$ Linux One Liners
Back to commands

Cybersecurity Triage

Read-only

List Users with Login Shells

You need to list accounts with shell-like login programs.

Command

awk -F: '$7 ~ /sh$/ {print $1, $7}' etc/passwd

Before you run this

System impact: Read-only. Low when scoped to the shown target.

When not to use it: Do not disable accounts from this output alone; confirm ownership and operational use first.

Expected output

Usernames and login shells for accounts ending in sh.

System impact

Read-only. Nothing changes. The command reads account records and prints shell users.

Recovery / rollback: no state is changed.

When to use it

Use during account inventory, server handoff, or first-response checks.

When not to use it

Do not disable accounts from this output alone; confirm ownership and operational use first.

Watch this command run

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

demo@lab:~$

$ cat etc/passwd

root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alex:x:1000:1000:Alex:/srv/example/users/alex:/bin/bash
deploy:x:1001:1001:Deploy:/srv/example/users/deploy:/bin/bash
backup:x:1002:1002:Backup:/srv/backup:/usr/sbin/nologin

$ awk -F: '$7 ~ /sh$/ {print $1, $7}' etc/passwd

root /bin/bash
alex /bin/bash
deploy /bin/bash
View commands shown

These are the commands shown in the sanitized transcript.

Commands shown

  1. cat etc/passwd
  2. awk -F: '$7 ~ /sh$/ {print $1, $7}' etc/passwd

next steps

Related commands

Cybersecurity Triage Sensitive output

Find SSH Keys for nologin Users

A nologin shell does not automatically mean SSH keys are irrelevant.

comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
Cybersecurity Triage Read-only

List Accounts with Login Shells

Login shells are the first account inventory to review.

awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' fixtures/user-access-audit/etc/passwd
Cybersecurity Triage Read-only

Find Password-Enabled Accounts

A shell account with an unlocked password hash deserves extra attention.

awk -F: '$2 !~ /^(!|\*)/ {print $1}' fixtures/user-access-audit/etc/shadow
Cybersecurity Triage Sensitive output

Find SSH Key Users with sudo

The highest-priority access review starts where SSH keys and sudo overlap.

comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
Cybersecurity Triage Sensitive output

Extract SSH AllowUsers Accounts

AllowUsers turns SSH access into an explicit account list.

awk '/^AllowUsers/ {for (i = 2; i <= NF; i++) print $i}' etc/ssh/sshd_config
Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.