Cybersecurity Triage
Read-only, sensitive output
Find SSH Keys for nologin Users
You need to spot accounts that have authorized_keys files even though their passwd shell is nologin.
Command
comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
Before you run this
System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.
When not to use it: Do not assume every match is exploitable; SSH daemon options, forced commands, and account policy can change behavior.
Expected output
Account names that are nologin in passwd but still have authorized_keys files.
System impact
Read-only, sensitive output. Nothing changes. The command compares fixture-local passwd accounts with authorized_keys owners.
May require elevated permissions on protected paths or service-owned files.
Recovery / rollback: no state is changed.
When to use it
Use when checking for stale SSH key files after service account changes or offboarding.
Explanation-only example
Illustrated output, not a live lab run
This example is intentionally illustrative. It shows the command shape without killing real processes or changing your machine.
$ awk -F: '{print $1, $7}' sample-files/user-access-audit/etc/passwd | sort
alex /bin/bash
backup /usr/sbin/nologin
breakglass /bin/bash
daemon /usr/sbin/nologin
deploy /bin/bash
reports /usr/sbin/nologin
root /bin/bash
www-data /usr/sbin/nologin
$ comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' sample-files/user-access-audit/etc/passwd | sort) <(find sample-files/user-access-audit/users -path '*/ssh-keys/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
reports
These are the commands shown in the sanitized transcript.
Commands shown
awk -F: '{print $1, $7}' fixtures/user-access-audit/etc/passwd | sort
comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
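A broader form of the check above, as an added example that is not part of the original page: it reads each account's home directory from passwd field 6 instead of inferring the user from the directory name under home/, so service accounts whose home sits elsewhere (for example /var/www) are covered, and it counts entries that carry a forced command, one of the factors named under "When not to use it". The function names, fixture layout and key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Fixture contents are constructed.

# audit_nologin_keys ROOT
# ROOT holds etc/passwd plus the home trees; use ROOT=/ on a live host.
# Output per match: user shell keys=N forced=N path
audit_nologin_keys() {
    root=${1%/}
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$shell" in
            ""|*sh) continue ;;  # empty shell defaults to /bin/sh; *sh mirrors the page's regex
        esac
        f="$root$home/.ssh/authorized_keys"   # home comes from passwd field 6
        [ -f "$f" ] || continue
        # Real entries only: skip blank lines and comments.
        keys=$(grep -Evc '^[[:space:]]*(#|$)' "$f" || true)
        # Entries restricted by a forced command (command="..." option).
        forced=$(grep -Ev '^[[:space:]]*(#|$)' "$f" | grep -c 'command="' || true)
        if [ "$keys" -gt 0 ]; then
            printf '%s %s keys=%s forced=%s %s\n' "$user" "$shell" "$keys" "$forced" "$f"
        fi
    done < "$root/etc/passwd"
    return 0
}

# make_fixture: build a constructed sample tree and print its path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/alex/.ssh" "$d/home/reports/.ssh" "$d/var/www/.ssh"
    cat > "$d/etc/passwd" <<'EOF'
alex:x:1000:1000::/home/alex:/bin/bash
backup:x:34:34::/var/backups:/usr/sbin/nologin
reports:x:1001:1001::/home/reports:/usr/sbin/nologin
www-data:x:33:33::/var/www:/usr/sbin/nologin
EOF
    echo 'ssh-ed25519 AAAAEXAMPLE alex@laptop' > "$d/home/alex/.ssh/authorized_keys"
    printf '%s\n' '# old reporting job' 'ssh-ed25519 AAAAEXAMPLE reports@cron' \
        > "$d/home/reports/.ssh/authorized_keys"
    printf '%s\n' 'command="/usr/local/bin/sync",no-pty ssh-ed25519 AAAAEXAMPLE sync@ci' \
        > "$d/var/www/.ssh/authorized_keys"
    echo "$d"
}

fx=$(make_fixture)
audit_nologin_keys "$fx"
rm -rf "$fx"
```

A match with forced=0 is the one to review first: nothing in the key entry itself restricts what the key holder can run.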
Next steps
Related commands
Find SSH Key Users with sudo
The highest-priority access review starts where SSH keys and sudo overlap.
comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
Count authorized_keys by User
authorized_keys is the practical SSH access list.
find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -exec sh -c 'for f do user=$(basename "$(dirname "$(dirname "$f")")"); keys=$(grep -vc "^[[:space:]]*#" "$f"); printf "%s %s %s\n" "$user" "$keys" "$f"; done' sh {} + | sort
List Accounts with Login Shells
Login shells are the first account inventory to review.
awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' fixtures/user-access-audit/etc/passwd
Summarize SSH Authorized Key Types
Key inventory gets more useful when old key types stand out.
find home -path '*/.ssh/authorized_keys' -exec awk '{print $1}' {} + | sort | uniq -c | sort -nr
Find Loose authorized_keys Modes
SSH key access files should not be looser than intended.
find home -path '*/.ssh/authorized_keys' -printf '%m %p\n' | awk '$1 > 600'
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.