Cybersecurity Triage
Risk: safe
Find SSH Key Users with sudo
You need to identify users who both have authorized_keys files and appear in the sudo group.
Command
comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
Before you run this
Risk: safe. Do not treat this as the only privilege path; direct sudoers rules and other privileged groups can matter too.
Expected output
Usernames present in both the authorized_keys owner list and the sudo group.
System impact
Nothing changes. The command compares fixture-local SSH key owners with sudo group members.
Recovery / rollback: no state is changed.
When to use it
Use during access reviews to prioritize accounts that can log in by key and elevate privileges.
When not to use it
Do not treat this as the only privilege path; direct sudoers rules and other privileged groups can matter too.
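The caveat above, carried through as an added example that is not part of the original page: this sh script widens the check from the sudo group to every user or %group rule in sudoers and sudoers.d, then intersects the result with authorized_keys owners. The function names, the etc/sudoers files in the fixture and all accounts are constructed assumptions.

```shell
# Added example, not from the original page. Fixture names and paths are constructed.

# Users owning ROOT/home/<user>/.ssh/authorized_keys.
key_owners() {
  find "$1/home" -path '*/.ssh/authorized_keys' | awk -F/ '{print $(NF-2)}' | sort -u
}

# "user source" for each principal with a rule in ROOT/etc/sudoers or sudoers.d/*.
# %group rules are expanded through ROOT/etc/group. Not handled (assumption of this
# sketch): User_Alias, netgroups, primary-GID membership, include directives.
sudo_paths() {
  root=$1
  cat "$root/etc/sudoers" "$root"/etc/sudoers.d/* 2>/dev/null |
    awk 'NF && $1 !~ /^[#@]/ && $1 !~ /^Defaults/ && $1 !~ /_Alias$/ {print $1}' |
    sort -u |
    while read -r who; do
      case $who in
        %*) awk -F: -v g="${who#%}" '$1 == g {
              n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i], "group:" g
            }' "$root/etc/group" ;;
        *)  echo "$who sudoers:direct" ;;
      esac
    done | sort -u
}

# Key owners that also have a sudo path, with the rule that grants it.
key_users_with_sudo() {
  keys=$(mktemp)
  key_owners "$1" > "$keys"
  sudo_paths "$1" | awk 'NR == FNR {k[$1] = 1; next} ($1 in k)' "$keys" -
  rm -f "$keys"
}

# Constructed fixture: five key owners, three different routes to sudo.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/sudoers.d"
  for u in alex breakglass deploy reports guest; do
    mkdir -p "$d/home/$u/.ssh"
    echo "ssh-ed25519 AAAA-constructed $u@lab" > "$d/home/$u/.ssh/authorized_keys"
  done
  printf '%s\n' 'sudo:x:27:alex,breakglass,nokey' 'wheel:x:10:reports' > "$d/etc/group"
  printf '%s\n' 'Defaults env_reset' 'root ALL=(ALL:ALL) ALL' \
    '%sudo ALL=(ALL:ALL) ALL' '%wheel ALL=(ALL) ALL' > "$d/etc/sudoers"
  echo 'deploy ALL=(root) NOPASSWD: /usr/bin/systemctl' > "$d/etc/sudoers.d/deploy"
  echo "$d"
}

fx=$(make_fixture); key_users_with_sudo "$fx"; rm -rf "$fx"
```

On the constructed fixture, deploy and reports are the key owners that a comparison against the sudo group alone would leave out.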
Watch this command run
Example output from a temporary Linux lab
This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.
$ find sample-files/user-access-audit/users -path '*/ssh-keys/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort
alex
breakglass
deploy
reports
$ comm -12 <(find sample-files/user-access-audit/users -path '*/ssh-keys/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' sample-files/user-access-audit/etc/group | sort)
alex
breakglass
This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.
Lab setup steps
find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort
comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
Next steps
Related commands
Find SSH Keys for nologin Users
A nologin shell does not automatically mean SSH keys are irrelevant.
comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
Count authorized_keys by User
authorized_keys is the practical SSH access list.
find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -exec sh -c 'for f do user=$(basename "$(dirname "$(dirname "$f")")"); keys=$(grep -vc "^[[:space:]]*#" "$f"); printf "%s %s %s\n" "$user" "$keys" "$f"; done' sh {} + | sort
Summarize SSH Authorized Key Types
Key inventory gets more useful when old key types stand out.
find home -path '*/.ssh/authorized_keys' -exec awk '{print $1}' {} + | sort | uniq -c | sort -nr
Inventory SSH authorized_keys
authorized_keys files are the practical list of who can use key-based SSH.
find home -path '*/.ssh/authorized_keys' -exec awk '{print FILENAME, $1, $NF}' {} +
Find Loose authorized_keys Modes
SSH key access files should not be looser than intended.
find home -path '*/.ssh/authorized_keys' -printf '%m %p\n' | awk '$1 > 600'
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.