LinuxQuestions.org


Larry James 12-09-2000 10:01 AM

Something is happening that is causing bogus apparent logins. When a person logs in and out, you can see with the "w" command the status of his logging in. And after he has logged out, you can no longer see his name. However, the first line indicating the number of login users does not report an accurate count. At present, if I can count the user ID output with "w" I see 6. However, the first line is reporting 17 users.

Some accounts can log in and log out and the number will increase and decrease. Some accounts will log in, and the number will increase, but when they log out, the user name will not decrease.

Can someone advise me of where to look for a possible culprit in this matter?

I don't know if this affects or is one of the causes of the problem, but I recently manually added a number of accounts from one of the retired servers in the network.

The procedure I did was to have a routine to make a password record, add the information for the fields which included the login ID, an "x" indicating shadowed pass, an incremented user ID, group ID, Comment, home directory and shell. I did the same thing to append an appropriate shadow record. My routine created the user's home directory and set the owner to the user.

There wasn't a glitch as everyone was able to continue using the new system just as they did the old system.

I described a recent change, but don't think this is the culprit because this isn't the first machine that this routine has worked on. I don't know if the problem with the "w" out came before this changeover or after the changeover.

On a slightly related issue, can someone advise me if there is a flaw in my changeover method? Should I have included something else (whether it's the culprit of my problem or not)? Is there some type of authentication application that can be run on the passwd file to verify all the accounts and integrity of the system?

Thanks in advance for any suggestions or comments.


-- L. James



jeremy 12-09-2000 11:38 AM

Larry,
Try typing who and see what the output is. Does it come up with the first number or the second? You may want to get a copy of w from a known good CD and try that one as it is possible that w has been tampered with.

Larry James 12-09-2000 12:41 PM

Thanks. I already did a cmp on the current w and a backup of w. I just tested running the backup w and got the same thing. The backup is from a tar of the original install. I did this originally to study the difference between a default install and the changes that I knew I'd be making.

By the way, I failed to include that I had removed the /var/log/wtmp and rebooted the computer in case there was a problem with it trying to update a corrupted wtmp file.

Maybe I should consider reinstalling the package that w was a part of.

I appreciate your anticipation of an intruder. I'll be doing a totally new install soon. I believe the effort in trying to immediately fix this glitch might become educational and help me to identify other problems that may exist but may not have shown up yet.

-- L. James

Larry James 12-10-2000 11:59 AM

Okay. I found out more information about this problem. This only happens with users who log in and use ppp. The pppd is not updating the utmp file. This is causing zombie users who are appearing in finger and who, but who do not appear in w and last. Maybe there is some type of pppd option to force update of the utmp when the user disconnects.

The command line that starts the PPP session is:

/usr/sbin/pppd -detach crtscts lock 10.1.2.1:10.1.2.3

I'm running pppd version 2.4.0b4.

Thanks again for anyone who has any comments or suggestions.

-- L. James
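
An added example, not part of the original thread: a small checker that parses utmp records and reports login entries whose owning process no longer exists, which is the kind of stale entry described in the last post. It assumes glibc's 384-byte Linux utmp record layout; the sample records and the helper names are constructed for illustration.

```python
import os
import struct

# Assumption: glibc's Linux utmp record layout (384 bytes, little-endian):
# ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host, exit status, session,
# timestamp (sec, usec), address, padding.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type of a normal login session


def pid_alive(pid):
    """Return True if a process with this PID exists right now."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)  # signal 0 only checks existence and permission
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True


def parse_utmp(data):
    """Yield one dict per complete utmp record in the byte string."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        text = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
        yield {"type": f[0], "pid": f[1], "line": text(f[2]), "user": text(f[4])}


def stale_sessions(data, alive=pid_alive):
    """Login records whose owning process no longer exists."""
    return [r for r in parse_utmp(data)
            if r["type"] == USER_PROCESS and not alive(r["pid"])]


def make_record(ut_type, pid, line, user):
    """Build a constructed utmp record for the demonstration below."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), b"",
                     0, 0, 0, 0, 0, 0, 0, 0, 0, b"")


if __name__ == "__main__":
    # Constructed sample: one live session (this process) and one left behind,
    # with PID 0 standing in for a process that has exited.
    sample = (make_record(USER_PROCESS, os.getpid(), "pts/0", "alice")
              + make_record(USER_PROCESS, 0, "ttyS0", "bob"))
    for r in stale_sessions(sample):
        print("stale utmp entry:", r["user"], "on", r["line"], "pid", r["pid"])
```

To check a live system, pass the bytes read from /var/run/utmp to stale_sessions instead of the constructed sample.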

