Subject: Re: increasing UT_HOSTSIZE for IPv6?
To: Gandhi woulda smacked you <greywolf@starwolf.com>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-userlevel
Date: 07/26/1999 12:31:31
> utmp:  I hope you're prepared to make 'who', 'finger' and 'w' sort their
> output :-) [db files are not stored in any meaningful order].

Yep, that's a reasonable implementation detail.  (actually, "who",
etc. could walk through the ttys file to get the ordering..)

> wtmp: Why text?  That makes it that much easier for a newbie cracker wannabe
> to hack accounting records.

Because most other log files with variable-size records use text file
format.  

Besides, someone could always cook up a utmp-mode for emacs..

If you're really concerned about tampering by an intruder, marking the
file as append-only and/or using some sort of cryptographic
tamper-evident seals on the file seems like a better solution..

> This would be a boon, actually.  Would you show who the intruder was
> attempting to impersonate?

Not quite sure what you're talking about here..

This would be a per-user record indicating failed attempts to log in
as that user, so that login could print (for instance):

	"3 failed login attempts since last successful login"
	"last failed attempt from www.xxx.yy.zzz using ftp"

Conceivably, unauthenticated rlogin could indicate the user name
claimed by the remote system, and Kerberos-authenticated logins could
indicate the remote principal name.  I'm not familiar enough with how
ssh does authorized_keys stuff to know if there's anything profitably
worth logging..

						- Bill
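
The "cryptographic tamper-evident seals" idea from the message above, applied to a text-format wtmp, as an added example (not part of the original message and not NetBSD code). The tab-separated record layout, the HMAC-SHA256 chain with one-way key evolution, and all names and sample records are assumptions made for illustration.

```python
import hashlib
import hmac

SEP = "\t"  # assumed separator between the record text and its seal

def _next_key(key: bytes) -> bytes:
    # One-way key evolution: the logger keeps only the newest key, so a
    # later intruder cannot recompute seals for records already written.
    return hashlib.sha256(b"evolve" + key).digest()

def seal_records(initial_key: bytes, records: list[str]) -> list[str]:
    """Return text lines 'record<TAB>seal', each seal chained to the last."""
    key, prev = initial_key, b"\x00" * 32
    out = []
    for rec in records:
        seal = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        out.append(f"{rec}{SEP}{seal.hex()}")
        key, prev = _next_key(key), seal
    return out

def first_bad_line(initial_key: bytes, lines: list[str]) -> int:
    """Index of the first line whose seal fails, or -1 if all verify."""
    key, prev = initial_key, b"\x00" * 32
    for i, line in enumerate(lines):
        rec, _, seal_hex = line.rpartition(SEP)
        want = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        try:
            got = bytes.fromhex(seal_hex)
        except ValueError:
            return i  # seal field missing or not hex
        if not hmac.compare_digest(want, got):
            return i
        key, prev = _next_key(key), got
    return -1

# Constructed sample records (not real accounting data).
SAMPLE = [
    "1999-07-26T12:01:07 ttyp0 alice login from 2001:db8::10",
    "1999-07-26T12:05:44 ttyp1 bob login from 192.0.2.7",
    "1999-07-26T12:20:13 ttyp0 alice logout",
]
KEY = b"constructed-demo-key"  # verifier keeps this off the logging host

if __name__ == "__main__":
    log = seal_records(KEY, SAMPLE)
    print(first_bad_line(KEY, log))         # intact log
    log[1] = log[1].replace("bob", "root")
    print(first_bad_line(KEY, log))         # edited record
```

The chain catches edited, reordered or deleted records in the middle of the file, but removing records from the end still verifies, so the latest seal or a record count has to be kept somewhere the intruder cannot rewrite (which is where the append-only flag complements the seals).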