Linux – Old utmp entries

Tags: linux, log-files, ssh

I'm an administrator of a small Debian Lenny server, and I have this problem: Sometimes, when a user's SSH session is closed, the entry is not removed from /var/run/utmp, resulting in such messages from finger:

grawity@sine ~$ finger
finger: /dev//pts/31: No such file or directory
Login        Name              Tty      Idle  Login Time   Office     Office Phone
user1        (user)            pts/1      1d  Jul 15 19:12 (foo.uk)
user2        (another user)    pts/33   6:25  Jul 13 12:02 (bar:S.1)
user2        (another user)   *pts/34   6:31  Jul 13 17:00 (bar:S.0)
grawity      (me)              pts/25         Jul 17 11:57 (78-56-197-6:S.0)
grawity      (me)              pts/27         Jul 17 11:57 (78-56-197-6.static.zebra.lt)
Segmentation fault
grawity@sine ~$ _

…and sometimes even a segfault or two. Once utmp even had two entries pointing to the same tty (but belonging to different users).

Any ideas why this happens?

So far, I manage to fix utmp (using some utility designed for erasing Unix logs :> ), but that is obviously not a solution, not when it happens every day.

Edit: This question is not about records disappearing (so far I haven't seen that) – it's about the opposite: records not being removed when a login session is closed.

Best Answer

finger segfaulting is really not a good sign. I'd at least make cursory checks for a break-in; at least run chkrootkit and debsums, for example. Second, have you tried clearing out utmp entirely by rm or echo -n > utmp? It may be corrupted in some subtle manner.

Lastly, have you done anything with your PAM setup in /etc/pam.d? That could easily cause logouts not to be recorded.
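
An added example, not part of the original question or answer: a read-only audit of /var/run/utmp that reports the symptoms described above (sessions whose tty no longer exists, sessions whose login process is gone, two sessions on one tty, and a file that is not a whole number of records). It assumes glibc's 384-byte struct utmp layout on Linux x86/x86_64; the function names are hypothetical.

```python
import os
import struct
from collections import Counter

# Assumption: glibc's 384-byte struct utmp on Linux x86/x86_64:
# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit,
# ut_session, ut_tv, ut_addr_v6, unused.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
USER_PROCESS = 7  # ut_type of a logged-in user session

def _s(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Yield (type, pid, line, user, host) for each complete record."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield f[0], f[1], _s(f[2]), _s(f[4]), _s(f[5])

def pid_alive(pid):
    """True if a process with this pid exists (pids can be reused)."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)  # signal 0 checks existence, sends nothing
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True

def tty_exists(line):
    return os.path.exists(os.path.join("/dev", line))

def audit(data, pid_alive=pid_alive, tty_exists=tty_exists):
    """Return a list of (problem, user, line, pid) findings."""
    sessions = [r for r in parse_utmp(data) if r[0] == USER_PROCESS]
    per_line = Counter(r[2] for r in sessions)
    findings = []
    for _type, pid, line, user, _host in sessions:
        if not tty_exists(line):
            findings.append(("missing-tty", user, line, pid))
        elif not pid_alive(pid):
            findings.append(("dead-pid", user, line, pid))
        if per_line[line] > 1:
            findings.append(("duplicate-tty", user, line, pid))
    if len(data) % UTMP.size:
        findings.append(("truncated-file", "", "", 0))
    return findings

if __name__ == "__main__":
    with open("/var/run/utmp", "rb") as fh:
        for finding in audit(fh.read()):
            print(*finding)
```

Running it from cron and logging the findings with a timestamp makes it possible to match a stale record against the sshd and PAM log lines for the same session.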