LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (https://www.linuxquestions.org/questions/linux-general-1/)
-   -   What are these system logins from who command? (https://www.linuxquestions.org/questions/linux-general-1/what-are-these-system-logins-from-who-command-4175573241/)

jdelaporte 02-25-2016 03:24 PM
What are these system logins from who command?
 
I've been using Linux for a a few years, but I'm still a little green around the edges. I recently noticed the following in my lab hosts at school, and I am trying to figure out what the system logins mean. The man page gives no info about the Comment section. The man page implies these are incoming or local logins. The hosts are all running Slackware 14.1.

Are these incoming login connections, outgoing connections, or something else? I do not expect to see these login sessions on my lab machines, and every machine I have looked at has them (always a subset of c1-c6), so I am mildly concerned. We have some cisco routers that are named c1 through c5, but there is no c6 router.

Code:
$ who -l
NAME      LINE        TIME            IDLE          PID COMMENT
userme + tty1        2016-02-25 11:05 02:52        867
LOGIN      tty2        2016-02-25 11:04              868 id=c2
LOGIN      tty3        2016-02-25 11:04              869 id=c3
LOGIN      tty4        2016-02-25 11:04              870 id=c4
LOGIN      tty5        2016-02-25 11:04              871 id=c5
LOGIN      tty6        2016-02-25 11:04              872 id=c6
Looking at the processes, I see the following:
Code:
$ ps -ef | grep 869
root      869    1  0 11:04 tty3    00:00:00 /sbin/agetty 38400 tty3 linux

$ pstree
init-+-acpid
    |-5*[agetty]
    |-atd
So, root is spawning ttys for these logins. But, what are they? Where can I determine why these are created, and for what purpose? Where does the id value come from? Are these possibly related to the routers, or is this some internal service login, and how would I verify that?

I can't find anything in the messages, system, or secure logs about these logins. They appear to be created about two minutes after reboot. I just rebooted and ssh'd back into this machine, and here they are again, with new times, and one new one:

Code:
$ who
LOGIN      tty1        2016-02-25 14:59              876 id=c1
LOGIN      tty2        2016-02-25 14:59              877 id=c2
LOGIN      tty3        2016-02-25 14:59              878 id=c3
LOGIN      tty4        2016-02-25 14:59              879 id=c4
LOGIN      tty5        2016-02-25 14:59              880 id=c5
LOGIN      tty6        2016-02-25 14:59              881 id=c6
userme + pts/0        2016-02-25 15:01  .          885 (myip)

I don't have /etc/anacrontab or /etc/crontab. Root's crontab doesn't have any jobs that run at reboot.
I recursively grep'd for c1 through c6 and agetty in my /etc/rc.d directory (which is the init directory on Slackware), and found only random other stuff like modules and keys that had the strings c1-c6 in them.

If you can point me toward identifying these, I'll owe you a drink.

-Joanna-

smallpond 02-25-2016 04:41 PM
ttyx are virtual consoles. agetty is the program running as root to wait for someone to login on each of those consoles. It sets the username shown by who to LOGIN.

michaelk 02-25-2016 05:02 PM
The term tty (teletypewriter) dates back to the beginning of multiuser computers. They connected to the mainframe using RS-232 (serial). Teletypewriters were mechanical devices which lead to the development of electronic terminals. The DEC VT100 was a popular model.

Most distributions create 6 virtual terminals tty1-tty6. You can switch between them by pressing the keys alt-f1 thru alt-f6 and you should see a login in prompt for each. These are local login processes. tty1 is the default and this is what you would see when linux boots without a GUI.

pts is a pseudo terminal and is created when you log in via ssh.

jdelaporte 03-03-2016 08:48 AM
Thanks smallpond and michaelk! Those were my virtual terminals, which I proved by logging in on tty3 and running the who command, where the tty held by id=c3 was replaced by my login.

Thanks!


All times are GMT -5. The time now is 06:48 PM.