$ Linux One Liners
Back to lessons

Cybersecurity Triage

Count authorized_keys by User

You need to find which home directories have authorized_keys files and how many active key lines each contains.

Command

find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -exec sh -c 'for f do user=$(basename "$(dirname "$(dirname "$f")")"); keys=$(grep -vc "^[[:space:]]*#" "$f"); printf "%s %s %s\n" "$user" "$keys" "$f"; done' sh {} + | sort

What changed

Nothing changes. The command reads fixture-local authorized_keys files and counts non-comment lines.

Danger

safe

When to use it

Use during SSH access inventory, offboarding, or server handoff when keys may outlive account ownership.

When not to use it

Do not remove keys just because they exist; confirm owner, source system, and current dependency first.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Usernames, active key counts, and authorized_keys file paths.

demo script

Disposable terminal steps

  1. find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -print | sort
  2. find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -exec sh -c 'for f do user=$(basename "$(dirname "$(dirname "$f")")"); keys=$(grep -vc "^[[:space:]]*#" "$f"); printf "%s %s %s\n" "$user" "$keys" "$f"; done' sh {} + | sort
Terminal transcript Demo JSON

simulated output

What it looks like

disposable vessel 
::fixture-ready::
$ find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -print | sort
fixtures/user-access-audit/home/alex/.ssh/authorized_keys
fixtures/user-access-audit/home/breakglass/.ssh/authorized_keys
fixtures/user-access-audit/home/deploy/.ssh/authorized_keys
fixtures/user-access-audit/home/reports/.ssh/authorized_keys
::exit-code::0
$ find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -exec sh -c 'for f do user=$(basename "$(dirname "$(dirname "$f")")"); keys=$(grep -vc "^[[:space:]]*#" "$f"); printf "%s %s %s\n" "$user" "$keys" "$f"; done' sh {} + | sort
alex 2 fixtures/user-access-audit/home/alex/.ssh/authorized_keys
breakglass 1 fixtures/user-access-audit/home/breakglass/.ssh/authorized_keys
deploy 1 fixtures/user-access-audit/home/deploy/.ssh/authorized_keys
reports 1 fixtures/user-access-audit/home/reports/.ssh/authorized_keys
::exit-code::0

YouTube Short

Count SSH keys by user.

Find authorized keys files, count active key lines, and turn scattered SSH access into a reviewable list.

LinkedIn hook

authorized_keys is the practical SSH access list.

Question: Do you count authorized_keys entries by user during offboarding?

experiments

A/B tests to run

Metric: watch_time

A: Count SSH keys by user.

B: Turn keys into an access list.