util-linux login logs failed login attempts to /var/log/btmp. This logging happens even if the user doesn't exist. This can be fixed by not logging to btmp if pam retcode is PAM_USER_UNKNOWN. Here's a patch I made: --- util-linux-2.10f/login-utils/login.c-orig Tue Jan 23 14:22:09 2001 +++ util-linux-2.10f/login-utils/login.c Tue Jan 23 14:23:33 2001 @@ -592,7 +592,9 @@ pam_get_item(pamh, PAM_USER, (const void **) &username); syslog(LOG_NOTICE,_("FAILED LOGIN %d FROM %s FOR %s, %s"), failcount, hostname, username, pam_strerror(pamh, retcode)); - logbtmp(ttyn + 5, username, hostname); + /* Don't log to btmp if the user doesn't exist */ + if ( retcode != PAM_USER_UNKNOWN ) + logbtmp(ttyn + 5, username, hostname); fprintf(stderr,_("Login incorrect\n\n")); pam_set_item(pamh,PAM_USER,NULL); retcode = pam_authenticate(pamh, 0);
Transient errors on a network (i.e., downed NIS server) can also cause real users to come up as "unknown". The btmp file (according to the lastb man page) logs "bad login attempts", and I believe these qualify. If the issue is one of preventing users from seeing other users' passwords when said users aren't being observant while logging in, fixing the permissions on the file (or removing it) is simpler.