Multiple entries for the Discovery user in last command's output for SSH Discovery

Issue

Multiple entries for the Discovery user will be observed in last command's output on the target server during SSH Discovery.

Release

Not release specific

Resolution

Discovery in a single session can use multiple channels, which is why there are multiple entries in last command's output. During manual execution there is a single session and a single channel for executing the commands, hence only 1 entry in last command's output.

This is expected behavior.

During Discovery, every command executed on the target is run under sudo since most inventory and OS-level commands (e.g., dmidecode) require elevated privileges. To achieve this, the Discovery process always allocates a pseudo-terminal (pty). This is why you see multiple entries in last/wtmp.

From the SSH debug logs, we can confirm the behavior:

New channel opened for each command

    2025-08-07T05:21:10.468 DEBUG (SSHProtocolEngine) ... CHANNEL_OPEN_CONFIRMATION(3)
    2025-08-07T05:21:10.469 DEBUG (SSHProtocolEngine) ... Client channel 3 is associated with server channel 0

➝ Discovery establishes a new SSH channel.

Pseudo-terminal (pty) request sent

    2025-08-07T05:21:10.469 DEBUG (SSHProtocolEngine) ... Processing GetTerminalMsg
    As ASCII: .... pty-req .... dumb
    2025-08-07T05:21:10.469 DEBUG (SSHProtocolEngine) ... CHANNEL_REQUEST type: pty-req
    2025-08-07T05:21:10.482 DEBUG (SSHProtocolEngine) ... Processing: CHANNEL_SUCCESS(3)

➝ A pseudo-TTY is explicitly requested (pty-req) and accepted by the server. This allocation is what creates an entry in last command's output.

Command executed inside the channel

    DEBUG (SSHProtocolEngine) ... Sending command: uname -a
    DEBUG (SSHProtocolEngine) ... Sending command: /sbin/dmidecode -t 1

➝ The actual discovery command runs under sudo inside the TTY.

Channel closed after execution

    DEBUG (SSHProtocolEngine) ... Processing CHANNEL_EOF
    DEBUG (SSHProtocolEngine) ... Processing CHANNEL_CLOSE

➝ The channel is destroyed once the command finishes. For the next command, Discovery opens a new channel and repeats the cycle.

Key Clarifications

Authentication with password happens only once at session start.

The "multiple login" entries you see in last/wtmp are not multiple authentications. They are the result of multiple pseudo-terminal allocations (pty-req) each time a new channel is opened for a command.

This is by design in Discovery, to ensure privileged commands can be executed safely with sudo.

Summary:

Each command = new channel → pty allocated (pty-req) → sudo command runs → channel closed.

This explains why audit logs show multiple logins even though there is only one SSH authentication.
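
To check a captured debug log against this cycle, the following added example (not part of the original article or of the Discovery product) rebuilds one record per channel from lines shaped like the excerpts above and counts how many entries to expect in last. The sample log is constructed, the function names are hypothetical, and the parser assumes channels are used one at a time.

```python
import re

# Constructed sample modelled on the debug excerpts above ("..." marks the
# fields the article elides). One SSH session, three channels; channel 5 has
# no pty-req and its log is cut off, purely to show the contrast.
SAMPLE_LOG = """\
2025-08-07T05:21:10.468 DEBUG (SSHProtocolEngine) ... CHANNEL_OPEN_CONFIRMATION(3)
2025-08-07T05:21:10.469 DEBUG (SSHProtocolEngine) ... CHANNEL_REQUEST type: pty-req
2025-08-07T05:21:10.482 DEBUG (SSHProtocolEngine) ... Processing: CHANNEL_SUCCESS(3)
DEBUG (SSHProtocolEngine) ... Sending command: uname -a
DEBUG (SSHProtocolEngine) ... Processing CHANNEL_EOF
DEBUG (SSHProtocolEngine) ... Processing CHANNEL_CLOSE
2025-08-07T05:21:11.102 DEBUG (SSHProtocolEngine) ... CHANNEL_OPEN_CONFIRMATION(4)
2025-08-07T05:21:11.103 DEBUG (SSHProtocolEngine) ... CHANNEL_REQUEST type: pty-req
DEBUG (SSHProtocolEngine) ... Sending command: /sbin/dmidecode -t 1
DEBUG (SSHProtocolEngine) ... Processing CHANNEL_CLOSE
2025-08-07T05:21:11.530 DEBUG (SSHProtocolEngine) ... CHANNEL_OPEN_CONFIRMATION(5)
DEBUG (SSHProtocolEngine) ... Sending command: echo constructed-no-pty
"""

OPEN = re.compile(r"CHANNEL_OPEN_CONFIRMATION\((\d+)\)")
PTY = re.compile(r"CHANNEL_REQUEST type: pty-req")
CMD = re.compile(r"Sending command: (.+)$")
CLOSE = re.compile(r"Processing CHANNEL_CLOSE")

def channel_cycles(log_text):
    """Rebuild one record per channel (assumes channels run one at a time)."""
    cycles, current = [], None
    for line in log_text.splitlines():
        if m := OPEN.search(line):
            current = {"channel": int(m.group(1)), "pty": False,
                       "commands": [], "closed": False}
            cycles.append(current)
        elif current is None:
            continue  # lines outside any channel (e.g. the one-time authentication)
        elif PTY.search(line):
            current["pty"] = True
        elif m := CMD.search(line):
            current["commands"].append(m.group(1).strip())
        elif CLOSE.search(line):
            current["closed"] = True
            current = None  # the next command gets a fresh channel
    return cycles

def expected_wtmp_entries(cycles):
    """Each channel that sent pty-req is what the article ties to a line in last."""
    return sum(1 for c in cycles if c["pty"])

if __name__ == "__main__":
    cycles = channel_cycles(SAMPLE_LOG)
    for c in cycles:
        print(c)
    print("expected entries in last:", expected_wtmp_entries(cycles))
```

If the count of pty-req channels in the debug log matches the number of entries last shows for the Discovery user over the same window, the entries are accounted for by channel allocation rather than by additional authentications.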