Duplicate pseudo terminals in linux

"I can't reproduce this behaviour here - whatever I do the utmp gets cleaned up - but the utmp updating is done by a helper program utempter, in /usr/lib/utempter, which is called by xterm, so if xterms are being killed stone dead for some reason (such as virtual memory being exhausted) it may be that it doesn't get a chance to clean up.

Note also that a security vulnerability was fixed in it http://rhn.redhat.com/errata/RHSA-2004-174.html
though I guess it's unlikely the user in question is causing disfunctions by deliberately exploiting that.

See if you can reproduce the behaviour by launching xterm in the background and killing it without giving it an opportunity to clean up utmp:
$ who
$ xterm &
[1] 6229
$ who
$ kill -9 6229
$ who

And one voodoo theory: I notice that xterm has a setting to make the utmp behaviour more careful. It is normally enabled by default and disabled by putting
XTerm*ptyHandshake: false

in ~/.Xresources or system-wide in /etc/X11/Xresources/xterm. It's unlikely to be that, but just a thought.

One workaround might be to persuade or compel users to use a different X terminal emulator such as rxvt, a smaller drop-in replacement that responds to existing xterm configuration settings, doesn't include the Tektronix 4014 line-drawing graphics emulation feature and uses significantly less memory to run."