Hi,
simple question here:
Will stock Slowroll as of 28/11/2025 log the username of an incorrect TTY login attempt?
If so, where is it logged?
e.g.:
Correct username “willie”
Login attempt “wilie”
Can I find the string “wilie” somewhere in the system logs?
lslogins --failed
At least, as long as various login programs still write to /var/log/btmp.
It should be logged in the systemd journal. For example…
sudo journalctl -t login | grep -i failed
arvidjaar:
lslogins --failed
Thank you for your reply.
lslogins --failed doesn’t show the expected invalid username, it seems to only show valid users on the system with UID.
The file btmp does not exist in /var/log/. I’ve read in some very old posts from 2006 in forums for other distros that this needs to be created manually in order to be used.
Could it be stored somewhere else?
Thank you for your reply!
sudo journalctl -t login | grep -i failed does indeed show the failed attempt on tty, but it masks the username as “unknown”:
FOR (unknown), User not known to the underlying authentication module
Is there any way to restore the used username?
When a user types a username that doesn’t exist, PAM (/etc/pam.d/login) can’t map it to a valid UID.
You could create a custom script to get that recorded though.
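One way to write the custom script suggested in the last reply, as an added example that is not part of the original thread: a pam_exec helper that records the typed login name in the journal. The install path, the `login-name` tag and the PAM line in the comment are assumptions; PAM_USER, PAM_TTY and PAM_TYPE are the variables pam_exec exports.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed install path and PAM line,
# placed before the pam_unix auth line in /etc/pam.d/login:
#   auth optional pam_exec.so quiet /usr/local/sbin/log-login-name.sh
# pam_exec exports PAM_USER, PAM_TTY and PAM_TYPE to the script.

# The typed name is untrusted: replace anything non-printable (newlines,
# escape sequences, non-ASCII bytes) and double quotes, then cap the
# length at 64 characters so it cannot forge or flood journal entries.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?' | tr '"' '?' | cut -c1-64
}

# Succeeds only if the name resolves to an existing account.
account_exists() {
    [ -n "$1" ] && id -u -- "$1" >/dev/null 2>&1
}

# Build one log line from the pam_exec environment.
format_attempt() {
    if account_exists "${PAM_USER:-}"; then state=known; else state=unknown; fi
    printf 'login attempt user="%s" tty="%s" account=%s' \
        "$(sanitize "${PAM_USER:-}")" "$(sanitize "${PAM_TTY:-}")" "$state"
}

# Only log when pam_exec calls the script from the auth stack.
if [ "${PAM_TYPE:-}" = "auth" ]; then
    logger -t login-name -p authpriv.notice -- "$(format_attempt)"
fi
```

With this in place, `sudo journalctl -t login-name` would show the attempt with the name as typed. Unknown names are masked by default because people sometimes type their password at the username prompt, so entries written this way should be treated as sensitive.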