Subject: Re: interface to utmp file.
To: NetBSD Userlevel Technical Discussion List <tech-userlevel@NetBSD.ORG>
From: Greg A. Woods <woods@most.weird.com>
List: tech-userlevel
Date: 05/20/1999 16:45:02
[ On Thursday, May 20, 1999 at 18:31:34 (+0000), Andy Doran wrote: ]
> Subject: Re: interface to utmp file.
>
> Out of interest, does the spec define failed logins as loggable in some
> way?

Nope.  As I recall most compliant or nearly compliant systems simply log
failed logins (attempted via login(8)) to /var/adm/loginlog if it exists.  ;-)

In theory though an entry with type LOGIN_PROCESS followed by an entry
for the same "ut_line" with type DEAD_PROCESS, and no intervening entry
for the same "ut_line" with type USER_PROCESS, would indicate that a
failed login had been attempted on the given "ut_line".  At least I
think that's the way the process goes... the spec. is rather vague on
this.

On SunOS-5 I find that LOGIN_PROCESS entries are not written by anything
but init(8) [or is it getty(8)?], so you can't detect failed logins
attempted via telnet, for example.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
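
The heuristic described in the message above (a LOGIN_PROCESS entry followed by a DEAD_PROCESS entry for the same "ut_line", with no USER_PROCESS entry in between), written out as an added example; it is not code from the original post or from NetBSD. It assumes the records arrive in chronological order from an append-only history (a wtmpx-style file). The names count_failed_logins, mkrec and MAX_LINES and the sample records are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <utmpx.h>

#define MAX_LINES 64  /* assumption: cap on terminals tracked at once */

/* Build a constructed record; only ut_type and ut_line matter here. */
static struct utmpx mkrec(short type, const char *line)
{
    struct utmpx u;
    memset(&u, 0, sizeof u);
    u.ut_type = type;
    strncpy(u.ut_line, line, sizeof u.ut_line - 1);
    return u;
}

/* Count LOGIN_PROCESS entries closed by DEAD_PROCESS on the same ut_line
 * with no USER_PROCESS in between. Records must be in chronological order. */
size_t count_failed_logins(const struct utmpx *recs, size_t n)
{
    char pending[MAX_LINES][sizeof recs->ut_line]; /* lines at a login prompt */
    size_t npending = 0, failed = 0;

    for (size_t i = 0; i < n; i++) {
        const struct utmpx *r = &recs[i];
        size_t j = 0;
        while (j < npending &&
               strncmp(pending[j], r->ut_line, sizeof r->ut_line) != 0)
            j++;
        if (r->ut_type == LOGIN_PROCESS) {
            if (j == npending && npending < MAX_LINES)
                memcpy(pending[npending++], r->ut_line, sizeof r->ut_line);
        } else if (j < npending &&
                   (r->ut_type == USER_PROCESS || r->ut_type == DEAD_PROCESS)) {
            if (r->ut_type == DEAD_PROCESS)
                failed++;  /* prompt ended without a user session */
            /* Either way the line is no longer waiting: drop its slot. */
            memmove(pending[j], pending[--npending], sizeof r->ut_line);
        }
    }
    return failed;
}

int main(void)
{
    struct utmpx sample[] = {  /* constructed records, not real wtmpx data */
        mkrec(LOGIN_PROCESS, "tty01"), mkrec(USER_PROCESS, "tty01"),
        mkrec(DEAD_PROCESS, "tty01"),  mkrec(LOGIN_PROCESS, "tty02"),
        mkrec(DEAD_PROCESS, "tty02"),
    };
    printf("failed logins: %zu\n",
           count_failed_logins(sample, sizeof sample / sizeof sample[0]));
    return 0;
}
```

The count only covers attempts for which a LOGIN_PROCESS record was actually written, so a login path that never writes one is invisible to it.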