Looking into Linux user logins with lslogins

The lslogins command can help you look into details of user accounts and login activity


One convenient way to list details about user logins on a Linux system is to use the lslogins command. You'll get a very useful and nicely formatted display that includes quite a few important details.

On my system and likely most others, user accounts will start with UID 1000. To list just these accounts rather than include all of the service accounts like daemon, mail and syslog, add the -u option as shown in the example below.

$ sudo lslogins -u
  UID USER                PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
    0 root                 151        0        0            root
 1000 shs                   68        0        0      12:35 Sandra H-S
 1001 nemo                   0        0        0 2021-Jan05 Nemo Demo,,,
 1002 dbell                  0        0        1            Dory Bell
 1003 shark                  2        0        0       7:15 Sharon Hark
 1004 tadpole                0        0        0 2020-Dec05 Ted Pole
 1005 eel                    0        0        0 2021-Jan11 Ellen McDay
 1006 bugfarm                0        0        0 2021-Jan01 Bug Farm
 1008 dorothy                0        0        1            Dorothy Reuben
 1012 jadep                  0        0        1 2021-Jan04 Jade Jones
 1013 myself                 0        0        0 2021-Jan12 My Self
 1014 marym                  0        0        0 2020-Mar20 Mary McShea
 1017 gijoe                  0        0        0            GI Joe
65534 nobody                 0        0        1            nobody

The lslogins command gathers relevant information from system files such as /etc/passwd, /etc/shadow and /var/log/wtmp and lays it out in a format like that shown above. If you run this command without sudo, you will not be able to retrieve all of the information shown, because non-privileged accounts don't have access to all of the files that are needed.

The display shows the numeric UIDs, usernames and the number of processes running. This output suggests that the first user listed is likely logged in on the system console since she has 68 running processes. What we don't see is that she's also logged in on a pseudo terminal; we'd see two entries for this user if we used the who command.

The next two columns (PWD-LOCK and PWD-DENY) show that four accounts are locked. Each of these has a password hash field in the /etc/shadow file that begins with a "!". In addition, we see only five "recent" logins. (I put "recent" in quotes because March 20, 2020 doesn't seem all that recent to me.) This suggests not only that this user probably doesn't need her account any longer but that the system in general isn't heavily used because the /var/log/wtmp file rolled over in March 2020 or earlier. Since two of those LAST-LOGIN dates only show times--not dates--we know that they're both showing today's logins.

Show details for only one user

If you want to display the details for one particular user only, you can add the username to the command as an argument. You'll see quite a different display format and some additional details:

$ sudo lslogins shs
Username:                           shs
UID:                                1000
Gecos field:                        Sandra H-S
Home directory:                     /home/shs
Shell:                              /bin/bash
No login:                           no
Password is locked:                 no
Password not required:              no
Login by password disabled:         no
Password encryption method:         SHA-512
Primary group:                      shs
GID:                                1000
Supplementary groups:               secteam,sudo
Supplementary group IDs:            11,27
Last login:                         14:44
Last terminal:                      pts/1
Last hostname:                      192.168.0.13
Hushed:                             no
Password expiration warn interval:  7
Password changed:                   2020-Sep30
Maximum change time:                99999
Running processes:                  67

Look for failed logins

To detect failed logins, use the -f option (making the options -uf) as shown in this example:

$ sudo lslogins -uf
 UID USER    FAILED-LOGIN FAILED-TTY
   0 root
1000 shs
1001 nemo
1002 dbell   12:49        ssh:notty
1003 shark
1004 tadpole
1005 eel
1006 bugfarm
1008 dorothy
1012 jadep
1013 myself
1017 gijoe

If you want a list of usernames with failed logins, you could do this:

$ sudo lslogins -f | awk '{if ($4) print $2;}'
USER
dbell

View when passwords were last changed or will be expiring

Use the -a option to display password changing and expiration details.

$ sudo lslogins -ua
 UID USER    PWD-WARN PWD-MIN PWD-MAX PWD-CHANGE PWD-EXPIR
   0 root           7           99999 2020-Sep21
1000 shs            7           99999 2020-Sep30
1001 nemo           7              90 2020-Dec04
1002 dbell         14              90 2020-Oct27
1003 shark          7      10      90 2020-Mar15
1004 tadpole        7           99999 2019-Oct14 2020-Nov10
1005 eel            7           99999 2020-Jan18
1006 bugfarm        7           99999 2020-Jul08
1008 dorothy        7           99999 2019-Jul08
1012 jadep          7           99999 2019-Jul15
1013 myself         7           99999 2020-Jan18
1017 gijoe          7           99999 2020-Nov11

Use : as a field separator

Use the -c option to have your lslogins details colon-separated. This can be helpful if you intend to process this information further.

$ sudo lslogins -c | awk -F ":" '$1 >= 1000 {print}'
UID:USER:PROC:PWD-LOCK:PWD-DENY:LAST-LOGIN:GECOS
1000:shs:68:0:0:14:44:Sandra\x20H-S
1001:nemo:0:0:0:2020-Dec05:Nemo\x20Demo,,,
1002:dbell:0:0:1::Dory\x20Bell
1003:shark:0:0:0::Shark,,,
1004:tadpole:0:0:0::Tad\x20Pole,,,
1005:eel:0:0:0::Ellen,El,,
1006:bugfarm:0:0:0::Bug\x20Farm
1008:dorothy:0:0:1::Dorothy\x20Lee
1012:jadep:0:0:1::Jade\x20Jones
1013:myself:0:0:0::My\x20Self
1017:gijoe:0:0:0::GI\x20Joe
65534:nobody:0:0:1::nobody
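
Note that a LAST-LOGIN time such as 14:44 contains a colon of its own, so that row has one more field than the heading. The following is an added example, not part of the original article: it parses the -c output from both ends to recover LAST-LOGIN and lists regular accounts that still accept password logins but have no login on record. The sample rows are constructed, and the function names and the 1000-59999 UID range are assumptions.

```sh
#!/bin/sh
# Added example. Sample rows are constructed in the `lslogins -c` layout shown above.
sample_lslogins() {
cat <<'EOF'
UID:USER:PROC:PWD-LOCK:PWD-DENY:LAST-LOGIN:GECOS
0:root:152:0:0::root
1000:shs:68:0:0:14:44:Sandra\x20H-S
1001:nemo:0:0:0:2020-Dec05:Nemo\x20Demo,,,
1002:dbell:0:0:1::Dory\x20Bell
1017:gijoe:0:0:0::GI\x20Joe
65534:nobody:0:0:1::nobody
EOF
}

# Rewrite `lslogins -c` rows as tab-separated fields. The first five fields
# and the last one (GECOS) are fixed, so whatever lies between them is
# LAST-LOGIN, even when a time such as 14:44 splits it in two.
normalize_lslogins() {
  awk -F: 'NR == 1 { next }   # skip the heading row
  NF >= 7 {
    last = ""
    for (i = 6; i < NF; i++) last = last (i > 6 ? ":" : "") $i
    gecos = $NF
    gsub(/\\x20/, " ", gecos)  # lslogins -c escapes spaces as \x20
    printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, last, gecos
  }'
}

# Accounts in the regular-user UID range (1000-59999 is an assumption; check
# UID_MIN/UID_MAX in /etc/login.defs) that still allow password login
# (PWD-DENY = 0) but have no LAST-LOGIN on record.
never_logged_in() {
  normalize_lslogins |
    awk -F '\t' '$1 >= 1000 && $1 < 60000 && $5 == 0 && $6 == "" { print $2 }'
}

# On a live system: sudo lslogins -c | never_logged_in
sample_lslogins | never_logged_in   # prints: gijoe
```

An empty LAST-LOGIN only means there has been no login since /var/log/wtmp last rolled over, so treat the result as a list of accounts to review.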

List accounts running 10 or more processes

To get a quick list of the users running 10 or more processes, you can have the awk command shown below examine the 3rd field in the lslogins output. Fortunately for me, the string "PROC" is also alphanumerically greater than "10", so I don't have to make any extra effort to retain the normal column headings.

$ sudo lslogins | awk '$3 >= 10 {print}'
  UID USER                PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
    0 root                 152        0        0            root
 1000 shs                   68        0        0      14:44 Sandra H-S

Wrap-Up

The lslogins command provides quite a few useful options for looking into user accounts, but requires using sudo or logging in as root to see all of the details. Check out the man page to learn even more about this command.


Copyright © 2021 IDG Communications, Inc.
