How to find the machine from which a user logged into the current machine using ssh?

In a multi-server architecture, is it possible to find out from which machine a user logged into the current machine using ssh?

For example, user1 logged into host1. From there, the user logged into host2 as sruser using ssh.

In the above example, would it be possible to trace the sruser session of host2 back to user1 session in host1?

Would it be possible to get the hostname or terminal of user1 session?

Here are the solutions:


Solution 1

The who and last commands might be useful for displaying the host from which users are connected.

Solution 2

If you are an ordinary user on host2, you can see who is currently logged in from where with the who command, and who logged in from where in the past with the last command. Both show the remote host name or IP address for ssh logins; this is usually host1, but can be a gateway that relayed the ssh connection.

It is in principle impossible to know who user1 is. After all, host1 might not even be running a multiuser system, or might be an anonymous relay. This doesn’t mean user2 has absolute privacy amongst the known users of host1; for example, if you’re the administrator on host2, and the user uses public key authentication, and you’ve configured the ssh server to dump information about the public key used, then you can find out the user’s public key, and perhaps correlate it from information obtained elsewhere.

Some past questions on Super User may interest you:
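Added example, not part of the answer above: one way an administrator on host2 could do the correlation Solution 2 describes, by matching the key fingerprint in sshd's "Accepted publickey" log line against the entries in sruser's authorized_keys. It assumes OpenSSH's log format with SHA256 fingerprints; the function names are hypothetical and the keys, log lines and addresses are constructed. The source address may still be a gateway, and the key comment is only a label.

```python
import base64, hashlib, re

def fingerprint(b64_blob):
    """SHA256 fingerprint of a base64 key blob, in the form OpenSSH logs it."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_keys(authorized_keys_text):
    """Map fingerprint -> key comment for each authorized_keys entry."""
    keys = {}
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type, so locate the type field first.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                comment = " ".join(fields[i + 2:]) or "(no comment)"
                keys[fingerprint(fields[i + 1])] = comment
                break
    return keys

ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) "
    r"port (?P<port>\d+)(?: ssh2)?(?:: \S+ (?P<fp>SHA256:\S+))?")

def trace_logins(log_text, keys, user):
    """List source host, method and matching key comment for each login of user."""
    sessions = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m and m["user"] == user:
            owner = keys.get(m["fp"], "unknown key") if m["fp"] else None
            sessions.append({"src": m["src"], "port": int(m["port"]),
                             "method": m["method"], "key_owner": owner})
    return sessions

# Constructed sample data: fake key blobs and documentation-range addresses.
BLOB_A = base64.b64encode(b"constructed-key-blob-for-user1").decode()
BLOB_B = base64.b64encode(b"constructed-key-blob-for-user9").decode()
SAMPLE_KEYS = (f"# sruser authorized_keys\nssh-ed25519 {BLOB_A} user1@host1\n"
               f'from="192.0.2.*" ssh-ed25519 {BLOB_B} user9@host3\n')
SAMPLE_LOG = "\n".join([
    "Mar  3 10:15:02 host2 sshd[4121]: Accepted publickey for sruser "
    f"from 192.0.2.10 port 51234 ssh2: ED25519 {fingerprint(BLOB_A)}",
    "Mar  3 10:17:30 host2 sshd[4150]: Accepted publickey for root "
    f"from 192.0.2.50 port 50111 ssh2: ED25519 {fingerprint(BLOB_B)}",
    "Mar  3 10:20:40 host2 sshd[4188]: Accepted password for sruser "
    "from 192.0.2.77 port 40022 ssh2"])

if __name__ == "__main__":
    for s in trace_logins(SAMPLE_LOG, load_keys(SAMPLE_KEYS), "sruser"):
        print(s)
```

A password login yields only the source address, which is the limit the answer points out: without a per-user key there is nothing on host2 that identifies user1.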

Solution 3

Not sure about Solaris, but on Linux lsof -u user | grep \:ssh should work fine.


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
