
Cybersecurity Triage

Find SSH Keys for nologin Users

You need to spot accounts that still have authorized_keys files even though their login shell in /etc/passwd is nologin.

Command

comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)

What changed

Nothing changes. The command compares fixture-local passwd accounts with authorized_keys owners.

Danger

safe

When to use it

Use when checking for stale SSH key files after service account changes or offboarding.

When not to use it

Do not assume every match is exploitable; SSH daemon options, forced commands, and account policy can change behavior. Also note that the command only looks under the fixture's home tree and treats any shell not ending in bash, sh, or zsh as non-login, so a service account homed elsewhere (for example under /var) is not matched.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Account names that are nologin in passwd but still have authorized_keys files.

demo script

Disposable terminal steps

  1. awk -F: '{print $1, $7}' fixtures/user-access-audit/etc/passwd | sort
  2. comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ awk -F: '{print $1, $7}' fixtures/user-access-audit/etc/passwd | sort
alex /bin/bash
backup /usr/sbin/nologin
breakglass /bin/bash
daemon /usr/sbin/nologin
deploy /bin/bash
reports /usr/sbin/nologin
root /bin/bash
www-data /usr/sbin/nologin
::exit-code::0
$ comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
reports
::exit-code::0
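The same check as a self-contained script, added here as an example rather than the lesson's own command. It builds a constructed fixture in a temp directory (the passwd lines, home paths, and key file contents are made up) and goes one step further than the lesson: it reads each account's home directory from passwd field 6 instead of guessing /home/<name>, so service accounts homed outside /home are caught too, and it treats /bin/false like nologin.

```shell
#!/bin/sh
# Added example, not the lesson's own command. Builds a constructed fixture in a
# temp dir, then reports accounts whose passwd shell is nologin or false AND whose
# passwd home directory (field 6) contains .ssh/authorized_keys. Reading the home
# field instead of guessing /home/<name> also catches service accounts homed
# outside /home, which the lesson's find-based variant would miss.

# Create a throwaway fixture tree and print its root path.
build_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/etc" "$fx/home/alex/.ssh" "$fx/home/reports/.ssh" "$fx/var/backups/.ssh"
  cat > "$fx/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alex:x:1000:1000::/home/alex:/bin/bash
reports:x:1001:1001::/home/reports:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/false
www-data:x:33:33::/var/www:/usr/sbin/nologin
EOF
  # Constructed key files; their contents do not matter for the check.
  echo 'ssh-ed25519 AAAA...constructed alex@laptop' > "$fx/home/alex/.ssh/authorized_keys"    # login shell: not reported
  echo 'ssh-ed25519 AAAA...constructed reports@ci'  > "$fx/home/reports/.ssh/authorized_keys" # nologin: reported
  echo 'ssh-ed25519 AAAA...constructed backup@old'  > "$fx/var/backups/.ssh/authorized_keys"  # false, home outside /home: reported
  printf '%s\n' "$fx"
}

# Print, sorted one per line, the accounts with a non-login shell whose home
# directory under root $1 holds an authorized_keys file.
nologin_key_owners() {
  root=$1
  awk -F: '$7 ~ /(nologin|false)$/ {print $1 ":" $6}' "$root/etc/passwd" |
  while IFS=: read -r user home; do
    # $home is absolute inside the audited system, so prefix it with the root.
    if [ -f "$root$home/.ssh/authorized_keys" ]; then
      printf '%s\n' "$user"
    fi
  done | LC_ALL=C sort
}

# Stand-alone run: prints "backup" then "reports".
fx=$(build_fixture)
nologin_key_owners "$fx"
rm -rf "$fx"
```

Point the function at a real root (for example a mounted forensic image) by passing that mount point instead of the fixture path.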

YouTube Short

Find keys on nologin accounts.

Compare nologin accounts against authorized keys owners to find stale SSH access files that deserve review.

LinkedIn hook

A nologin shell does not automatically mean SSH keys are irrelevant.

Question: Do you check for authorized_keys files on service or nologin accounts?

experiments

A/B tests to run

Metric: completion_rate

A: Find stale key files.

B: Compare nologin users to SSH keys.