1

I would like to know how the command "who" pulls out information about ssh history into a Linux system. For example, on my shared-network workstation, where everyone can ssh into it:

```
[johny@gandor ~]$ who
johny :0           2018-08-30 06:44 (:0)
johny pts/0        2018-08-30 06:45 (:0.0)
johny pts/1        2018-08-30 06:45 (:0.0)
Keiven pts/2        2018-08-30 19:46 (:50.0)
seman pts/6        2018-08-31 15:15 (:50.0)
johny pts/7        2018-08-31 15:51 (:50.0)
casper pts/8        2018-08-31 16:53 (:50.0)
johny pts/10       2018-09-01 06:25 (:50.0)
```

I think that this information is originally stored somewhere in Linux system files, and the command "who" reads that information from that file? If so, where is that file located?

  • If you run `strace who` you'll see exactly what files it's getting the information from. – steve Sep 01 '18 at 10:34
  • Hi Steve, thank you. I use CentOS 7. I don't see any path in the output of "strace". Also, cd into "/var/run/utmp." is not feasible. I mean there is no such file! –  Sep 01 '18 at 10:39
  • @Kasper: `/var/run/utmp` is a file, so you cannot `cd` into it. You also might want to add the output of `strace -e trace=open who` to your question. – Thomas Sep 01 '18 at 11:02
  • Thank you Zeta, I am new to this forum and I am not familiar with the rules. I will re-edit the question. Thanks! –  Sep 01 '18 at 13:26

2 Answers

3

If you run `strace -e open who`, you will see all files that `who` opens. On Linux, that includes `/var/run/utmp`. `utmp` is not a human-readable file; instead, it is a sequence of utmp structures (see `utmpx(5)`). On FreeBSD, `who` opens `/var/run/utx.active`.

You can also find this information at `who --help`, `man 1 who` or even `info who`, where the default file is mentioned.

Zeta
  • Good answer, hence +1, and generally `strace` is the way to go if you want to know what a program does underneath the hood. If there's no interesting file showing up with `open()` syscalls, that can mean it's likely communicating with the kernel via a library and gets information from there. – Sergiy Kolodyazhnyy Sep 01 '18 at 15:26
2

Take a look at the man page for `who`, e.g. "If FILE is not specified, use /var/run/utmp."

This is not a text file, so opening with `vi` will offer a poor view of the file contents. `od -c /var/run/utmp | more` would serve better.

steve
  • @Kasper Adding questions to existing questions is frowned upon. A question should have _one_ acceptable answer. If someone now comes along and answers _only_ the `utmp` part, none of the answers would be complete. That's why the general rule is: one post = one question. Feel free to open another post (although I've already answered your additional question in my answer, btw). – Zeta Sep 01 '18 at 13:23
  • And hence https://unix.stackexchange.com/questions/466257/ . – JdeBP Dec 13 '18 at 16:20
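
Both answers above note that `/var/run/utmp` is a sequence of binary utmp structures rather than text. The following is an added example, not code from any poster on this page, that decodes such records and applies the filter `who` uses. It assumes the glibc `struct utmp` layout on x86-64 Linux (384 bytes per record); the function names and the sample records are constructed for illustration.

```python
import struct
import sys
from datetime import datetime, timezone

# Assumption: glibc "struct utmp" layout on x86-64 Linux, 384 bytes per record.
# Fields: ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 reserved bytes.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values from <utmp.h>

def text(raw):
    # Fixed-width fields are NUL-padded and carry no terminator when completely full.
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(blob):
    """Return one dict per record; reject a file that ends in a partial record."""
    if len(blob) % UTMP.size:
        raise ValueError(f"{len(blob)} bytes is not a multiple of {UTMP.size}")
    return [{"type": f[0], "pid": f[1], "line": text(f[2]), "user": text(f[4]),
             "host": text(f[5]), "time": datetime.fromtimestamp(f[9], timezone.utc)}
            for f in UTMP.iter_unpack(blob)]

def logged_in(blob):
    """Sessions that who lists: USER_PROCESS records with a non-empty user name."""
    return [(r["user"], r["line"], r["time"].strftime("%Y-%m-%d %H:%M"), r["host"])
            for r in parse_utmp(blob) if r["type"] == USER_PROCESS and r["user"]]

def make_record(ut_type, pid, line, user, host, when):
    """Build one constructed record (test data only)."""
    ts = int(datetime(*when, tzinfo=timezone.utc).timestamp())
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample, not a real utmp file: boot marker, two live sessions, one closed.
SAMPLE = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", (2018, 8, 30, 6, 40)),
    make_record(USER_PROCESS, 2101, "pts/0", "johny", ":0.0", (2018, 8, 30, 6, 45)),
    make_record(DEAD_PROCESS, 2450, "pts/3", "", "", (2018, 8, 31, 9, 10)),
    make_record(USER_PROCESS, 3977, "pts/8", "casper", ":50.0", (2018, 8, 31, 16, 53)),
])

if __name__ == "__main__":
    # Pass a path such as /var/run/utmp to read a real file; times print in UTC.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for user, line, when, host in logged_in(data):
        print(f"{user:<8} {line:<12} {when} ({host})")
```

The file holds more than live sessions (boot markers, closed terminals), which is why the `ut_type` filter matters when reading it for audit or incident-response purposes.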