Login records in wtmp for ssh as tty

Ondrej.Rajmon at cuzk.cz Ondrej.Rajmon at cuzk.cz
Mon Jun 20 22:54:38 EST 2011


Hello,

after update my sshd to openssh-5.8_p2 (Linux Gentoo) I stated, that all ssh login (that open terminal session) causes writing of 2 records to a wtmp log. For example:

user1   pts/4        gw.testdom.net       Mon Jun 20 13:33   still logged in
user1   ssh          gw.testdom.net       Mon Jun 20 13:33 - 13:38  (00:05)

The first one is a standard record which appears only if a terminal session is opened.
The second one is new (at least for me). It appears always, regardless of the type of ssh session (with or without terminal). I would highly appreciate such feature because I want to see all logged in user even if they are just forwarding ports to another target, so they do not open a terminal session. But what I don't understand is behavior of that second record. It gets closed in a few minutes, spontaneously. The few minutes is usually something between 1 and 30 but can be more than 60, too. So this second record give a knowledge about established sessions, but doesn't reflect their real duration.
My questions are:
1) Is such behavior correct?
2) Why the second record is closed automatically regardless of the real session duration?
3) What the timeout for the record closing depends on? Can I influence that?

Ondrej


More information about the openssh-unix-dev mailing list