LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Why /var/log/wtmp file having 2 entries for ssh session. (https://www.linuxquestions.org/questions/linux-newbie-8/why-var-log-wtmp-file-having-2-entries-for-ssh-session-4175619808/)

sgowthu 12-18-2017 02:57 AM
Why /var/log/wtmp file having 2 entries for ssh session.
 
When i do ssh /var/log/wtmp file having 2 enties,why it is happening.

root@firepower-1010:~# last
root ttyS0 Mon Dec 18 01:57 still logged in
root pts/0 64.103.219.215 Mon Dec 18 01:56 still logged in
root ssh 64.103.219.215 Mon Dec 18 01:56 still logged in
root pts/0 64.103.219.215 Mon Dec 18 01:55 - 01:55 (00:00)
root ssh 64.103.219.215 Mon Dec 18 01:55 - 01:55 (00:00)
root ttyS0 Mon Dec 18 01:54 - 01:57 (00:02)
root ttyS0 Mon Dec 18 01:54 - 01:54 (00:00)
root ttyS0 Mon Dec 18 01:54 - 01:54 (00:00)

MensaWater 12-18-2017 07:57 AM
What distribution of Linux is this and what version of that distribution are you running?

The one line is showing which terminal (or pseudo-terminal) you came in on which is pts/0. The next line appears to be showing how you came in which is ssh.

Interestingly I don't see that in RHEL5 through RHEL7 but do see it in CoreOS. This makes me think it was a change made in the 4.x kernel or associated programs.

sgowthu 12-18-2017 08:07 AM
Wind River Linux 8.0.0.22

MensaWater 12-18-2017 11:57 AM
This page confirms Wind River Linux 8.x uses a 4.x kernel.
https://knowledge.windriver.com/en-u...2C_8.0/000/020

You can verify kernel version by typing "uname -r".

The fact you see it and I see it on CoreOS which also has 4.x kernel makes me think it is something that changed after 3.x which RHEL7 runs. I couldn't find any information on why it changed.

On doing a test just now a login via the remote console port shows I came in on tty1 (terminal) and does NOT show a second line for that session. It appears to me the second line when I went in via PuTTY was to show how I got to the system (ssh) and the first line was for the pseudo-terminal I was using for that session (pts/0).

It may be they added method so when you examine it you'll know whether users is on a real terminal (tty) or pseudo-terminal (pty often shown as pts/#). Any login to the same terminal will always get the same tty whereas each login to a pseudo-terminal gets it in the order of logged in users. i.e. First person logging in gets pts/0, second person pts/1, third person pts/3 etc... but next time around if second person logs in before original first person then he'd get pts/0.

sgowthu 12-19-2017 12:08 AM
Yes there is some code changes happend in WRL8,only one entry seen on WRL6.


All times are GMT -5. The time now is 05:58 PM.