Subject: Re: interface to utmp file.
To: NetBSD Userlevel Technical Discussion List <tech-userlevel@NetBSD.ORG>
From: Greg A. Woods <>
List: tech-userlevel
Date: 05/20/1999 16:45:02
[ On Thursday, May 20, 1999 at 18:31:34 (+0000), Andy Doran wrote: ]
> Subject: Re: interface to utmp file.
> Out of interest, does the spec define failed logins as loggable in some
> way?

Nope.  As I recall most compliant or nearly compliant systems simply log
failed logins (attempted via login(8)) to /var/adm/loginlog if it exists.  ;-)

In theory though an entry with type LOGIN_PROCESS followed by an entry
for the same "ut_line" with type DEAD_PROCESS, and no intervening entry
for the same "ut_line" with type USER_PROCESS, would indicate that a
failed login had been attempted on the given "ut_line".  At least I
think that's the way the process goes... the spec. is rather vague on

On SunOS-5 I find that LOGIN_PROCESS entries are not written by anything
but init(8) [or is it getty(8)?], so you can't detect failed logins
attempted via telnet, for example.

							Greg A. Woods

+1 416 218-0098      VE3TCP      <>      <robohack!woods>
Planix, Inc. <>; Secrets of the Weird <>