Looking into Linux user logins with lslogins
One convenient way to list details about user logins on a Linux system is to use the lslogins command. You’ll get a very useful and nicely formatted display that includes quite a few important details.
On my system and likely most others, user accounts will start with UID 1000. To list just these accounts rather than include all of the service accounts like daemon, mail and syslog, add the -u option as shown in the example below.
$ sudo lslogins -u UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
0 root 151 0 0 root
1000 shs 68 0 0 12:35 Sandra H-S 1001 nemo 0 0 0 2021-Jan05 Nemo Demo,,, 1002 dbell 0 0 1 Dory Bell 1003 shark 2 0 0 7:15 Sharon Hark 1004 tadpole 0 0 0 2020-Dec05 Ted Pole 1005 eel 0 0 0 2021-Jan11 Ellen McDay 1006 bugfarm 0 0 0 2021-Jan01 Bug Farm 1008 dorothy 0 0 1 Dorothy Reuben 1012 jadep 0 0 1 2021-Jan04 Jade Jones 1013 myself 0 0 0 2021-Jan12 My Self 1014 marym 0 0 0 2020-Mar20 Mary McShea 1017 gijoe 0 0 0 GI Joe 65534 nobody 0 0 1 nobody
What the lslogins command does is grab relevant information from system files such as /etc/passwd, /etc/shadow and /var/log/wtmp and lay it out in a format like that shown below. If you run this command without using sudo, you will not be able to retrieve all of the information shown. Non-privileged accounts won’t have access to all of the files that are needed.
The display shows the numeric UIDs, usernames and the number of processes running. This output suggests that the first user listed is likely logged in on the system console since she has 68 running processes. What we don’t see is that she’s also logged in on a pseudo terminal; we’d see two entries for this user if we used the who command.
The next two columns (PWD-LOCK and PWD-DENY) show that four accounts are locked. Each of these has a password hash field in the /etc/shadow file that begins with a “!”. In addition, we see only five “recent” logins. (I put “recent” in quotes because March 20, 2020 doesn’t seem all that recent to me.) This suggests not only that this user probably doesn’t need her account any longer but that the system in general isn’t heavily used because the /var/log/wtmp file rolled over in March 2020 or earlier. Since two of those LAST-LOGIN dates only show times–not dates–we know that they’re both showing today’s logins.
Show details for only one user
If you want to display the details for one particular user only, you can add the username to the command as an argument. You’ll see quite a different display format and some additional details:
$ sudo lslogins shs Username: shs UID: 1000 Gecos field: Sandra H-S Home directory: /home/shs Shell: /bin/bash No login: no Password is locked: no Password not required: no Login by password disabled: no Password encryption method: SHA-512 Primary group: shs GID: 1000 Supplementary groups: secteam,sudo Supplementary group IDs: 11,27 Last login: 14:44 Last terminal: pts/1 Last hostname: 192.168.0.13 Hushed: no Password expiration warn interval: 7 Password changed: 2020-Sep30 Maximum change time: 99999 Running processes: 67
Look for failed logins
To detect failed logins, use the -f option (making the options -uf) as shown in this example:
$ sudo lslogins -uf UID USER FAILED-LOGIN FAILED-TTY 0 root 1000 shs 1001 nemo 1002 dbell 12:49 ssh:notty 1003 shark 1004 tadpole 1005 eel 1006 bugfarm 1008 dorothy 1012 jadep 1013 myself 1017 gijoe
If you want a list of usernames with failed logins, you could do this:
$ sudo lslogins -f | awk '{if ($4) print $2;}' USER dbell
View when passwords were last changed or will be expiring
Use the -a option to display password changing and expiration details.
$ sudo lslogins -ua
UID USER PWD-WARN PWD-MIN PWD-MAX PWD-CHANGE PWD-EXPIR
0 root 7 99999 2020-Sep21
1000 shs 7 99999 2020-Sep30
1001 nemo 7 90 2020-Dec04
1002 dbell 14 90 2020-Oct27
1003 shark 7 10 90 2020-Mar15
1004 tadpole 7 99999 2019-Oct14 2020-Nov10
1005 eel 7 99999 2020-Jan18
1006 bugfarm 7 99999 2020-Jul08
1008 dorothy 7 99999 2019-Jul08
1012 jadep 7 99999 2019-Jul15
1013 myself 7 99999 2020-Jan18
1017 gijoe 7 99999 2020-Nov11
Use : as a field separator
Use the -c option to have your lslogins details colon-separated. This can be helpful if you intend to process this information further.
$ sudo lslogins -c | awk -F ":" '$1 >= 1000 {print}' UID:USER:PROC:PWD-LOCK:PWD-DENY:LAST-LOGIN:GECOS 1000:shs:68:0:0:14:44:Sandrax20H-S 1001:nemo:0:0:0:2020-Dec05:Nemox20Demo,,, 1002:dbell:0:0:1::Doryx20Bell 1003:shark:0:0:0::Shark,,, 1004:tadpole:0:0:0::Tadx20Pole,,, 1005:eel:0:0:0::Ellen,El,, 1006:bugfarm:0:0:0::Bugx20Farm 1008:dorothy:0:0:1::Dorothyx20Lee 1012:jadep:0:0:1::Jadex20Jones 1013:myself:0:0:0::Myx20Self 1017:gijoe:0:0:0::GIx20Joe 65534:nobody:0:0:1::nobody
List accounts running more than 10 processes
To get a quick list of how many users are running 10 or more processes, you can have the awk command shown below examine the 3rd field in the lslogins output. Fortunately for me, the string “PROC” is also alphanumerically greater than “10”, so I don’t have to make any extra effort to retain the normal column headings.
$ sudo lslogins | awk '$3 >= 10 {print}' UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS 0 root 152 0 0 root 1000 shs 68 0 0 14:44 Sandra H-S
Wrap-Up
The lslogins command provides quite a few useful options for looking into user accounts, but requires using sudo or logging in as root to see all of the details. Check out the man page to learn even more about this command.
Copyright © 2021 IDG Communications, Inc.