Cybersecurity Triage

Risk: safe

Find SSH Keys for nologin Users

You need to spot accounts that have authorized_keys files even though their passwd shell is nologin.

Command

comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)

Before you run this

Risk: safe. Do not assume every match is exploitable; SSH daemon options, forced commands, and account policy can change behavior.

Expected output

Account names that are nologin in passwd but still have authorized_keys files.

System impact

Nothing changes. The command compares fixture-local passwd accounts with authorized_keys owners.

Recovery / rollback: no state is changed.

When to use it

Use when checking for stale SSH key files after service account changes or offboarding.

When not to use it

Do not assume every match is exploitable; SSH daemon options, forced commands, and account policy can change behavior.
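The lesson's command joins non-login accounts to authorized_keys by the home directory's basename, which misses a home such as /srv/backup whose name differs from the username. The script below, an added example rather than the lesson's own command, joins through the passwd home field ($6) instead and separates keys carrying a forced command (command="...") from unrestricted ones. Every path, account and key in it is constructed under a temporary directory.

```sh
#!/bin/sh
# Added example, not the lesson's own command: join non-login accounts to
# authorized_keys through the passwd home field ($6) instead of the home
# directory's name, so accounts whose home lives outside /home or is named
# differently from the user are still reported. All paths, accounts and key
# strings below are constructed under a temporary directory.
set -eu

# Build a disposable fixture: "svc-backup" has a home dir (/srv/backup) whose
# basename differs from its username, and its key carries a forced command.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/etc" "$root/home/alex/.ssh" "$root/home/reports/.ssh" "$root/srv/backup/.ssh"
  cat > "$root/etc/passwd" <<'EOF'
root:x:0:0::/root:/bin/bash
alex:x:1000:1000::/home/alex:/bin/bash
reports:x:1001:1001::/home/reports:/usr/sbin/nologin
svc-backup:x:1002:1002::/srv/backup:/bin/false
www-data:x:33:33::/var/www:/usr/sbin/nologin
EOF
  echo 'ssh-ed25519 AAAAC3constructedkey alex@lab' > "$root/home/alex/.ssh/authorized_keys"
  echo 'ssh-ed25519 AAAAC3constructedkey reports@lab' > "$root/home/reports/.ssh/authorized_keys"
  echo 'command="/usr/local/bin/backup.sh",restrict ssh-ed25519 AAAAC3constructedkey backup@lab' \
    > "$root/srv/backup/.ssh/authorized_keys"
  printf '%s\n' "$root"
}

# Print "user shell keys=N unrestricted=M" for each account whose shell does
# not end in sh (the lesson's bash|sh|zsh pattern) but whose passwd home dir
# holds an authorized_keys file. Keys limited by a command="..." option are
# counted separately: they do not hand out a shell even on a nologin account.
nologin_keys() {
  passwd=$1 root=$2
  while IFS=: read -r user _ _ _ _ home shell; do
    case $shell in *sh) continue ;; esac
    f="$root$home/.ssh/authorized_keys"
    [ -f "$f" ] || continue
    # skip blank and comment lines when counting keys
    total=$(grep -cvE '^[[:space:]]*(#|$)' "$f") || total=0
    open=$(grep -vE '^[[:space:]]*(#|$)' "$f" | grep -cvE '(^|[ ,])command=') || open=0
    printf '%s %s keys=%s unrestricted=%s\n' "$user" "$shell" "$total" "$open"
  done < "$passwd"
}

ROOT=$(make_fixture)
nologin_keys "$ROOT/etc/passwd" "$ROOT"
rm -rf "$ROOT"
```

On the constructed fixture this prints reports (one unrestricted key) and svc-backup (one forced-command key); www-data has no key file and is omitted, and alex is skipped because bash is a login shell.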

Watch this command run

Example output from a temporary Linux lab

This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.

$ awk -F: '{print $1, $7}' sample-files/user-access-audit/etc/passwd | sort

alex /bin/bash
backup /usr/sbin/nologin
breakglass /bin/bash
daemon /usr/sbin/nologin
deploy /bin/bash
reports /usr/sbin/nologin
root /bin/bash
www-data /usr/sbin/nologin

$ comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' sample-files/user-access-audit/etc/passwd | sort) <(find sample-files/user-access-audit/users -path '*/ssh-keys/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)

reports


This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.

Lab setup steps

  1. awk -F: '{print $1, $7}' fixtures/user-access-audit/etc/passwd | sort
  2. comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)

Next steps

Related commands

Cybersecurity Triage Risk: safe

Find SSH Key Users with sudo

The highest-priority access review starts where SSH keys and sudo overlap.

comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)

Cybersecurity Triage Risk: safe

Count authorized_keys by User

authorized_keys is the practical SSH access list.

find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -exec sh -c 'for f do user=$(basename "$(dirname "$(dirname "$f")")"); keys=$(grep -vc "^[[:space:]]*#" "$f"); printf "%s %s %s\n" "$user" "$keys" "$f"; done' sh {} + | sort

Cybersecurity Triage Risk: safe

List Accounts with Login Shells

Login shells are the first account inventory to review.

awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' fixtures/user-access-audit/etc/passwd

Cybersecurity Triage Risk: safe

Summarize SSH Authorized Key Types

Key inventory gets more useful when old key types stand out.

find home -path '*/.ssh/authorized_keys' -exec awk '{print $1}' {} + | sort | uniq -c | sort -nr

Cybersecurity Triage Risk: safe

Find Loose authorized_keys Modes

SSH key access files should not be looser than intended.

find home -path '*/.ssh/authorized_keys' -printf '%m %p\n' | awk '$1 > 600'

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:104-filesystems-permissions-fhs
  • lpic1:107-admin-tasks
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:security-hygiene
  • lfcs:storage
  • lfcs:users-groups
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:security
  • linuxplus:system-management
  • risk:read-only
  • risk:security-sensitive

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.