$ Linux One Liners
Back to lessons

Cybersecurity Triage

Risk: safe

Count authorized_keys by User

You need to find which home directories have authorized_keys files and how many active key lines each contains.

Command

find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -exec sh -c 'for f do user=$(basename "$(dirname "$(dirname "$f")")"); keys=$(grep -vc "^[[:space:]]*#" "$f"); printf "%s %s %s\n" "$user" "$keys" "$f"; done' sh {} + | sort

Before you run this

Risk: safe. Do not remove keys just because they exist; confirm owner, source system, and current dependency first.

Expected output

Usernames, active key counts, and authorized_keys file paths.

System impact

Nothing changes. The command reads fixture-local authorized_keys files and counts non-comment lines.

Recovery / rollback: no state is changed.

When to use it

Use during SSH access inventory, offboarding, or server handoff when keys may outlive account ownership.

When not to use it

Do not remove keys just because they exist; confirm owner, source system, and current dependency first.

Watch this command run

Example output from a temporary Linux lab

This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.

demo@lab:~$

$ find sample-files/user-access-audit/users -path '*/ssh-keys/authorized_keys' -print | sort

sample-files/user-access-audit/users/alex/ssh-keys/authorized_keys
sample-files/user-access-audit/users/breakglass/ssh-keys/authorized_keys
sample-files/user-access-audit/users/deploy/ssh-keys/authorized_keys
sample-files/user-access-audit/users/reports/ssh-keys/authorized_keys

$ find sample-files/user-access-audit/users -path '*/ssh-keys/authorized_keys' -exec sh -c 'for f do user=$(basename "$(dirname "$(dirname "$f")")"); keys=$(grep -vc "^[[:space:]]*#" "$f"); printf "%s %s %s\n" "$user" "$keys" "$f"; done' sh {} + | sort

alex 2 sample-files/user-access-audit/users/alex/ssh-keys/authorized_keys
breakglass 1 sample-files/user-access-audit/users/breakglass/ssh-keys/authorized_keys
deploy 1 sample-files/user-access-audit/users/deploy/ssh-keys/authorized_keys
reports 1 sample-files/user-access-audit/users/reports/ssh-keys/authorized_keys
View reproducible demo details

This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.

Lab setup steps

  1. find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -print | sort
  2. find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -exec sh -c 'for f do user=$(basename "$(dirname "$(dirname "$f")")"); keys=$(grep -vc "^[[:space:]]*#" "$f"); printf "%s %s %s\n" "$user" "$keys" "$f"; done' sh {} + | sort

next steps

Related commands

Cybersecurity Triage Risk: safe

Find SSH Key Users with sudo

The highest-priority access review starts where SSH keys and sudo overlap.

comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
Cybersecurity Triage Risk: safe

Find SSH Keys for nologin Users

A nologin shell does not automatically mean SSH keys are irrelevant.

comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
Cybersecurity Triage Risk: safe

Summarize SSH Authorized Key Types

Key inventory gets more useful when old key types stand out.

find home -path '*/.ssh/authorized_keys' -exec awk '{print $1}' {} + | sort | uniq -c | sort -nr
Cybersecurity Triage Risk: safe

List authorized_keys Files

Authorized keys are the server's practical access list.

find home -path '*/.ssh/authorized_keys' -printf '%m %p\n'
Cybersecurity Triage Risk: safe

Inventory SSH authorized_keys

authorized_keys files are the practical list of who can use key-based SSH.

find home -path '*/.ssh/authorized_keys' -exec awk '{print FILENAME, $1, $NF}' {} +
Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:104-filesystems-permissions-fhs
  • lpic1:107-admin-tasks
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:security-hygiene
  • lfcs:storage
  • lfcs:users-groups
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:security
  • linuxplus:system-management
  • risk:read-only
  • risk:security-sensitive

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.