Under Construction

utmp Entries from sshd(8)

On current AIX systems most utmp entries are likely to come from sshd(8), which writes one login record when a user logs in and another when the user logs out.

Merely starting the sshd service does not generate any utmp entries.

Only a login attempt by a user generates utmp entries:

$ ssh aix01
user1's Password:
Last unsuccessful login: Thu Jan 13 13:34:52 2022 on ssh from aixnim
Last login: Thu Jan 13 13:35:07 2022 on ssh from aixnim
...
$ tty
/dev/pts/0
$

The interface (virtual terminal) is pts/0 in this case. A type 7 (USER_PROCESS) entry was generated in /etc/utmp and /var/adm/wtmp:

# /usr/sbin/acct/fwtmp </etc/utmp | grep pts/0
user1   pts/0          pts/0         7 5832840 0015 126337 1642078038 aixnim                   Thu Jan 13 13:47:18 2022
#

sshd stores the pseudo terminal used (here pts/0) in the ut_id field, where the ID of the inittab entry is normally recorded.

If the user logs out again:

$ exit
logout
Connection to aix01 closed.
$

then sshd(8) creates a type 8 (DEAD_PROCESS) entry in /etc/utmp and /var/adm/wtmp:

# /usr/sbin/acct/fwtmp </etc/utmp | grep pts/0
user1   pts/0          pts/0         8 5832840 0001 13162 1642078818                                  Thu Jan 13 14:00:18 2022
#

As with getty(1) and init(1), an existing entry for the same interface in /etc/utmp is reused and overwritten, so /etc/utmp never holds a type 7 (USER_PROCESS) entry and a type 8 (DEAD_PROCESS) entry for the same interface at the same time.

A failed login attempt with an invalid username results in a type 7 (USER_PROCESS) entry in /etc/security/failedlogin. UNKNOWN_USER is stored as the user name (ut_user), and the string "ssh" is stored in ut_line in place of an interface:

# /usr/sbin/acct/fwtmp -X </etc/security/failedlogin

UNKNOWN_USER                ssh           7 8913024 0000 0000 1642080048 aixnim                   Thu Jan 13 14:20:48 2022
#

A login attempt with a valid username but an invalid password also results in an entry in /etc/security/failedlogin:

$ ssh aix01
user1's Password: XXX
user1's Password: XXX
user1's Password: XXX
user1@aix01's password: XXX
Permission denied, please try again.
user1@aix01's password: XXX
Received disconnect from 10.1.2.3 port 22:2: Too many authentication failures
Authentication failed.
$

Since the username is valid, it is stored in the ut_user field:

# /usr/sbin/acct/fwtmp -X </etc/security/failedlogin

user1                   ssh           7 24051880 0000 0000 1642080496 aixnim                   Thu Jan 13 14:28:16 2022
user1                   ssh           7 24051880 0000 0000 1642080497 aixnim                   Thu Jan 13 14:28:17 2022
user1                   ssh           7 24051880 0000 0000 1642080498 aixnim                   Thu Jan 13 14:28:18 2022
user1                   ssh           7 24051880 0000 0000 1642080500 aixnim                   Thu Jan 13 14:28:20 2022
user1                   ssh           7 24051880 0000 0000 1642080502 aixnim                   Thu Jan 13 14:28:22 2022
#

Because the wrong password was entered five times during this login attempt, 5 failed attempts are recorded in /etc/security/failedlogin: one per password prompt, not one per connection.

Failed attempts are not logged in /etc/utmp or /var/adm/wtmp, so a review of failed logins has to read /etc/security/failedlogin (for example with fwtmp -X).
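The records above are easiest to work with once they are parsed out of the fwtmp text format. The following Python script is an added example, not part of this page or of AIX; it parses fwtmp output lines into fields, pairs the type 7 (USER_PROCESS) and type 8 (DEAD_PROCESS) records from wtmp into sessions with a duration, and flags bursts of failed logins in the failedlogin records (the five password failures from one host shown above). It assumes fwtmp prints whitespace-separated columns in the order ut_user, ut_id, ut_line, ut_type, ut_pid, e_termination, e_exit, ut_time, ut_host, date, with ut_id and ut_host possibly blank, exactly as in the output quoted on this page; the sample records are copied from that output.

```python
"""Parse AIX fwtmp output and extract ssh sessions and failed-login bursts.

Added example (not AIX code). Assumed column order of fwtmp output:
  ut_user [ut_id] ut_line ut_type ut_pid e_termination e_exit ut_time [ut_host] date
where ut_id and ut_host may be blank, as in the records shown on this page.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

USER_PROCESS = 7
DEAD_PROCESS = 8


@dataclass
class UtmpRecord:
    user: str
    ut_id: str
    line: str
    ut_type: int
    pid: int
    time: int   # ut_time, seconds since the epoch
    host: str   # blank for DEAD_PROCESS records


def parse_fwtmp_line(text: str) -> Optional[UtmpRecord]:
    """Parse one fwtmp output line; blank lines (fwtmp -X prints them) give None."""
    tokens = text.split()
    if len(tokens) < 12:            # user line + 5 numeric columns + 5 date tokens
        return None
    body = tokens[:-5]              # drop the trailing "Thu Jan 13 13:47:18 2022"
    # The five numeric columns (type pid term exit time) anchor the layout:
    # ut_line is the token right before them, ut_id (if present) sits between
    # ut_user and ut_line, and ut_host (if present) follows them.
    for i in range(2, len(body) - 4):
        if all(t.isdigit() for t in body[i:i + 5]):
            break
    else:
        raise ValueError(f"no numeric field block in: {text!r}")
    return UtmpRecord(
        user=body[0],
        ut_id=" ".join(body[1:i - 1]),
        line=body[i - 1],
        ut_type=int(body[i]),
        pid=int(body[i + 1]),
        time=int(body[i + 4]),
        host=" ".join(body[i + 5:]),
    )


def parse_fwtmp(text: str) -> List[UtmpRecord]:
    """Parse a whole fwtmp dump, skipping blank lines."""
    return [r for r in (parse_fwtmp_line(l) for l in text.splitlines()) if r]


def pair_sessions(records: List[UtmpRecord]) -> List[Tuple[str, str, int]]:
    """Match each DEAD_PROCESS record with the open USER_PROCESS record on the
    same line and pid; returns (user, line, duration_seconds) per session."""
    open_logins: Dict[Tuple[str, int], UtmpRecord] = {}
    sessions: List[Tuple[str, str, int]] = []
    for r in sorted(records, key=lambda r: r.time):
        key = (r.line, r.pid)
        if r.ut_type == USER_PROCESS:
            open_logins[key] = r    # a later login on the same line replaces it
        elif r.ut_type == DEAD_PROCESS and key in open_logins:
            login = open_logins.pop(key)
            sessions.append((login.user, login.line, r.time - login.time))
    return sessions


def failed_login_bursts(records: List[UtmpRecord], threshold: int = 5,
                        window: int = 60) -> List[Tuple[str, str, int]]:
    """Return (host, user, count) for each (host, user) with at least
    `threshold` sshd failedlogin records inside some `window`-second span."""
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for r in records:
        if r.ut_type == USER_PROCESS and r.line == "ssh":   # sshd writes "ssh" in ut_line
            by_pair[(r.host, r.user)].append(r.time)
    bursts = []
    for (host, user), times in by_pair.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):        # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((host, user, best))
    return bursts


# Sample records copied from the fwtmp output shown on this page.
WTMP_SAMPLE = """\
user1   pts/0          pts/0         7 5832840 0015 126337 1642078038 aixnim                   Thu Jan 13 13:47:18 2022
user1   pts/0          pts/0         8 5832840 0001 13162 1642078818                                  Thu Jan 13 14:00:18 2022
"""
FAILEDLOGIN_SAMPLE = """\

UNKNOWN_USER                ssh           7 8913024 0000 0000 1642080048 aixnim                   Thu Jan 13 14:20:48 2022
user1                   ssh           7 24051880 0000 0000 1642080496 aixnim                   Thu Jan 13 14:28:16 2022
user1                   ssh           7 24051880 0000 0000 1642080497 aixnim                   Thu Jan 13 14:28:17 2022
user1                   ssh           7 24051880 0000 0000 1642080498 aixnim                   Thu Jan 13 14:28:18 2022
user1                   ssh           7 24051880 0000 0000 1642080500 aixnim                   Thu Jan 13 14:28:20 2022
user1                   ssh           7 24051880 0000 0000 1642080502 aixnim                   Thu Jan 13 14:28:22 2022
"""

if __name__ == "__main__":
    for user, line, secs in pair_sessions(parse_fwtmp(WTMP_SAMPLE)):
        print(f"session {user}@{line} lasted {secs} s")
    for host, user, n in failed_login_bursts(parse_fwtmp(FAILEDLOGIN_SAMPLE)):
        print(f"burst: {n} failures for {user!r} from {host}")
```

On a live system the same functions can be fed the output of `/usr/sbin/acct/fwtmp </var/adm/wtmp` and `/usr/sbin/acct/fwtmp -X </etc/security/failedlogin`; the session pairing relies on the pid being identical in the type 7 and type 8 records, which is the case in the records above.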