Under Construction

utmp Entries from getty(1)

For logging in via serial ports and the system console, there are entries in /etc/inittab that start a getty(1) process. Here is the entry for the console as an example:

# lsitab cons
cons:0123456789:respawn:/usr/sbin/getty /dev/console
#

As for all other entries, init(1) creates an entry with type 5 (INIT_PROCESS):

# /usr/sbin/acct/fwtmp </etc/utmp | grep cons
cons     cons           vty0          5 12124356 0000 0000 1642068253                                  Thu Jan 13 11:04:13 2022
#

Once the getty process has started, it changes the entry in /etc/utmp to an entry of type 6 (LOGIN_PROCESS):

# /usr/sbin/acct/fwtmp </etc/utmp | grep cons
         cons           vty0          6 12124356 0000 0000 1642068374                                  Thu Jan 13 11:06:14 2022
#

Note: This usually happens so quickly that you don’t see the type 5 entry in /etc/utmp because it is overwritten immediately.

Note: The type 6 entry is not added to /var/adm/wtmp.

The field ut_user (user name) remains empty, the ID of the inittab entry (here cons) is entered in ut_id and the device name of the interface (here vty0) is entered in ut_line.

For these entries there is also an option of who(1):

$ who -lH
Name         Line          Time     Activity       PID Hostname
LOGIN       vty0        Jan 13 11:06     0:05  12124356                 
$

If a valid username and password are entered, getty(1) generates an entry of type 7 (USER_PROCESS).

# /usr/sbin/acct/fwtmp </etc/utmp | grep cons
ize0h29  cons           vty0          7 12124356 0000 0000 1642068542                                  Thu Jan 13 11:09:02 2022
#

This entry overrides the type 6 entry made in /etc/utmp by getty(1) above when getty was started. In contrast to the type 6 entry, which is only recorded in /etc/utmp, the type 7 (USER_PROCESS) entry is also recorded in /var/adm/wtmp. This allows user logins to be tracked via the history in /var/adm/wtmp.

For type 7 entries, the username of the user who logs in is entered in the field ut_user, the ID as usual in ut_id and the interface on which the login takes place in ut_line.

who” can be used to display the type 7 entries or, for a little more information, “who –u” can be used instead:

$ who -uH
Name         Line          Time     Activity       PID Hostname
user1      vty0        Jan 13 11:09      .    12124356                
...
$

When the user logs out, the shell exits, killing the process started by init(1) (here with PID 12124356). Accordingly, a type 8 (DEAD_PROCESS) entry is logged in /etc/utmp and /var/adm/wtmp by init(1). The entry with type 7 (USER_PROCESS) is overwritten in /etc/utmp:

# /usr/sbin/acct/fwtmp </etc/utmp | grep cons
         cons           vty0          8 12124356 0000 0000 1642068614                                  Thu Jan 13 11:10:14 2022
#

Note: The entry in /etc/utmp is normally not visible because it is immediately overwritten by an entry of type 5 (INIT_PROCESS) after the respawn action. The init(1) process starts a new process immediately, if the old process started with respawn dies. Of course, the new process has a different PID.

The process described above is then repeated.

Finally, we examine the case of failed login attempts.

First, let’s use a bogus username ‘invalid‘:

AIX Version 7
Copyright IBM Corporation, 1982, 2020.
Console login: invalid
invalid's Password: XXXXXXXX
You entered an invalid login name or password.

login:

In this case, getty(1) generates a type 7 (USER_PROCESS) entry in /etc/security/failedlogin:

# /usr/sbin/acct/fwtmp -X </etc/security/failedlogin

UNKNOWN_USER                vty0          7 12124358 0000 0000 1642069146                                  Thu Jan 13 11:19:06 2022
#

The character string “UNKNOWN_USER” is used as the user name (ut_user), and the interface is also recorded in ut_line. The hint that this is an entry started by init(1) is missing (ut_id is empty).

Note: No entries are made in /etc/utmp and /var/adm/wtmp.

I.e. the type 6 (LOGIN_PROCESS) entry in /etc/utmp remains!

When entering an incorrect password:

AIX Version 7
Copyright IBM Corporation, 1982, 2020.
Console login: user1
invalid's Password: XXXXXXXX
You entered an invalid login name or password.

login:

only an entry in /etc/security/failedlogin is logged:

# /usr/sbin/acct/fwtmp -X </etc/security/failedlogin

user1                 vty0          7 12124358 0000 0000 1642069990                                  Thu Jan 13 11:33:10 2022
#

For successful logins, a type 7 (USER_PROCESS) is logged in /etc/utmp and /var/adm/wtmp. For unsuccessful logins, a type 7 entry is logged only in /etc/security/failedlogin.