Cybersecurity Triage

Extract SSH AllowUsers Accounts

You need to extract each account named in an AllowUsers directive.

Command

awk '/^AllowUsers/ {for (i = 2; i <= NF; i++) print $i}' etc/ssh/sshd_config

What changed

Nothing changes. The command reads sshd_config and prints each allowed account on its own line.

Danger

safe

When to use it

Use during account reviews, server handoffs, or when checking whether a user is excluded by SSH allow-list policy.

When not to use it

Do not assume this is the complete access list if AllowGroups, Match blocks, PAM, or cloud-side controls also apply.
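Added example (not part of the lesson's own command): a wider read-only pass that also picks up AllowGroups, lowercase or indented keywords, the Keyword=value form, and the Match block each entry sits in. The function names allow_report and sample_config and every account, group and address in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example. Prints: scope <TAB> directive <TAB> entry <TAB> kind
allow_report() {
    awk '
    BEGIN { scope = "global"; OFS = "\t"
            name["allowusers"] = "AllowUsers"; name["allowgroups"] = "AllowGroups" }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # directives may be indented
    /^#/ || /^$/ { next }                        # skip comments and blank lines
    {
        # sshd also accepts "Keyword=value"; turn that first separator into a space
        if (match($0, /^[A-Za-z]+[ \t]*=[ \t]*/)) {
            kw = substr($0, 1, RLENGTH); rest = substr($0, RLENGTH + 1)
            sub(/[ \t]*=[ \t]*$/, "", kw)
            $0 = kw " " rest
        }
        kw = tolower($1)                         # keywords are case-insensitive
        if (kw == "match") { scope = $0; next }  # block lasts until next Match or EOF
        if (!(kw in name)) next
        for (i = 2; i <= NF; i++) {
            kind = "literal"
            if ($i ~ /[*?]/ || $i ~ /^!/) kind = "pattern"
            if (kw == "allowusers" && $i ~ /@/) kind = "host-restricted"
            print scope, name[kw], $i, kind
        }
    }' "$@"
}

# Constructed sample config (hypothetical accounts and addresses)
sample_config() {
    cat <<'EOF'
# sample only
Port 22
allowusers alice deploy@10.0.0.*
AllowGroups=sshadmins
#AllowUsers olduser
Match Address 192.0.2.0/24
    AllowUsers backup
EOF
}

sample_config | allow_report
```

Entries listed under a Match scope apply only to connections that meet that condition, so review each scope separately from the global list.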

Undo or recovery

No undo needed because this command is read-only.

Expected output

One SSH AllowUsers account per line.

demo script

Disposable terminal steps

  1. grep '^AllowUsers' etc/ssh/sshd_config
  2. awk '/^AllowUsers/ {for (i = 2; i <= NF; i++) print $i}' etc/ssh/sshd_config

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ grep '^AllowUsers' etc/ssh/sshd_config
AllowUsers alice deploy
::exit-code::0
$ awk '/^AllowUsers/ {for (i = 2; i <= NF; i++) print $i}' etc/ssh/sshd_config
alice
deploy
::exit-code::0
