OSR5 FAQ

This article is from a FAQ concerning SCO operating systems. While some of the information may be applicable to any OS, or any Unix or Linux OS, it may be specific to SCO Xenix, Open There is lots of Linux, Mac OS X and general Unix info elsewhere on this site: Search this site is the best way to find anything.

Various issues relating to login on older SCO Unix systems

What causes "No utmp entry, must login from lowest level shell" on SCO Unix?

Probably corruption in one of the log files /etc/utmp, /etc/wtmp, /etc/utmpx, or /etc/wtmpx. You can zero them out by:


> /etc/utmp
> /etc/utmpx
> /etc/wtmp
> /etc/wtmpx
 

and then rebooting.

Robert Bailin says that he's seen the corruption caused by /etc/cleanup being run by cron; see I need information from "last", but most of it is gone!

An anonymous visitor here pointed out:

There is a way to fix it remotely.
Make some space on hard drive using ftp connection.
Create empty files and overwrite those 4 files
with it. You should be able to connect via login now. :)
 

baduser message

You might sometimes see a process owned by root with a command entry of '/bin/login baduser' in ps.

That means that someone tried to log in, failed, and has tried again.

This was for security reasons. Apparently the password could appear in the ps listing if login failed. Using "baduser" on subsequent attempts eliminated that problem.

You really have to wonder about the wisdom of "fixing" a security leak by masking it.

Given that "login" is a fairly basic program, and subject to constant subversion attempts anyway, why not fix that instead? While they were in there, they might have checked it for other potential hacks.. but security obviously was a neglected step-child.

Command line unlock ttys and users- user login unlock

(This primarily references SCO Unix though part of it applies to any Unix/Linux OS).

SCO Unix can lock ttys administratively or for failed logins. This prevents any further logins on that tty. An administrator might do that to lock out a particular modem line, or to lock out a specific terminal at certain times of day.

Ttys can also be locked for too many unsuccessful logins. Typically this is set for a high number: it might require 99 failed logins before the lock is applied (the number of failed or unsuccessful logins can be set using Scoadmin). The purpose of this is security: failed logins might indicate a brute force password guessing attack. More often, it simply means a stuck keyboard, either because it is defective or because someone accidentally left a book on the keyboard.

Once locked, no one can log in on that tty until the administrator removes the lock. The root user can log in at the console even if it is locked if /etc/default/login contains (for example) "OVERRIDE=tty01". The unlocking can be done with "scoadmin" (scoadmin->System->Terminal Manager), but it can also be done from the command line using ttyunlock (http://aplawrence.com/Detective/ttylocked.html)

A specific user can also be locked out - that applies to any tty and is a different message. Unlock with "passwd -u username". If that doesn't work, try

usermod -x "{administrativeLockApplied 0}" -x "{unsuccessfulLoginAttempts 0}" username
 

It's easy to see if ttys or users are locked by looking for the string "u_lock" in the sub-files of /tcb/files/auth and the string "t_lock" in /etc/auth/system/ttys.
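Added example (not part of the original FAQ): a lock audit that matches the flag as a whole field. It assumes the files use a termcap-style layout (colon-separated fields, backslash line continuation, and "u_lock@" / "t_lock@" meaning the flag is off), so a bare string search would over-report. The function names, the sample entries and every field other than u_lock and t_lock are constructed for illustration.

```shell
#!/bin/sh
# Assumption: TCB entries are termcap-style, colon-separated, possibly
# continued with a trailing backslash; ":u_lock:" / ":t_lock:" means locked,
# while "u_lock@" / "t_lock@" means the flag is explicitly off.

# Print the names of locked users found under an auth directory ($1).
list_locked_users() {
    find "$1" -type f | sort | while read -r f; do
        # Whole-field match, so "u_lock@" is not reported as a lock.
        if grep -q ':u_lock:' "$f"; then basename "$f"; fi
    done
}

# Print the names of locked ttys found in a ttys database file ($1).
list_locked_ttys() {
    awk '{
        cont = sub(/\\$/, "")          # strip a continuation backslash
        entry = entry $0
        if (cont) next                 # entry continues on the next line
        if (entry ~ /:t_lock:/) { split(entry, f, ":"); print f[1] }
        entry = ""
    }' "$1"
}

# Build a small constructed sample tree under $1 (not real system data).
make_sample() {
    mkdir -p "$1/auth/a" "$1/auth/j"
    printf '%s\n' 'alice:u_name=alice:u_id#201:\' \
        '    :u_unsuclog#5:u_lock:chkent:' > "$1/auth/a/alice"
    printf '%s\n' 'jimk:u_name=jimk:u_id#202:\' \
        '    :u_lock@:chkent:' > "$1/auth/j/jimk"
    printf '%s\n' 'tty01:t_devname=tty01:t_failures#0:chkent:' \
        'tty2a:t_devname=tty2a:t_failures#99:\' \
        '    :t_lock:chkent:' > "$1/ttys"
}

# Demo on the constructed sample; on a real system pass
# /tcb/files/auth and /etc/auth/system/ttys instead.
demo=$(mktemp -d)
make_sample "$demo"
echo "locked users: $(list_locked_users "$demo/auth")"
echo "locked ttys:  $(list_locked_ttys "$demo/ttys")"
rm -rf "$demo"
```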

Other ways to restrict or prevent logins: (these apply to any Unix/Linux OS, not just SCO)
How do I restrict logins?
How can I prevent root logins over telnet?
How can I restrict who can login with ssh?

dialup passwords dial-up passwd

Although originally intended for dialups, you can do this with terminal lines also by listing the ttyp devices in /etc/dialups.

I've no idea how robust this actually is, but it at least appears to add extra security. I've seen people implement this when internal passwords were weak, which is probably not the right idea.

Linux has this too, see Shadow Password HOW-TO in the "Dial-up passwords" section.

Note that the SCO and Linux configurations are similar but not precisely the same. Read the passwd man page!

Slightly easier (though less locked down) is to have a given account (not a line, but a login account) that simply does "telnet -E localhost". You modify the login you expect them to use there to terminate if "who -x -m" says they are not _from_ "localhost" (to prevent them from knowing the first login).

login remains in ps after user logs in

That's the way it worked prior to v5.0.6. The parent login forked, the child login exec'd the user's shell. Nothing "wrong", per se, though see OpenServer: /bin/login and /etc/getty argument buffer overflow which described applying fixed login binaries.

By the way, that also caused confusion as "ps -eaf | grep USERNAME" and "who -u | grep USERNAME" showed different PIDs ('who -u' saw the parent login process).

Gawk script to track failed logins (SCO Unix)

This script gives you a lot of information about logins:

ftp://ftp.armory.com/pub/scripts/lastlogin.

To run it you will need: ftp://ftp.armory.com/pub/scobins/gawk.

Example:

$ lastlogin -Ha -rlBk
User      Last Login      #Unsuc L
root      Wed Dec 18 01:45     1 -
jimk   Mon Jan 13 03:49     - -
...
 

There are many options: ftp://ftp.armory.com/pub/scripts/help_pages/lastlogin.




4 comments





---October 11, 2004



---October 21, 2004

These files became corrupted on me when root became full.

---November 25, 2004


There is a way to fix it remotely.
Make some space on hard drive using ftp connection.
Create empty files and overwrite those 4 files with it.
You should be able to connect via login now. :)





---December 6, 2004

I had the same problem, very large email in root, was able to fix it by deleting that file and performing the operation as above, thanks





Fri Nov 3 00:29:20 2006: 2584   anonymous


If the root is full and we cannot log on from the console or remotely, how do we clean up the free up some space?

Please advise.



Fri Nov 3 03:17:15 2006: 2585   TonyLawrence

You probably CAN log in. See (link)



Thu Sep 16 19:28:31 2010: 8977   TonyG




If the root is full and we cannot log on from the console or remotely, how do we clean up the free up some space?

Please advise.






Thu Sep 16 19:58:00 2010: 8978   TonyLawrence



See (link)
