Under Construction
utmp Entries from getty(1)
For logging in via serial ports and the system console, there are entries in /etc/inittab that start a getty(1) process. Here is the entry for the console as an example:
# lsitab cons
cons:0123456789:respawn:/usr/sbin/getty /dev/console
#
As for every other inittab entry, init(1) creates a utmp entry of type 5 (INIT_PROCESS):
# /usr/sbin/acct/fwtmp </etc/utmp | grep cons
cons cons vty0 5 12124356 0000 0000 1642068253 Thu Jan 13 11:04:13 2022
#
Once the getty process has started, it changes the entry in /etc/utmp to an entry of type 6 (LOGIN_PROCESS):
# /usr/sbin/acct/fwtmp </etc/utmp | grep cons
cons vty0 6 12124356 0000 0000 1642068374 Thu Jan 13 11:06:14 2022
#
Note: This usually happens so quickly that you don’t see the type 5 entry in /etc/utmp because it is overwritten immediately.
Note: The type 6 entry is not added to /var/adm/wtmp.
The field ut_user (user name) stays empty, the ID of the inittab entry (here cons) is stored in ut_id, and the device name of the terminal (here vty0) is stored in ut_line.
who(1) also has an option (-l) that lists these entries:
$ who -lH
Name Line Time Activity PID Hostname
LOGIN vty0 Jan 13 11:06 0:05 12124356
$
If a valid username and password are entered, getty(1) generates an entry of type 7 (USER_PROCESS).
# /usr/sbin/acct/fwtmp </etc/utmp | grep cons
ize0h29 cons vty0 7 12124356 0000 0000 1642068542 Thu Jan 13 11:09:02 2022
#
This entry overwrites the type 6 entry that getty(1) wrote to /etc/utmp when it started. Unlike the type 6 entry, which is recorded only in /etc/utmp, the type 7 (USER_PROCESS) entry is also appended to /var/adm/wtmp. This is what makes user logins traceable through the history in /var/adm/wtmp.
For type 7 entries, the username of the user who logs in is entered in the field ut_user, the ID as usual in ut_id and the interface on which the login takes place in ut_line.
"who" displays the type 7 entries; for a little more information, use "who -u" instead:
$ who -uH
Name Line Time Activity PID Hostname
user1 vty0 Jan 13 11:09 . 12124356
...
$
When the user logs out, the shell exits, which terminates the process that init(1) started (here PID 12124356). init(1) then writes a type 8 (DEAD_PROCESS) entry to /etc/utmp and /var/adm/wtmp, overwriting the type 7 (USER_PROCESS) entry in /etc/utmp:
# /usr/sbin/acct/fwtmp </etc/utmp | grep cons
cons vty0 8 12124356 0000 0000 1642068614 Thu Jan 13 11:10:14 2022
#
Note: This entry in /etc/utmp is normally not visible because the respawn action immediately overwrites it with a type 5 (INIT_PROCESS) entry: whenever a process started with respawn dies, init(1) starts a replacement at once. The new process naturally has a different PID.
The sequence described above then starts over.
Finally, we examine the case of failed login attempts.
First, let's use a bogus username 'invalid':
AIX Version 7
Copyright IBM Corporation, 1982, 2020.
Console login: invalid
invalid's Password: XXXXXXXX
You entered an invalid login name or password.
login:
In this case, getty(1) generates a type 7 (USER_PROCESS) entry in /etc/security/failedlogin:
# /usr/sbin/acct/fwtmp -X </etc/security/failedlogin
…
UNKNOWN_USER vty0 7 12124358 0000 0000 1642069146 Thu Jan 13 11:19:06 2022
#
The string "UNKNOWN_USER" is recorded as the user name (ut_user), and the terminal is recorded in ut_line as before. The indication that the entry belongs to a process started by init(1) is missing (ut_id is empty).
Note: Nothing is written to /etc/utmp or /var/adm/wtmp.
That is, the type 6 (LOGIN_PROCESS) entry in /etc/utmp remains!
When entering an incorrect password:
AIX Version 7
Copyright IBM Corporation, 1982, 2020.
Console login: user1
invalid's Password: XXXXXXXX
You entered an invalid login name or password.
login:
only an entry in /etc/security/failedlogin is logged:
# /usr/sbin/acct/fwtmp -X </etc/security/failedlogin
…
user1 vty0 7 12124358 0000 0000 1642069990 Thu Jan 13 11:33:10 2022
#
For successful logins, a type 7 (USER_PROCESS) entry is written to /etc/utmp and /var/adm/wtmp. For failed logins, a type 7 entry is written only to /etc/security/failedlogin.
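The record lifecycle above (type 7 login, type 8 logout on the same PID, type 7 in failedlogin for a failure) is what an analyst reconstructs when reviewing these files. The following is an added example, not code from the article or from AIX: it parses the whitespace-collapsed fwtmp text lines shown on this page, pairs logins with logouts from wtmp history, and counts failedlogin records per user. The sample records are constructed from the page's values; the user name in the type 7 wtmp record is assumed to be user1, matching the who output.

```python
from collections import Counter, namedtuple

# Constructed sample records in the whitespace-collapsed fwtmp text layout
# used on this page: [ut_user] [ut_id] ut_line ut_type ut_pid e_term e_exit ut_time date
WTMP_SAMPLE = """\
cons cons vty0 5 12124356 0000 0000 1642068253 Thu Jan 13 11:04:13 2022
user1 cons vty0 7 12124356 0000 0000 1642068542 Thu Jan 13 11:09:02 2022
cons vty0 8 12124356 0000 0000 1642068614 Thu Jan 13 11:10:14 2022
"""
FAILED_SAMPLE = """\
UNKNOWN_USER vty0 7 12124358 0000 0000 1642069146 Thu Jan 13 11:19:06 2022
user1 vty0 7 12124358 0000 0000 1642069990 Thu Jan 13 11:33:10 2022
"""

Entry = namedtuple("Entry", "user id line type pid time")

def parse_fwtmp_line(text):
    """Parse one fwtmp line from the right, because an empty ut_user or ut_id
    simply vanishes once whitespace is collapsed.  Assumption taken from the
    page's samples: with two leading fields, a type 7 record carries user+line,
    the init-owned types (5/6/8) carry id+line."""
    tok = text.split()
    head, utype = tok[:-10], int(tok[-10])      # tok[-5:] is the date string
    pid, utime = int(tok[-9]), int(tok[-6])     # tok[-8], tok[-7] are exit status
    if len(head) == 3:
        user, uid, line = head
    elif len(head) == 2:
        user, uid, line = (head[0], "", head[1]) if utype == 7 else ("", head[0], head[1])
    else:
        user, uid, line = "", "", head[0]
    return Entry(user, uid, line, utype, pid, utime)

def parse_fwtmp(text):
    return [parse_fwtmp_line(l) for l in text.splitlines() if l.strip()]

def sessions(wtmp_text):
    """Pair each USER_PROCESS (7) with the DEAD_PROCESS (8) on the same line and
    PID; returns (user, line, login_epoch, seconds) with seconds None if still open."""
    open_by_key, result = {}, []
    for e in parse_fwtmp(wtmp_text):
        if e.type == 7:
            open_by_key[(e.line, e.pid)] = e
        elif e.type == 8 and (e.line, e.pid) in open_by_key:
            start = open_by_key.pop((e.line, e.pid))
            result.append((start.user, start.line, start.time, e.time - start.time))
    result.extend((s.user, s.line, s.time, None) for s in open_by_key.values())
    return result

def failed_login_counts(failedlogin_text):
    """Failed attempts per ut_user; UNKNOWN_USER marks a name that did not exist."""
    return Counter(e.user for e in parse_fwtmp(failedlogin_text))
```

A spike of UNKNOWN_USER records on one ut_line, or a type 7 record in wtmp with no matching type 8, is the kind of anomaly this pairing surfaces.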