Not sure if I’m missing something, but I think there are some inconsistencies between the two log files. In auth.log there are two successful root logins from 65.2.161.68:
Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar 6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2
Whereas in the wtmp file, only one root login from 65.2.161.68 is contained:
If I remember correctly, one of the SSH sessions resulted from a brute-force attempt and was instantly terminated (within less than a second). This might have been fast enough to prevent creation of a terminal session, which would be created on top of the SSH session after its creation.
Yes, that’s correct. I also thought about that. But even if the “bruteforce session” lasted only one second, the auth.log still says:
Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 6 06:31:40 ip-172-31-35-28 systemd-logind[411]: New session 34 of user root.
and
Mar 6 06:31:40 ip-172-31-35-28 systemd-logind[411]: Session 34 logged out. Waiting for processes to exit.
Mar 6 06:31:40 ip-172-31-35-28 systemd-logind[411]: Removed session 34.
But yeah, maybe the session wasn’t long enough to result in an entry in the wtmp file. Idk.
I just tested it with my VM: when e.g. ssh -N is invoked, an sshd “session opened” and a systemd-logind “New session” entry are created in auth.log, but no tty entry (w) is created. Opening SSH, creating a login session and attaching to a tty are different steps. I guess this is what we see here.
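To make the three-step distinction from the thread (sshd accepts the login, PAM/logind open a session, a tty is allocated and recorded in wtmp) checkable on a real case, here is an added example that is not part of the thread above or of any poster's tooling. It parses sshd "Accepted" and pam_unix "session opened" lines from auth.log, parses binary wtmp records, and reports logins that never got a USER_PROCESS (tty) record for the same user and source host within a few seconds. Assumptions, since nothing in the thread fixes them: the year is 2024 and the syslog timestamps are UTC (syslog lines carry no year or zone); wtmp uses the 384-byte glibc x86_64 struct utmp layout (other ABIs differ); the sample auth.log is constructed from the lines quoted in the thread plus a constructed "session opened" line for the second login; the sample wtmp is constructed by hand and contains one unrelated login and one root tty record for the second SSH session only.

```python
"""Correlate sshd logins in auth.log with USER_PROCESS (tty) records in wtmp.

Added example; sample data below is constructed and mirrors the thread,
it is not a real capture.
"""
import re
import struct
from datetime import datetime, timezone

# glibc x86_64 struct utmp, 384 bytes, little-endian (assumption: other ABIs differ).
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7
DEAD_PROCESS = 8

_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
ACCEPTED_RE = re.compile(
    _TS + r" \S+ sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
PAM_OPEN_RE = re.compile(
    _TS + r" \S+ sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): "
    r"session opened for user (?P<user>[^(\s]+)"
)


def syslog_ts(ts, year):
    """Parse a year-less syslog timestamp; assumed UTC for the example."""
    ts = " ".join(ts.split())  # collapse "Mar  6" to "Mar 6"
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def parse_authlog(text, year):
    """Return one dict per 'Accepted' login, flagged if a PAM session followed."""
    logins, pam_pids = {}, set()
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            pid = int(m["pid"])
            logins[pid] = {"pid": pid, "user": m["user"], "ip": m["ip"],
                           "port": int(m["port"]), "time": syslog_ts(m["ts"], year)}
            continue
        m = PAM_OPEN_RE.match(line)
        if m:
            pam_pids.add(int(m["pid"]))
    for pid, login in logins.items():
        login["pam_session"] = pid in pam_pids  # same sshd pid on both lines
    return sorted(logins.values(), key=lambda l: l["time"])


def _cstr(b):
    return b.split(b"\0", 1)[0].decode(errors="replace")


def parse_wtmp(data):
    """Unpack fixed-size utmp records; trailing partial records are ignored."""
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs


def pack_utmp(ut_type, pid, line, user, host, tv_sec):
    """Build one record; only used here to construct the sample wtmp."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def logins_without_tty(authlog_text, wtmp_bytes, year, window=5):
    """Logins with no USER_PROCESS wtmp record for the same user/host within
    `window` seconds. Each wtmp record is matched at most once, nearest first."""
    ttys = [r for r in parse_wtmp(wtmp_bytes) if r["type"] == USER_PROCESS]
    used, missing = set(), []
    for login in parse_authlog(authlog_text, year):
        candidates = [(abs(r["time"] - login["time"]), i) for i, r in enumerate(ttys)
                      if i not in used and r["user"] == login["user"]
                      and r["host"] == login["ip"]]
        best = min(candidates, default=None)
        if best is None or best[0] > window:
            missing.append(login)
        else:
            used.add(best[1])
    return missing


YEAR = 2024  # assumed; syslog lines carry no year

SAMPLE_AUTHLOG = """\
Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 6 06:31:40 ip-172-31-35-28 systemd-logind[411]: New session 34 of user root.
Mar 6 06:31:40 ip-172-31-35-28 systemd-logind[411]: Session 34 logged out. Waiting for processes to exit.
Mar 6 06:31:40 ip-172-31-35-28 systemd-logind[411]: Removed session 34.
Mar 6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2
Mar 6 06:32:44 ip-172-31-35-28 sshd[2491]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
"""

# Constructed wtmp: an unrelated earlier login, its logout, and a tty record
# for the second root SSH session only (the first one never got a tty).
SAMPLE_WTMP = (
    pack_utmp(USER_PROCESS, 1337, "pts/0", "ubuntu", "203.0.113.5", int(syslog_ts("Mar 6 06:10:02", YEAR)))
    + pack_utmp(DEAD_PROCESS, 1337, "pts/0", "", "", int(syslog_ts("Mar 6 06:20:30", YEAR)))
    + pack_utmp(USER_PROCESS, 2491, "pts/0", "root", "65.2.161.68", int(syslog_ts("Mar 6 06:32:44", YEAR)))
)

if __name__ == "__main__":
    for login in logins_without_tty(SAMPLE_AUTHLOG, SAMPLE_WTMP, YEAR):
        print(f"sshd[{login['pid']}] {login['user']} from {login['ip']}:{login['port']} "
              f"authenticated, PAM session={login['pam_session']}, no tty record in wtmp")
```

On real data, read `/var/log/wtmp` as bytes and feed the raw `auth.log` text; check `struct.calcsize` against the size of one record on the target system before trusting the offsets. Matching is done on user, source host and time rather than on pid, because the pid sshd writes into wtmp is not necessarily the one on the "Accepted" line.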