Cybersecurity Triage

Find SSH Key Users with sudo

You need to identify users who both have authorized_keys files and appear in the sudo group.

Command

comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)

What changed

Nothing changes on the system. The command only reads the fixture's home directories and group file, then compares the SSH key owners with the sudo group members.

Danger

safe

When to use it

Use during access reviews to prioritize accounts that can log in by key and elevate privileges.

When not to use it

Do not treat this as the only privilege path; direct sudoers rules and other privileged groups can matter too.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Usernames present in both the authorized_keys owner list and the sudo group.

demo script

Disposable terminal steps

  1. find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort
  2. comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
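The same comm(1) join as an added example (not the lesson's own script), written for POSIX sh without process substitution and generalised so that any number of privileged groups can be checked in one pass, which covers the "other privileged groups" caveat above. The home root, group file and group names are parameters; make_fixture builds a constructed sample tree for a dry run.

```shell
#!/bin/sh
# Added example, not part of the lesson. Not covered, as the lesson's caveat
# notes: direct sudoers user specs and primary-group membership from /etc/passwd.

# key_users_in_groups HOME_ROOT GROUP_FILE GROUP...
# Prints, one per line, users who own <home>/.ssh/authorized_keys under
# HOME_ROOT and are listed as members of at least one GROUP in GROUP_FILE.
# The body runs in a subshell so temp files and variables stay local.
key_users_in_groups() (
    home_root=$1 group_file=$2
    shift 2
    key_owners=$(mktemp) group_members=$(mktemp)
    # Left list: from .../<user>/.ssh/authorized_keys keep only <user>.
    find "$home_root" -path '*/.ssh/authorized_keys' \
        | awk -F/ '{ print $(NF-2) }' | sort -u > "$key_owners"
    # Right list: explode the comma-separated member field of each wanted group.
    awk -F: -v want="$*" '
        BEGIN { n = split(want, g, " "); for (i = 1; i <= n; i++) keep[g[i]] = 1 }
        ($1 in keep) && $4 != "" { gsub(",", "\n", $4); print $4 }
    ' "$group_file" | sort -u > "$group_members"
    # comm -12 keeps only the lines present in both sorted inputs.
    comm -12 "$key_owners" "$group_members"
    rm -f "$key_owners" "$group_members"
)

# make_fixture DIR: constructed sample tree mirroring the lesson's layout
# (home/<user>/.ssh/authorized_keys plus etc/group). "ops" has a key but no
# privileged group; "reports" is in sudo but has no key; "deploy" is in wheel.
make_fixture() (
    root=$1
    for u in alex breakglass deploy ops; do
        mkdir -p "$root/home/$u/.ssh"
        : > "$root/home/$u/.ssh/authorized_keys"
    done
    mkdir -p "$root/home/reports" "$root/etc"
    printf 'root:x:0:\nsudo:x:27:alex,breakglass,reports\nwheel:x:10:deploy\n' \
        > "$root/etc/group"
)
```

Running key_users_in_groups "$dir/home" "$dir/etc/group" sudo wheel on the fixture prints alex, breakglass and deploy; with sudo alone, deploy drops out.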

simulated output

What it looks like

$ find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort
alex
breakglass
deploy
reports
::exit-code::0
$ comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
alex
breakglass
::exit-code::0

YouTube Short

Find key users with sudo.

Compare authorized_keys owners with sudo group members. Accounts in both lists deserve the first review pass.

LinkedIn hook

The highest-priority access review starts where SSH keys and sudo overlap.

Question: Do you prioritize accounts that have both SSH keys and sudo access?

experiments

A/B tests to run

Metric: save_rate

A: SSH keys plus sudo is priority access.

B: Find the overlap first.