Mailinglist Archive: opensuse (3531 mails)

[opensuse] errant 'who' behavior
  • From: Carl Hartung <suselinux@xxxxxxxxxxxxx>
  • Date: Wed, 3 Jan 2007 10:27:02 -0500
  • Message-id: <200701031027.02747.suselinux@xxxxxxxxxxxxx>
Hi All,

This is actually a two-part question. a) Is there a 100% proof-positive way to
determine if someone has previously broken into a system via ssh... before
remote root logins were disabled and a weak password replaced... and b) how
do I correct the apparent inability of 'who', given any parameters, to return
something more informative than just a prompt?

Copied & pasted examples:
(note: root has logged into console tty1 after the user has logged into his
desktop on tty7, then root has logged in again via shell on the user's
desktop.)

as user:

> carl@linux:~> who
> carl@linux:~>

> carl@linux:~> who -a
> carl@linux:~>

> carl@linux:~> who -m
> carl@linux:~>

> carl@linux:~> who -u
> carl@linux:~>

as root:

> linux:~ # who
> linux:~ #

> linux:~ # who -a
> linux:~ #

> linux:~ # who -m
> linux:~ #

> linux:~ # who -u
> linux:~ #

Additional info:

> linux:~ # which who
> /usr/bin/who

> linux:~ # l /usr/bin/who
> -rwxr-xr-x 1 root root 25204 2006-01-31 11:28 /usr/bin/who*

> linux:~ # file /usr/bin/who
> /usr/bin/who: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
> GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped

All ideas/hints gratefully appreciated and a happy new year to all of you!

regards,

Carl