I have discovered that sshd does not write a ut_type = 8 (DEAD_PROCESS) record into /var/adm/wtmpx, but it does write such a record into /var/adm/utmpx. The net effect of this is that it looks like ssh users never log out when you run "last" or other codes that analyze wtmpx. I wrote a small C program to read and write out every record in /var/adm/wtmpx. Then I logged into and out of my test machine with telnet, rlogin, and ssh. Then I ran my C program to look at the results. Here they are: user:line:pid:type:exit/term:host:time joeblow:pts/3:8477:7:0/0:0:cayuga:Wed Feb 20 10:08:43 2002 joeblow:pts/3:8477:8:0/0:0:cayuga:Wed Feb 20 10:08:57 2002 joeblow:pts/3:8509:7:0/0:0:cayuga:Wed Feb 20 10:09:16 2002 joeblow:pts/3:8509:8:0/0:0:cayuga:Wed Feb 20 10:09:55 2002 joeblow:pts/3:8546:7:0/0:0:cayuga:Wed Feb 20 10:10:08 2002 The first two records are for telnet, the second two for rlogin, the last for ssh. No type=8 record for ssh. I can send you the C code that reads /var/adm/wtmpx if you need it.
I spent some time looking into this. Initially I did see that last was reporting users still logged in that had logged out of their ssh connection. I noticed logintest showed everything working as expected. Now I can not duplicate the problem. I didn't change any code but I did zero out wtmpx during my tests. Now I can etheir log in using rlogin or ssh and last shows the correct information after logout.
Now that I look at bug 84 I see that "last username" shows the wrong info. I'm marking this a duplicate of 84 *** This bug has been marked as a duplicate of 84 ***
Mass change of RESOLVED bugs to CLOSED