Originally posted by: Wouter Liefting
The "who" command does not list "active sessions". Technically speaking there is no such concept as an 'active session'. What really happens is that when a network connection is made to the sshd, the login process that runs on behalf of the sshd daemon adds an entry to /tmp/utmp or wtmp or one of those files. When you do a proper disconnect of the sshd network connection, then the sshd logout process will remove the corresponding entry from /tmp/utmp or wtmp.
And all that who or w does is list the contents of the /tmp/utmp or wtmp file.
Your first problem is the kill -9. With a kill -9, the sshd process is killed outright and is not able to run its own exit handler. That means that the wtmp file is not cleaned up, so the entry in there remains. To disconnect a session properly, just use the plain kill <PID> command. This sends signal 15 instead of signal 9, which causes the exit handler to run properly. Only when the sshd daemon (or any other daemon for that matter) hasn't exited by itself after a few seconds, should you send a kill -9.
Your second problem is that you are reading too much into the output of who. As I said, it doesn't show "active sessions" as that concept does not exist, technically speaking. All it shows is entries in the wtmp file that have not been cleaned out yet. And even though there may be an entry left in the wtmp file, once the sshd is gone, there really isn't anything anymore. So any spurious line leftover in the wtmp file cannot cause a security problem or whatever.
Edited:
I have never had the need to clean out the wtmp file, but I found this: http://www.tek-tips.com/viewthread.cfm?qid=1440324
It suggests there is a tool /usr/sbin/acct/fwtmp that allows you to dump the wtmp file to a text file, so you can clean it out manually (grep or whatever) and then dump the pruned contents back.
And also read this: https://www-01.ibm.com/support/knowledgecenter/ssw_aix_61/com.ibm.aix.files/utmp.htm
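Added example, not part of the original post: a small shell check that tells leftover login records apart from sessions that still have a process behind them, by testing the PID column of `who -u` output. It assumes the PID is the last all-digit field, optionally followed by a "(host)" field; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: report `who -u` lines whose owning process no longer exists.

# pid_field LINE: print the PID column of one `who -u` line.
# Assumption: the PID is the last all-digit field, optionally followed
# by a "(remote host)" field.
pid_field() {
    printf '%s\n' "$1" | awk '{
        n = NF
        if ($n ~ /^\(.*\)$/) n--        # skip trailing (remote host)
        if ($n ~ /^[0-9]+$/) print $n   # print only a numeric PID
    }'
}

# pid_alive PID: succeed if a process with that PID exists.
# kill -0 fails with a permission error on other users' processes,
# so fall back to ps -p, which only needs to see the process.
pid_alive() {
    kill -0 "$1" 2>/dev/null || ps -p "$1" >/dev/null 2>&1
}

# stale_entries: read `who -u` lines on stdin and print the ones whose
# PID is gone, i.e. records that were never cleaned up at logout.
stale_entries() {
    while IFS= read -r line; do
        pid=$(pid_field "$line")
        [ -n "$pid" ] || continue       # header or unparsable line
        pid_alive "$pid" || printf '%s\n' "$line"
    done
}

# Run against the live login records only when asked to.
if [ "${1:-}" = "--live" ]; then
    who -u | stale_entries
fi
```

Run it with `--live` on the system in question; any line it prints is a record with no process behind it.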