
I am trying to compare the output of the btmp file and who -a commands.

I don't know why, but the btmp file currently is not showing the username; it's showing UNKNOWN in the username field. I am (username: debian) logged in in that session.

Please observe the output below:

virt00# who -a
           system boot  2016-03-06 19:36
           run-level 5  2016-03-06 19:36
debian   - tty1         2016-03-06 19:36 00:33        1006
debian   + pts/0        2016-03-06 19:43   .          1037 (192.168.56.1)

virt00# last -f /var/log/btmp | grep still
UNKNOWN  tty1                          Sat Feb 20 16:24   still logged in
virt00#

Could you please explain why there is a difference between these two, and why, when I have logged in via SSH, there is one more session running on the VM?

Thank you.

Rui F Ribeiro
Raja G

2 Answers


The file /var/log/btmp keeps track of failed login attempts. If everyone is logged in without problems, there is nothing to show.

In testing the feature, I am only able to see "UNKNOWN" logged (on Debian 7) using telnet (not ssh) and if I give an unknown username at the prompt, causing a failure. That is similar to the scenario shown in an Ubuntu thread sshd doesn't add to /var/log/btmp. Connecting with ssh never generates a failure on this machine.

A quick read of the source code does not show anyplace that last would supply the UNKNOWN by itself. That is probably from the application that created the record in /var/log/btmp.

In your configuration, it would seem that the login process was not able to get the actual user name and logged that as a problem in /var/log/btmp. Like utmp, it is possible to have stale entries in btmp which are not deleted (the program which creates the entries is supposed to remove them — this is not done automatically). Your example shows an entry a month old (February 20), and (since you are logged in as a known user on the same tty) is not related to your current login — and is from before the time the machine was most recently booted (March 3).

Further reading:

Thomas Dickey
  • I understand, but Mr Thomas, if I am successfully logged in, then why do I have an entry there? – Raja G Mar 21 '16 at 09:45
  • The file format is the same as `utmp` and `wtmp`, which do have values for those fields. The time it happened has meaning in the context of `btmp`, but it's not an event that spans a time range, and so that field is probably left blank, which is interpreted by `last` as meaning they're still logged in. – Bratchley Mar 22 '16 at 00:09

That's because who -a never reads /var/log/btmp; who reads /var/run/utmp and shows the currently logged-in user(s).

On the other hand, /var/log/btmp stores the failed login attempts.


I have reproduced the situation. I did:

  • Went to tty5 (could be any tty)

  • Entered a user that does not exist on the system

  • Gave a random password

  • The login prompt is back, showing wrong password

  • But there is an entry in /var/log/btmp as

    UNKNOWN  tty5  Mon Mar 21 16:16   still logged in

    After a while this has become:

    UNKNOWN  tty5  Mon Mar 21 16:16    gone - no logout

heemayl
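Both answers rest on the same mechanism: btmp shares the utmp record layout, and last(1) can only say "still logged in" because a failed attempt never produces a logout record for that tty. The following is an added example, not code from either answer or from the util-linux/sysvinit tools: it parses constructed btmp/wtmp bytes using the glibc x86_64 struct utmp layout (an assumption about the ABI) and reproduces the three states quoted on this page, using a pid-liveness callback in place of last's kill(pid, 0) check.

```python
import struct
from collections import namedtuple

# glibc x86_64 layout of struct utmp (384 bytes), shared by utmp, wtmp and btmp.
# Assumed for this example; other ABIs (32-bit, non-glibc) differ.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 6, 7, 8  # ut_type values from <utmp.h>
Record = namedtuple("Record", "type pid line user host sec")

def pack_record(ut_type, pid, line, user, host, sec):
    """Build one utmp-format record (constructed test data, not a real log)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)

def parse_records(data):
    """Split utmp/wtmp/btmp bytes into Records; a trailing partial record is ignored."""
    cstr = lambda b: b.split(b"\0", 1)[0].decode(errors="replace")
    fields = [struct.unpack_from(UTMP_FMT, data, off)
              for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE)]
    return [Record(f[0], f[1], cstr(f[2]), cstr(f[4]), cstr(f[5]), f[9]) for f in fields]

def login_status(recs, pid_alive):
    """Classify logins as last(1) does, newest to oldest: a later DEAD_PROCESS on the
    same line is the logout; else 'still logged in' while the pid exists, then 'gone'."""
    pending, out = [], []  # DEAD_PROCESS records newer than the current one
    for r in reversed(recs):
        if r.type == DEAD_PROCESS:
            pending.append(r)
        elif r.type in (LOGIN_PROCESS, USER_PROCESS):
            logout = next((d for d in pending if d.line == r.line), None)
            if logout:  # consume every logout record for this line, like last
                pending = [d for d in pending if d.line != r.line]
                status = "logout at %d" % logout.sec
            elif pid_alive(r.pid):
                status = "still logged in"
            else:
                status = "gone - no logout"
            out.append((r.user, r.line, r.sec, status))
    return out

def demo():
    # Constructed data: one failed attempt in btmp, one full session in wtmp.
    t = 1458569760  # constructed timestamp
    btmp = pack_record(LOGIN_PROCESS, 1200, "tty5", "UNKNOWN", "", t)
    wtmp = (pack_record(USER_PROCESS, 1037, "pts/0", "debian", "192.168.56.1", t)
            + pack_record(DEAD_PROCESS, 1037, "pts/0", "", "", t + 600))
    at_prompt = login_status(parse_records(btmp), lambda pid: pid == 1200)
    later = login_status(parse_records(btmp), lambda pid: False)
    session = login_status(parse_records(wtmp), lambda pid: False)
    return at_prompt, later, session
```

The btmp entry flips from "still logged in" to "gone - no logout" purely because the login process that wrote it has exited; no record in btmp ever changes, which is also why stale entries persist there until the file is rotated.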