Quickly discover who is currently logged into your Linux system. 31.05.2026 | reading time: 2 min The `who` command reveals which accounts are logged into a Linux machine and on which terminals; it is a fast way to check active sessions and basic login metadata. See it in action Try this short session to observe `who` output and a more detailed view with `who -u`: ```bash $ who alice pts/0 May 31 09:12 (192.0.2.10) bob pts/1 May 31 10:02 (198.51.100.5) $ who -u alice pts/0 May 31 09:12 00:30 1234 (192.0.2.10) bob pts/1 May 31 10:02 00:05 2345 (198.51.100.5) ``` What the columns mean Typical `who` columns show username, terminal, login time and originating host; `who -u` often adds idle time and the process id, while `who -H` prints headers and `who -q` lists users with a count; use `who -a` to dump all available information and `who am i` to see the current session. Practical combinations Combine `who` with `grep`, `awk` or `sort` to filter sessions, pipe into `mail` or scripts for simple alerts, and cross-check with `last` or `w` when investigating suspicious activity or troubleshooting multiuser problems. Good companions For richer session info use `w` to see current processes per user, `last` for historical logins from `/var/log/wtmp`, and `whoami` to report the effective username of the current shell. Final note Mastering `who` helps with everyday auditing and incident triage; extend that skill by exploring related commands and consider formalizing knowledge with certifications like CompTIA Linux+ or LPIC-1 and intensive exam preparation at bitsandbytes.academy to level up. Join Bits & Bytes Academy First class LINUX exam preparation. utilities processes security troubleshooting
