Mailinglist Archive: opensuse (3531 mails)

< Previous Next >
Re: [opensuse] errant 'who' behavior
  • From: Randall R Schulz <rschulz@xxxxxxxxx>
  • Date: Wed, 3 Jan 2007 07:55:44 -0800
  • Message-id: <200701030755.44836.rschulz@xxxxxxxxx>
On Wednesday 03 January 2007 07:27, Carl Hartung wrote:
> Hi All,
>
> This is actually a two part question. a) Is there a 100%
> proof-positive way to determine if someone has previously broken into
> a system via ssh... before remote root logins were disabled and a
> weak password replaced... and b) how do I correct the apparent
> inability of 'who', given any parameters, to return something more
> informative than just a prompt?
>
> ...
>
> All ideas/hints gratefully appreciated and a happy new year to all of
> you!

My previous answer was for part (a). For part (b) I'd check
on /var/run/utmp. That file records current logins. Perhaps the file is
missing or damaged. If it's missing, it should get recreated by a
reboot. If it's corrupted, perhaps it should be removed and then you
should reboot.

Actually, a bit of quick Googling suggests that the proper way to
correct a corrupted utmp is to copy /dev/null onto it (or otherwise
effect its truncation) and not to reboot but merely to log out and in
again.


> regards,
>
> Carl


Randall Schulz
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx

< Previous Next >
Follow Ups
References