LOGIN(1) User Commands LOGIN(1)
NAME
login - sign on to the system
SYNOPSIS
login [
-p] [
-d device] [
-R repository] [
-s service]
[
-t terminal] [
-u identity] [
-U ruser]
[
-h hostname [terminal] |
-r hostname]
[
name [
environ]...]
DESCRIPTION
The
login command is used at the beginning of each terminal session to
identify oneself to the system.
login is invoked by the system when a
connection is first established, after the previous user has terminated
the login shell by issuing the
exit command.
If
login is invoked as a command, it must replace the initial command
interpreter. To invoke
login in this fashion, type:
exec login from the initial shell. The C shell and Korn shell have their own built-
ins of
login. See
ksh(1),
ksh93(1), and
csh(1) for descriptions of login
built-ins and usage.
login asks for your user name, if it is not supplied as an argument, and
your password, if appropriate. Where possible, echoing is turned off
while you type your password, so it does not appear on the written record
of the session.
If you make any mistake in the login procedure, the message:
Login incorrect
is printed and a new login prompt appears. If you make five incorrect
login attempts, all five can be logged in
/var/adm/loginlog, if it
exists. The
TTY line is dropped.
If password aging is turned on and the password has aged (see
passwd(1) for more information), the user is forced to changed the password. In
this case the
/etc/nsswitch.conf file is consulted to determine password
repositories. See
nsswitch.conf(5) for a list of valid nameservice
configurations that are permitted for the
passwd: database if password
aging is enabled.
Failure to comply with the configurations prevents the user from logging
onto the system because
passwd(1) fails. If you do not complete the login
successfully within a certain period of time, it is likely that you are
silently disconnected.
After a successful login, accounting files are updated. Device owner,
group, and permissions are set according to the contents of the
/etc/logindevperm file, and the time you last logged in is printed (see
logindevperm(5)).
The user-ID, group-ID, supplementary group list, and working directory
are initialized, and the command interpreter (usually
ksh) is started.
The basic
environment is initialized to:
HOME=
your-login-directory LOGNAME=
your-login-name PATH=/usr/bin:
SHELL=
last-field-of-passwd-entry MAIL=/var/mail/
TZ=
timezone-specification For Bourne shell and Korn shell logins, the shell executes
/etc/profile and
$HOME/.profile, if it exists.
For the
ksh93 Korn shell, an interactive shell then executes
/etc/ksh.kshrc, followed by the file specified by the
ENV environment
variable. If
$ENV is not set, this defaults to
$HOME/.kshrc. For the
ksh and
/usr/xpg4/bin/sh Korn Shell, an interactive shell executes the file
named by
$ENV (no default).
For C shell logins, the shell executes
/etc/.login,
$HOME/.cshrc, and
$HOME/.login. The default
/etc/profile and
/etc/.login files check quotas
(see
quota(8)), print
/etc/motd, and check for mail. None of the messages
are printed if the file
$HOME/.hushlogin exists. The name of the command
interpreter is set to
- (dash), followed by the last component of the
interpreter's path name, for example,
-sh.
If the
login-shell field in the password file (see
passwd(5)) is empty,
then the default command interpreter,
/usr/bin/sh, is used. If this field
is * (asterisk), then the named directory becomes the root directory. At
that point,
login is re-executed at the new level, which must have its
own root structure.
The environment can be expanded or modified by supplying additional
arguments to
login, either at execution time or when
login requests your
login name. The arguments can take either the form
xxx or
xxx=yyy.
Arguments without an
= (equal sign) are placed in the environment as:
L
n=xxx where
n is a number starting at
0 and is incremented each time a new
variable name is required. Variables containing an
= (equal sign) are
placed in the environment without modification. If they already appear in
the environment, then they replace the older values.
There are two exceptions: The variables
PATH and
SHELL cannot be changed.
This prevents people logged into restricted shell environments from
spawning secondary shells that are not restricted.
login understands
simple single-character quoting conventions. Typing a
\ (backslash) in
front of a character quotes it and allows the inclusion of such
characters as spaces and tabs.
Alternatively, you can pass the current environment by supplying the
-p flag to
login. This flag indicates that all currently defined environment
variables should be passed, if possible, to the new environment. This
option does not bypass any environment variable restrictions mentioned
above. Environment variables specified on the login line take
precedence, if a variable is passed by both methods.
To enable remote logins by root, edit the
/etc/default/login file by
inserting a
# (pound sign) before the
CONSOLE=/dev/console entry. See
FILES.
SECURITY
For accounts in name services which support automatic account locking,
the account can be configured to be automatically locked (see
user_attr(5) and
policy.conf(5)) if successive failed login attempts
equals or exceeds
RETRIES. Currently, only the files repository (see
passwd(5) and
shadow(5)) supports automatic account locking. See also
pam_unix_auth(7).
The
login command uses
pam(3PAM) for authentication, account management,
session management, and password management. The
PAM configuration
policy, listed through
/etc/pam.conf, specifies the modules to be used
for
login. Here is a partial
pam.conf file with entries for the
login command using the UNIX authentication, account management, and session
management modules:
login auth required pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login account requisite pam_roles.so.1
login account required pam_unix_account.so.1
login session required pam_unix_session.so.1
The Password Management stack looks like the following:
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
If there are no entries for the service, then the entries for the
other service is used. If multiple authentication modules are listed, then the
user can be prompted for multiple passwords.
When
login is invoked through
rlogind or
telnetd, the service name used
by
PAM is
rlogin or
telnet, respectively.
OPTIONS
The following options are supported:
-d device login accepts a device option,
device.
device is taken to be the path name of the
TTY port
login is to operate on. The use of the device
option can be expected to improve
login performance, since
login does not need to call
ttyname(3C). The
-d option is available only to
users whose
UID and effective
UID are root. Any
other attempt to use
-d causes
login to quietly
exit.
-h hostname [
terminal]
Used by
in.telnetd(8) to pass information about
the remote host and terminal type.
Terminal type as a second argument to the
-h option should not start with a hyphen (
-).
-p Used to pass environment variables to the login
shell.
-r hostname Used by
in.rlogind(8) to pass information about
the remote host.
-R repository Used to specify the
PAM repository that should
be used to tell
PAM about the "
identity" (see
option
-u below). If no "
identity" information
is passed, the repository is not used.
-s service Indicates the
PAM service name that should be
used. Normally, this argument is not necessary
and is used only for specifying alternative
PAM service names. For example: "
ktelnet" for the
Kerberized telnet process.
-u identity Specifies the "
identity" string associated with
the user who is being authenticated. This
usually is
not be the same as that user's Unix
login name. For Kerberized login sessions, this
is the Kerberos principal name associated with
the user.
-U ruser Indicates the name of the person attempting to
login on the remote side of the rlogin
connection. When
in.rlogind(8) is operating in
Kerberized mode, that daemon processes the
terminal and remote user name information prior
to invoking
login, so the "
ruser" data is
indicated using this command line parameter.
Normally (non-Kerberos authenticated
rlogin),
the
login daemon reads the remote user
information from the client.
EXIT STATUS
The following exit values are returned:
0 Successful operation.
non-zero Error.
FILES
$HOME/.cshrc Initial commands for each
csh.
$HOME/.hushlogin Suppresses login messages.
$HOME/.kshrc User's commands for interactive
ksh93, if
$ENV is
unset; executes after
/etc/ksh.kshrc.
$HOME/.login User's login commands for
csh.
$HOME/.profile User's login commands for
sh,
ksh, and
ksh93.
$HOME/.rhosts Private list of trusted hostname/username
combinations.
/etc/.login System-wide
csh login commands.
/etc/issue Issue or project identification.
/etc/ksh.kshrc System-wide commands for interactive
ksh93.
/etc/logindevperm Login-based device permissions.
/etc/motd Message-of-the-day.
/etc/nologin Message displayed to users attempting to login
during machine shutdown.
/etc/passwd Password file.
/etc/profile System-wide
sh,
ksh, and
ksh93 login commands.
/etc/shadow List of users' encrypted passwords.
/usr/bin/sh User's default command interpreter.
/var/adm/lastlog Time of last login.
/var/adm/loginlog Record of failed login attempts.
/var/adm/utmpx Accounting.
/var/adm/wtmpx Accounting.
/var/mail/your-name Mailbox for user
your-name.
/etc/default/login Default value can be set for the following flags
in
/etc/default/login. Default values are
specified as comments in the
/etc/default/login file, for example,
TIMEZONE=EST5EDT.
TIMEZONE Sets the
TZ environment
variable of the shell (see
environ(7)).
HZ Sets the
HZ environment
variable of the shell.
ULIMIT Sets the file size limit
for the login. Units are
disk blocks. Default is
zero (no limit).
CONSOLE If set, root can login on
that device only. This
does not prevent execution
of remote commands with
rsh(1). Comment out this
line to allow login by
root.
PASSREQ Determines if login
requires a non-null
password.
ALTSHELL Determines if login should
set the
SHELL environment
variable.
PATH Sets the initial shell
PATH variable.
SUPATH Sets the initial shell
PATH variable for root.
TIMEOUT Sets the number of seconds
(between
0 and
900) to
wait before abandoning a
login session.
UMASK Sets the initial shell
file creation mode mask.
See
umask(1).
SYSLOG Determines whether the
syslog(3C) LOG_AUTH facility should be used to
log all root logins at
level
LOG_NOTICE and
multiple failed login
attempts at
LOG_CRIT.
DISABLETIME If present, and greater
than zero, the number of
seconds that
login waits
after
RETRIES failed
attempts or the
PAM framework returns
PAM_ABORT. Default is
20 seconds. Minimum is
0 seconds. No maximum is
imposed.
SLEEPTIME If present, sets the
number of seconds to wait
before the login failure
message is printed to the
screen. This is for any
login failure other than
PAM_ABORT. Another login
attempt is allowed,
providing
RETRIES has not
been reached or the
PAM framework is returned
PAM_MAXTRIES. Default is
4 seconds. Minimum is
0 seconds. Maximum is
5 seconds.
Both
su(8) and
sulogin(8) are affected by the value
of
SLEEPTIME.
RETRIES Sets the number of retries
for logging in (see
pam(3PAM)). The default is
5. The maximum number of
retries is 15. For
accounts configured with
automatic locking (see
SECURITY above), the
account is locked and
login exits. If automatic
locking has not been
configured,
login exits
without locking the
account.
SYSLOG_FAILED_LOGINS Used to determine how many
failed login attempts are
allowed by the system
before a failed login
message is logged, using
the
syslog(3C) LOG_NOTICE facility. For example, if
the variable is set to
0,
login logs
all failed
login attempts.
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Committed |
+--------------------+-----------------+
SEE ALSO
csh(1),
exit(1),
ksh(1),
ksh93(1),
mail(1),
mailx(1),
newgrp(1),
passwd(1),
rlogin(1),
rsh(1),
sh(1),
shell_builtins(1),
telnet(1),
umask(1),
syslog(3C),
ttyname(3C),
pam(3PAM),
rcmd(3SOCKET),
termio(4I),
auth_attr(5),
exec_attr(5),
hosts.equiv(5),
issue(5),
logindevperm(5),
loginlog(5),
nologin(5),
nsswitch.conf(5),
pam.conf(5),
passwd(5),
policy.conf(5),
profile(5),
shadow(5),
user_attr(5),
utmpx(5),
wtmpx(5),
attributes(7),
environ(7),
pam_authtok_check(7),
pam_authtok_get(7),
pam_authtok_store(7),
pam_dhkeys(7),
pam_passwd_auth(7),
pam_unix_account(7),
pam_unix_auth(7),
pam_unix_session(7),
in.rlogind(8),
in.telnetd(8),
logins(8),
quota(8),
su(8),
sulogin(8),
syslogd(8),
useradd(8),
userdel(8)DIAGNOSTICS
Login incorrect The user name or the password cannot be matched.
Not on system console Root login denied. Check the
CONSOLE setting in
/etc/default/login.
No directory! Logging in with home=/ The user's home directory named in the
passwd(5) database cannot be
found or has the wrong permissions. Contact your system
administrator.
No shell Cannot execute the shell named in the
passwd(5) database. Contact
your system administrator.
NO LOGINS: System going down in N minutes The machine is in the process of being shut down and logins have been
disabled.
WARNINGS
Users with a
UID greater than 76695844 are not subject to password aging,
and the system does not record their last login time.
If you use the
CONSOLE setting to disable root logins, you should arrange
that remote command execution by root is also disabled. See
rsh(1),
rcmd(3SOCKET), and
hosts.equiv(5) for further details.
NOTES
The
pam_unix(7) module is no longer supported. Similar functionality is
provided by
pam_unix_account(7),
pam_unix_auth(7),
pam_unix_session(7),
pam_authtok_check(7),
pam_authtok_get(7),
pam_authtok_store(7),
pam_dhkeys(7), and
pam_passwd_auth(7).
June 20, 2021
LOGIN(1)