The who command in Linux: display users connected to the system

Introduction

In any Linux environment, knowing who is connected to the system at a given time is essential for administration, security and technical support. The command who is a simple but powerful tool that shows information about users who are logged in on the machine, either locally or remotely. In this article we will explore how it works, its most useful options and practical examples that you can apply immediately.

What exactly does the command who do?

The command who reads the file /var/run/utmp (or its equivalent /var/log/wtmp in some distributions) and extracts the active login records. Each output line represents a user session and contains the following fields by default:

  • User name: the login that started the session.
  • Terminal: the associated pseudo-terminal device (e.g., tty1, pts/0).
  • Start date and time: when the connection was established.
  • Origin (optional): the IP address or the hostname from which the user connected, when available.

This information is valuable for detecting unauthorized access, managing open sessions or simply knowing who is working on the server.

Basic use

Running who without arguments shows all active sessions:

who

Typical output:

user

Columns are separated by spaces or tabs, which makes the output easy to process with tools such as awk or cut.

Most commonly used options

The command who has several options that expand its usefulness. The most relevant ones are:

  • -b or --boot: shows the time of the last system boot.
  • -H or --heading: includes a header line that describes each column.
  • -q or --count: only shows the number of users connected and their names.
  • -u: adds information about the inactivity time and the PID of the shell process.
  • -a or --all: is equivalent to using -b -d --login -p -r -t -T -u and shows all available information.
  • --help: shows a summary of the help.

For example, to see the boot time with a header:

who -bH

Output:

NAME     LINE         TIME             COMMENT
         system boot  2025-09-20 06:45

Practical examples

Let's see some scenarios where who is particularly useful.

1. Detecting remote sessions

If you want to know who is connected via SSH, you can filter on the pseudo-terminals (pts/*):

who | grep 'pts/'

2. Count active users

To quickly obtain the number of connected users:

who -q

Output:

user

3. See inactivity time

The option -u shows how long each terminal has been idle:

who -u

Example output:

user

The fifth column indicates the inactivity time as hours:minutes; a dot (.) means that the session is active at this time.

4. Combine with watch for real-time monitoring

To observe changes in connections every 5 seconds:

watch -n 5 who -H

5. Get only unique user names

If you need a list without duplicates:

who | awk '{print $1}' | sort -u

Administration and security tips

The command who is a first line of defence for access audits. Some good practices include:

  • Review the output of who -a to detect inactive accounts or orphan processes.
  • Combine who with last to get a history of session logins and logouts.
  • In monitoring scripts, use who -q to trigger alerts when the number of users exceeds a threshold.
  • Remember that who only shows current sessions; for a full history, consult /var/log/wtmp with last or lastb.
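The remote-session filter and the threshold alert described above can be combined into one small audit script. This is an added example, not part of the original article: the function names, the allowlist argument and the sample sessions are assumptions made for illustration, and it counts distinct user names (as in example 5) rather than the session count printed by who -q.

```shell
#!/bin/sh
# Added example: audit `who` output read from stdin.
# All function names are hypothetical; the sample below is constructed, not real data.
SAMPLE_WHO='alice    tty1         2025-09-20 08:01
bob      pts/0        2025-09-20 09:12 (192.0.2.10)
bob      pts/1        2025-09-20 09:30 (192.0.2.10)
carol    pts/2        2025-09-20 10:05 (198.51.100.7)'

# Number of distinct logged-in user names.
count_users() {
    awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Print "user line origin" for pts/* sessions that report an origin.
# Origins starting with ":" are local X displays, so they are skipped.
remote_sessions() {
    awk '$2 ~ /^pts\// && $NF ~ /^\(.*\)$/ && $NF !~ /^\(:/ {
        print $1, $2, substr($NF, 2, length($NF) - 2)
    }'
}

# Print remote sessions whose origin is not in the
# space-separated allowlist given as $1.
unexpected_origins() {
    remote_sessions | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($3 in ok)'
}

# Return 1 and print an alert when distinct users exceed threshold $1.
check_threshold() {
    users=$(count_users)
    if [ "$users" -gt "$1" ]; then
        echo "ALERT: $users users logged in (threshold $1)"
        return 1
    fi
    echo "OK: $users users logged in"
}

# Demo on the constructed sample; on a live host pipe `who` in instead,
# e.g.  who | unexpected_origins "192.0.2.10"
printf '%s\n' "$SAMPLE_WHO" | unexpected_origins "192.0.2.10"
```

On a real server, run the checks from cron or a monitoring agent with who piped into each function, and feed the allowlist from your own list of management hosts.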

Limitations and alternatives

Although who is very useful, it has some limitations:

  • It does not show running processes; for that, use ps or top.
  • In containers or environments with complex user names, the output may be less legible.
  • It does not provide information on resource consumption per session.

When more detailed metrics are needed, tools such as w (which combines information from who and uptime) or ss for network connections can be complementary.

Conclusion

The command who is an essential tool for any Linux administrator who needs to know, quickly and reliably, who is connected to the system. Its simple syntax, its flexible options and the possibility of combining it with other shell utilities make it ideal for both diagnostic tasks and automation scripts. Mastering who will allow you to maintain better control over access to your servers and respond quickly to any security incidents.

This work is licensed under a Creative Commons Attribution 4.0 International License by Francesc Roig (francesc@vivaldi.net).
