0

If I have an operating system with multiple users logged in via ssh, is there any way I can find which physical machine is associated with each /dev/pts/N (where N is an integer)? All I know is the who and ps -aux commands that will show which user or process is associated with the device files, but can I get any more information about the physical machine that the user/process comes from? Maybe an I.P.?

5
  • A pseudo-terminal is not associated with a "physical machine". It's associated with a running process (e.g., ssh session, or a gui terminal window, a window in screen/tmux, etc). You can use ps to find what processes are using a given pts device, and potentially backtrack from there. Commented May 2, 2022 at 15:38
  • For what you're trying to do, the ss (or netstat) command might be more useful (e.g., ss -tnp | grep sshd) Commented May 2, 2022 at 15:38
  • Could you use one of the answers here?: unix.stackexchange.com/questions/92560/… Commented May 2, 2022 at 15:49
  • @larsks at the end of the day I was getting confused because the process was spawned at the initialization of the machine (parent PID=1). So what you say makes perfect sense. I was looking for a ssh session or something similar, but there is none. Can you post your comment as an answer? Commented May 3, 2022 at 12:41
  • Glad to help. I've posted the comments as an answer (with a slightly longer example). Commented May 3, 2022 at 13:24

2 Answers

1

SSH (and mosh) actually populate the utmp/wtmp files that e.g. who and last read with some useful information, including the remote IP address.

    ~$ who
    ...
    ilkkachu pts/26 2022-05-03 16:27 (127.0.0.1)
    $ last -1a
    ilkkachu pts/26 Tue May 3 16:27 still logged in 127.0.0.1

Though you might want to grep for the correct tty name:

    $ who | grep "pts/26"
    ilkkachu pts/26 2022-05-03 16:27 (127.0.0.1)

Alternatively, you could chase the list of open files to find the SSH process holding an fd on the tty, and then the corresponding network socket.

1
  • The command who indeed helped me. Particularly who -d showed that /pts/N was associated with a dead session. So in the end, although the process was communicating with a machine, it was not the machine that spawned it. Commented May 3, 2022 at 17:14
0

A pseudo-terminal is not associated with a "physical machine". It's associated with a running process (e.g., ssh session, or a gui terminal window, a window in screen/tmux, etc). You can use ps to find what processes are using a given pts device, and potentially backtrack from there.

For what you're trying to do, the ss (or netstat) command might be more useful. For example, I can find the remote addresses associated with active ssh connections by running something like:

    $ ss -tnp | grep sshd | grep ESTAB
    ESTAB 0 0 192.168.1.200:22 1.2.3.4:39240 users:(("sshd",pid=2706,fd=3))
    ESTAB 0 0 192.168.1.200:22 4.3.2.1:39242 users:(("sshd",pid=2809,fd=3),("sshd",pid=2771,fd=3))
1
  • You helped me elucidate some wrong thoughts I was having: I was mistaking /dev/pts/N files with active ssh sessions. Indeed, although the process was associated with a pts/N, the pts was not associated with any active ssh session. ss helped me find the machine that the process was communicating with. Thanks! Commented May 3, 2022 at 17:11
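
One way to script the lookup both answers describe (from the processes on a pts, up to the owning sshd, then to its socket in ss -tnp), as an added example that is not part of either answer. The function names and the sample process table are constructed for illustration, the two ss lines are the ones quoted in the answer above, and it assumes procps ps and iproute2 ss.

```shell
#!/bin/sh
# Added example (not from the answers). Parsers read command output on stdin.

# sshd_ancestor PID  < "ps -eo pid=,ppid=,comm="
# Walk up the parent chain from PID and print the first process whose name
# starts with "sshd"; exit 1 if the chain ends (PID 1 or a vanished parent).
sshd_ancestor() {
    awk -v start="$1" '
        { ppid[$1] = $2; comm[$1] = $3 }
        END {
            for (p = start; (p in ppid) && p > 1; p = ppid[p])
                if (comm[p] ~ /^sshd/) { print p; exit 0 }
            exit 1
        }'
}

# peer_of_pid PID  < "ss -tnp"
# Print the peer address:port of each established TCP socket held by PID.
peer_of_pid() {
    awk -v pid="$1" '$1 == "ESTAB" && index($0, "pid=" pid ",") { print $5 }'
}

# pts_peer pts/N: live lookup. Run as root, otherwise ss -p hides other
# users' processes. Starts from the session leader of the terminal.
pts_peer() {
    leader=$(ps -t "$1" -o sid= | awk 'NR == 1 { print $1 }')
    [ -n "$leader" ] || { echo "$1: no process on this tty" >&2; return 1; }
    sshd=$(ps -eo pid=,ppid=,comm= | sshd_ancestor "$leader") || {
        echo "$1: no sshd ancestor (local terminal, tmux, or orphan)" >&2
        return 1
    }
    ss -tnp | peer_of_pid "$sshd"
}

# Constructed process table; sshd PIDs chosen to match the ss output above.
SAMPLE_PS='    1     0 systemd
  900     1 sshd
 2771   900 sshd
 2809  2771 sshd
 2810  2809 bash
 3100     1 python3'
# The two ESTAB lines from the ss answer above.
SAMPLE_SS='ESTAB 0 0 192.168.1.200:22 1.2.3.4:39240 users:(("sshd",pid=2706,fd=3))
ESTAB 0 0 192.168.1.200:22 4.3.2.1:39242 users:(("sshd",pid=2809,fd=3),("sshd",pid=2771,fd=3))'

# Demo on the samples: shell 2810 -> sshd 2809 -> prints 4.3.2.1:39242
s=$(printf '%s\n' "$SAMPLE_PS" | sshd_ancestor 2810) &&
    printf '%s\n' "$SAMPLE_SS" | peer_of_pid "$s"
```

A process reparented to PID 1 (3100 in the sample) has no sshd ancestor, so the lookup fails for it instead of reporting an unrelated connection.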
