login(1)login(1)NAMElogin - sign on
SYNOPSISlogin [ -d device ] [ name [ environ ... ]]
DESCRIPTION
The login command is used at the beginning of each terminal session and
allows you to identify yourself to the system. It is invoked by the
system when a connection is first established. It is invoked by the
system when a previous user has terminated the initial shell by typing a
<Ctrl-d> to indicate an end-of-file.
If login is invoked as a command, it must replace the initial command
interpreter. This is accomplished by typing
exec login
from the initial shell.
login asks for your user name (if it is not supplied as an argument) and,
if appropriate, your password. Echoing is turned off (where possible)
during the typing of your password, so it does not appear on the written
record of the session.
login reads /etc/default/login to determine default behavior. To change
the defaults, the system administrator should edit this file. The syntax
of the below lines within the /etc/default/login file must not contain
any whitespaces. The examples shown below are login defaults.
Recognized values are:
Note: If PAM (see pam(8)) is enabled, some of the options are not
supported.
CONSOLE=device If defined, only allows root logins on the device
specified, typically /dev/console. This MUST NOT be
defined as either /dev/syscon or /dev/systty. If
undefined, root can log in on any device.
PASSREQ=NO Determines whether all accounts must have passwords. If
YES, and user has no password, they are prompted for one
at login time.
Not supported when PAM is enabled.
MANDPASS=NO Like PASSREQ, but doesn't allow users with no password
to log in.
Not supported when PAM is enabled.
Page 1
login(1)login(1)
ALTSHELL=YES If YES, the environment variable SHELL is initialized.
UMASK=022 Default umask, in octal.
TIMEOUT=60 Exit login after this many seconds of inactivity
(maximum 900, or 15 minutes)
SLEEPTIME=1 Sleep for this many seconds before issuing "login
incorrect" message (maximum 60 seconds).
DISABLETIME=20 After LOGFAILURES or MAXTRYS unsuccessful attempts,
sleep for DISABLETIME seconds before exiting (no
maximum).
MAXTRYS=3 Exit login after MAXTRYS unsuccessful attempts (0 =
unlimited attempts).
LOGFAILURES=3 If there are LOGFAILURES consecutive unsuccessful login
attempts, each of them is logged in /var/adm/loginlog,
if it exists. LOGFAILURES has a maximum value of 20.
Note: Users get at most the minimum of (MAXTRYS,
LOGFAILURES) unsuccessful attempts.
IDLEWEEKS=-1 If nonnegative, specify a grace period during which
users with expired passwords are allowed to enter a new
password. In other words, accounts with expired
passwords can stay idle up to this long before being
"locked out." If IDLEWEEKS is 0, there is no grace
period, and expired passwords are the same as
invalidated passwords.
Not supported when PAM is enabled.
PATH= Path for normal users (from /usr/include/paths.h).
SUPATH= Path for superuser (from /usr/include/paths.h).
SYSLOG=FAIL Log to syslog all login failures (SYSLOG=FAIL) or all
successes and failures (SYSLOG=ALL). Log entries are
written to the LOG_AUTH facility (see syslog(3C) and
syslogd(1M) for details). No messages are sent to
syslog if not set. Note that this is separate from the
login log, /var/adm/loginlog.
INITGROUPS=YES If YES, make the user session be a member of all of the
user's supplementary groups (see multgrps(1) or
initgroups(3C)).
LANG=C If LANG is set, make this the default login language.
This is used if no LANG comes from environment (rlogind,
getty, ...) and $HOME/.lang does not exist or does not
Page 2
login(1)login(1)
contain a lang id. Only LANG is supported, not other
locale categories such as LC_CTYPE.
SVR4_SIGNALS=YES Use the SVR4 semantics for the SIGXCPU and SIGXFSZ
signals. If SVR4_SIGNALS=YES, the SVR4 semantics are
preserved and all processes ignore SIGXCPU and SIGXFSZ
by default. If SVR4_SIGNALS=NO, these two signals
retain their default action, which is to cause the
receiving process to core dump. If users intend to make
use of the CPU and filesize resource limits,
SVR4_SIGNALS should be set to NO. Note that using these
signals while SVR4_SIGNALS is set to YES causes behavior
that varies depending on the login shell. This setting
has no affect on processes that explicitly alter the
behavior of these signals using the signal(2) system
call.
SITECHECK= Use an external program to authenticate users instead of
using the encrypted password field. This allows sites
to implement other means of authentication, such as card
keys, biometrics, etc. The program is invoked with user
name as the first argument, and remote hostname and
username, if applicable. The action taken depend on
exit status, as follows:
0 Success; user was authenticated, log in.
1 Failure; exit login.
2 Failure; try again (don't exit login).
other Use normal UNIX authentication.
If authentication fails, the program can chose to
indicate either exit code 1 or 2, as appropriate. If
the program is not owned by root, is writable by others,
or cannot be executed, normal password authentication is
performed. It is recommended that the program be given
a mode of 500.
Warning: Because this option has the potential to
defeat normal IRIX security, any program used in this
way must be designed and tested very carefully.
Not supported when PAM is enabled.
LOCKOUT= If nonzero, after this number of consecutive
unsuccessful login attempts by the same user, by all
instances of xdm and login, lock the account by invoking
passwd -l username. Note that this feature allows a
denial of service attack that may require booting from
the miniroot to fix, as even the root accounts can be
Page 3
login(1)login(1)
locked out.
LOCKOUTEXEMPT= If LOCKOUT is greater than zero, the users listed as
LOCKOUTEXEMPT will NOT be subject to the LOCKOUT option.
Usernames are separated by spaces, the list must be
terminated by end-of-line, maximum list length is 240
characters. LOCKOUTEXEMPT is ignored unless LOCKOUT is
enabled, and the list is not empty. Including privileged
accounts (such as root) in the LOCKOUTEXEMPT list, is
not recommended, as it allows an indefinite number of
attacks on the exempt accounts. Also, if LOCKOUTEXEMPT
is enabled, the /etc/default/login file should be given
a mode 400 or 600 to prevent unauthorized viewing and/or
tampering with the LOCKOUTEXEMPT list.
MACREMOTE=SESSION
If SESSION, the session label of a remote login session
is always the same as that of the current login session.
If CLEARANCE, the default and permitted session labels
of a remote login session become those specified in
clearance(4).
At some installations, you may be required to enter a dialup password for
dialup connections as well as a login password. In this case, the prompt
for the dialup password is:
( dialup password is not supported when PAM is enabled. )
Dialup Password:
Both passwords are required for a successful login.
For remote logins over the network, the following sequence is performed
by login before prompting for a username or password:
o If PAM is disabled, the file /etc/nologin disables remote logins if it
exists; login prints the contents of this file before disconnecting
the session. If PAM is enabled, login skip /etc/nologin check and
depends on the configuration of the pam_nologin module ( see pam(8) )
in /etc/pam.d/login.
o login prints the contents of /etc/issue ( if present ).
The system can be configured to automate the login process after a system
restart. When the file /etc/autologin exists and contains a valid user
name, the system logs in as the specified user without prompting for a
user name or password. The automatic login takes place only after a
system restart; once the user logs out, the normal interactive login
session is used until the next restart. This is intended to be used at
sites where the normal security mechanisms provided by login are not
needed or desired. If you make five incorrect login attempts, all five
Page 4
login(1)login(1)
are logged in /var/adm/loginlog (if it exists) and the TTY line is
dropped. /etc/autologin.TTYLINE is like /etc/autologin except it is used
by getty(1m) when initiating a terminal session for the device named by
TTYLINE, and it will prompt for a password. For example
/etc/autologin.ttyd1 will control the login processes on /dev/ttyd1.
If you do not complete the login successfully within a certain period of
time (by default, 20 seconds), you are likely to be silently
disconnected.
After a successful login, accounting files are updated, the /etc/profile
script is executed, the time you last logged in is printed (unless a file
.hushlogin is present in the user's home directory), /etc/motd is
printed, the user ID, group ID, supplementary group list, working
directory, and command interpreter (usually sh) are initialized, and the
file .profile in the working directory is executed, if it exists. The
name of the command interpreter is - followed by the last component of
the interpreter's pathname (for example, -sh). If this field in the
password file is empty, the default command interpreter, /usr/bin/sh is
used.
If the shell field is *, the named directory becomes the root directory
(a chroot(2) is done to the home directory, and the home directory is
therefore the starting point (/) for path searches for pathnames
beginning with a /. At that point login is re-executed following the
chroot(2).
At the very least, this root structure must include the following files,
with usr/lib32/libc.so.1 normally being a symlink to
../../lib32/libc.so.1. A home directory must also exist, as well as the
shell for the user(s) being chroot'ed. It is possible to have the shell,
password, and home directory be different in the new environment. In
this example, the shell used is /sbin/csh, and the home directory is
/usr/people/olson. Given the following password entry, the directories
and files listed below would exist below the directory /home/secure.
Entry in /etc/passwd:
olson:hl0njohzc0uC2:2117:10:Dave Olson:/home/secure:*
Entry in /home/secure/etc/passwd:
olson:am34670a63463:2117:10:Dave Olson:/usr/people/olson:/sbin/csh
dev:
tty zero
etc:
group passwd
lib32:
libc.so.1 rld
sbin:
csh
usr/bin:
login
usr/lib32:
Page 5
login(1)login(1)
libc.so.1@ libcrypt.so libgen.so libpthread.so
usr/people/olson:
.cshrc
These files allow login to execute correctly, but you may also need to
include additional files or applications that the user is allowed to
execute. Since these applications can in turn rely on additional shared
libraries, it may also be necessary to place additional shared objects in
/usr/lib32. See the ftpd(1M) reference page for more information about
setting up a root environment.
The basic environment is initialized to:
HOME=your-login-directory
LOGNAME=your-login-name
PATH=/usr/bin
SHELL=last-field-of-passwd-entry
MAIL=/usr/mail/your-login-name
LANG=language-specification
TZ=timezone-specification
The environment can be expanded or modified by supplying additional
arguments when login prints the prompt requesting the user's login name.
The arguments can take either of two forms: xxx or xxx=yyy. Arguments
without an equal sign are placed in the environment as
Ln=xxx
where n is a number that starts at 0 and is incremented each time a new
variable name is required. Variables containing = are placed in the
environment without modification. If such a variable is already defined,
the new value replaces the old value. To prevent users who log in to
restricted shell environments from spawning secondary shells that are not
restricted, the following environment variables cannot be changed:
HOME
IFS
LOGNAME
PATH
SHELL
Attempts to set environment variables beginning with the following
strings (see the rld(1) reference page) are ignored, and such attempts
are logged via syslogd:
_RLD
LD_LIBRARY
login understands simple, single-character quoting conventions. Typing a
backslash in front of a character quotes it and allows the inclusion of
such characters as spaces and tabs.
Page 6
login(1)login(1)
The capability set and MAC label of a Trusted IRIX login session can also
be modified by supplying the CAP (see capability(4)) and MAC (see
dominance(5)) arguments in addition to the login name. The arguments
take the following form:
CAP=capability-set
MAC=MAC-label
For example, the following login prompt will set the MAC label of the
login shell to userlow with all capabilities:
login: username MAC=userlow CAP=all+eip
password:
To enable dial-in line password protection, two files are required. The
file /etc/dialups must contain of the name of any dialup ports (for
example, /dev/ttyd2) that require password protection. These are
specified one per line. The second file, /etc/d_passwd consists of lines
with the following format:
shell:password:
This file is scanned when the user logs in, and if the shell portion of
any line matches the command interpreter that the user gets, the user is
prompted for an additional dialin password, which is encoded and compared
to that specified in the password portion of the line. If the command
interpreter cannot be found, the entry for the default shell, /sbin/sh,
(or, for compatibility with existing configurations, /bin/sh) is used.
(If both are present, the last one in file is used.) If there is no such
entry, no dialup password is required. In other words, the /etc/d_passwd
entry for /sbin/sh is the default.
NOTES
Autologin is controlled by the existence of the /etc/autologin.on file.
The file is normally created at boot time to automate the login process
and then removed by login to disable the autologin process for succeeding
terminal sessions.
In the default configuration, encrypted passwords for users are kept in
the system password file, /etc/passwd, which is a text file and is
readable by any system user. The program pwconv(1M) can be used by the
system administrator to activate the shadow password mechanism. When
shadow passwords are enabled, the encrypted passwords are kept only in
/etc/shadow, a file that is only readable by the superuser. Refer to the
pwconv(1M) reference page for more information about shadow passwords.
FILES
/etc/dialups
Page 7
login(1)login(1)
/etc/d_passwd
/etc/motd message of the day
/etc/passwd password file
/etc/shadow shadow password file
/etc/profile system profile
$HOME/.profile user's login profile
$HOME/.lang user's login language specification
/usr/lib/iaf/scheme login authentication scheme
/var/adm/lastlog time of last login
/var/adm/loginlog record of failed login attempts
/var/adm/utmp accounting
/var/adm/wtmp accounting
/etc/default/login to determine default behavior
/var/mail/login_name mailbox for user login_name
/usr/lib/locale/locale/LC_MESSAGES/uxcore
language-specific message file (see LANG in
environ(5))
/etc/config/pam to determine whether PAM is enabled
SEE ALSOmail(1), newgrp(1), pwconv(1M), rexecd(1M), rshd(1M), sh(1), su(1M),
capability(4), dominance(5), loginlog(4), passwd(4), profile(4),
shadow(4), environ(5), pam(8).
DIAGNOSTICS
The message
UX:login: ERROR: Login incorrect
is printed if the user name or the password cannot be matched or if the
user's login account has expired or remained inactive for a period
greater than the system threshold.
The message
UX:login: ioctl() failed: TCSETA
is printed if the tty line does not support a requested baud rate
(specified for remote logins). A similar message is also sent to syslog.
See serial(7) for information on which baud rates are supported.
Page 8
