Scenario:
- Log into a Linux server interface as root.
- Initiate an SSH session with the server using PuTTY and a valid user account (e.g. fakeuser).
- Log into TTY2 of the Linux server interface using another valid user account (e.g. faketester).
Issue:
With these three login sessions, the Linux server reports that there are five (5) users logged into the server and lists the users as:
faketester
fakeuser
fakeuser
faketester
root
The TTY2 and SSH sessions are counted twice.
I am testing this on RHEL 6.5.
How are you listing users? Check the 'tty' using 'ps -ef' to see how many processes are on each session.
who shows logged in users. ps and other tools show processes (can be many for one user), not logins. su - username is not counted as a login by who.
I did try the who command and this was the result. Notice the time stamp.
faketester tty2 Jan 27 13:17
fakeuser pts/2 Jan 27 13:21 (XX.X.XXX.XXX)
fakeuser pts/3 Jan 27 13:21
faketester pts/0 Jan 27 13:17 (:tty2:S.0)
root pts/1 Jan 27 13:15 (:tty1:S.0)
who reads the /var/log/utmp (and others) file for login information.
So, I cannot assume anything but that those are valid login records.
The only way to test that is to manually kill off the fake* family of processes, run who to be sure you got them all, log on ONCE using faketester, and verify with who. If this pans out, then you need to consider who output authoritative. It always is unless some process tinkers with files in /var/log.
Go from that point with your experimenting.
Thank you for your response!
So I killed all the processes run by any user other than root.
I closed all sessions except one with root logged in and I started another session with user "faketester".
Output of the who command:
root tty1 Jan 23 14:46
root pts/1 Jan 28 14:35 (XX.X.XX.XXX)
root pts/2 Jan 28 14:35
faketester pts/3 Jan 28 14:52 (XX.X.XX.XXX)
faketester pts/4 Jan 28 14:52
Output of ps -ef | grep fake*:
4 S root 10314 2034 0 80 0 - 23564 unix_s 14:52 ? 00:00:00 sshd: faketester [priv]
5 S 2002 10320 10314 0 80 0 - 23564 poll_s 14:52 ? 00:00:00 sshd: faketester@pts/3
0 S 2002 10321 10320 0 80 0 - 2571 n_tty_ 14:52 pts/3 00:00:00 /usr/bin/script -q -a /var/log/logins/20152801145227_faketester_script_10321
1 S 2002 10347 10321 0 80 0 - 2572 n_tty_ 14:52 pts/3 00:00:00 /usr/bin/script -q -a /var/log/logins/20152801145227_faketester_script_10321
0 R root 10366 10036 0 80 0 - 1595 - 14:54 pts/2 00:00:00 grep fake*
Why do the processes that are in bold happen twice? Do you think that might be the issue?
I have "root" logged in on the console and when I bash login as "faketester" it appears twice when I run the "who" command.
#who
faketester pts/0 Feb 5 15:17 (XX.X.XX.XXX)
faketester pts/1 Feb 5 15:17
root pts/2 Feb 5 15:17 (:tty1:S.0)
ps -ef | grep fake*
root 2001 1790 0 15:17 ? 00:00:00 sshd: faketester [priv]
2002 2007 2001 0 15:17 ? 00:00:00 sshd: faketester@pts/0
2002 2008 2007 0 15:17 pts/0 00:00:00 /usr/bin/script -q -a /var/log/logins/20150502151754_faketester_script_2008
2002 2034 2008 0 15:17 pts/0 00:00:00 /usr/bin/script -q -a /var/log/logins/20150502151754_faketester_script_2008
2002 2080 2035 0 15:25 pts/1 00:00:00 grep fake*
I have narrowed it down to /etc/profile being called twice for an ssh interactive login. I am trying to figure out what calls /etc/profile and how do I stop it from being called twice so an additional user isn't created.
Thanks in advance!
Just an update - I am logged in as root and faketester.
I ran the following command:
netstat -tnpa | grep ESTABLISHED.*sshd
and it showed just 2 ssh connections and not 4, which is correct.
The following command
w
shows 2 users logged in as well.
So I'm guessing that who is showing all active sessions.
This was a non-issue! Thank you for your help, everyone.
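
The distinction the thread ends on (who prints one line per registered terminal session, not one per user or per SSH connection), as an added example that is not part of the original posts: a shell sketch that classifies who lines by origin and counts distinct users separately. The sample input is constructed from the output quoted above with 192.0.2.10 as a placeholder host, and the function names and kind labels are hypothetical.

```shell
#!/bin/sh
# Constructed sample, modelled on the first who listing in the thread.
SAMPLE_WHO='faketester tty2  Jan 27 13:17
fakeuser   pts/2 Jan 27 13:21 (192.0.2.10)
fakeuser   pts/3 Jan 27 13:21
faketester pts/0 Jan 27 13:17 (:tty2:S.0)
root       pts/1 Jan 27 13:15 (:tty1:S.0)'

# Read who-style lines on stdin, print "user line kind" for each entry.
#   remote        origin field names a network peer
#   local-origin  origin field starts with ":" (refers to a local terminal)
#   pty-no-origin pseudo-terminal registered without any origin field
#   console       anything else without an origin (e.g. tty2)
who_classify() {
  awk 'NF >= 2 {
    last = $NF
    origin = (last ~ /^[(].*[)]$/) ? substr(last, 2, length(last) - 2) : ""
    if (origin ~ /^:/)       kind = "local-origin"
    else if (origin != "")   kind = "remote"
    else if ($2 ~ /^pts\//)  kind = "pty-no-origin"
    else                     kind = "console"
    print $1, $2, kind
  }'
}

# Count entries of one kind ($1) in who-style input on stdin.
who_count_kind() {
  who_classify | awk -v k="$1" '$3 == k { n++ } END { print n + 0 }'
}

# Count distinct user names, regardless of how many entries each has.
who_distinct_users() {
  who_classify | awk '!seen[$1]++ { n++ } END { print n + 0 }'
}

# Print a short summary for who-style input on stdin.
who_summary() {
  input=$(cat)
  printf 'distinct users: %s\n' "$(printf '%s\n' "$input" | who_distinct_users)"
  for k in remote local-origin pty-no-origin console; do
    printf '%-15s %s\n' "$k:" "$(printf '%s\n' "$input" | who_count_kind "$k")"
  done
}

printf '%s\n' "$SAMPLE_WHO" | who_summary
```

To run it against a live system, pipe the output of who into who_summary instead of the sample.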