Cybersecurity Triage
Read-only, sensitive outputFind SSH Key Users with sudo
You need to identify users who both have authorized_keys files and appear in the sudo group.
Command
comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)Before you run this
System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.
When not to use it: Do not treat this as the only privilege path; direct sudoers rules and other privileged groups can matter too.
Expected output
Usernames present in both the authorized_keys owner list and the sudo group.
System impact
Read-only, sensitive output. Nothing changes. The command compares fixture-local SSH key owners with sudo group members.
May require elevated permissions on protected paths or service-owned files.
Recovery / rollback: no state is changed.
When to use it
Use during access reviews to prioritize accounts that can log in by key and elevate privileges.
When not to use it
Do not treat this as the only privilege path; direct sudoers rules and other privileged groups can matter too.
Explanation-only example
Illustrated output, not a live lab run
This example is intentionally illustrative. It shows the command shape without killing real processes or changing your machine.
$ find sample-files/user-access-audit/users -path '*/ssh-keys/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort
alex
breakglass
deploy
reports$ comm -12 <(find sample-files/user-access-audit/users -path '*/ssh-keys/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' sample-files/user-access-audit/etc/group | sort)
alex
breakglassView commands shown
These are the commands shown in the sanitized transcript.
Commands shown
find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sortcomm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
next steps
Related commands
Find SSH Keys for nologin Users
A nologin shell does not automatically mean SSH keys are irrelevant.
comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
Count authorized_keys by User
authorized_keys is the practical SSH access list.
find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -exec sh -c 'for f do user=$(basename "$(dirname "$(dirname "$f")")"); keys=$(grep -vc "^[[:space:]]*#" "$f"); printf "%s %s %s\n" "$user" "$keys" "$f"; done' sh {} + | sort
Summarize SSH Authorized Key Types
Key inventory gets more useful when old key types stand out.
find home -path '*/.ssh/authorized_keys' -exec awk '{print $1}' {} + | sort | uniq -c | sort -nr
Inventory SSH authorized_keys
authorized_keys files are the practical list of who can use key-based SSH.
find home -path '*/.ssh/authorized_keys' -exec awk '{print FILENAME, $1, $NF}' {} +
Find Loose authorized_keys Modes
SSH key access files should not be looser than intended.
find home -path '*/.ssh/authorized_keys' -printf '%m %p\n' | awk '$1 > 600'
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.